
North Korean Konni Group's DevSupply Campaign
Indicators of Compromise
No domains found for this campaign
APT Groups (2)
Summary of Actor: Kimsuky, also known as Velvet Chollima, is a North Korean threat actor group primarily engaged in cyber espionage. They are known for targeting South Korea, Japan, and the United States, with a focus on government, think tanks, and human rights organizations.
General Features: Kimsuky employs phishing and social engineering techniques to gain initial access, often using spear-phishing emails with malicious attachments or links. They leverage publicly available tools and custom malware to conduct their operations.
Related Other Groups: APT37, APT38
Indicators of Attack (IoA): Suspicious email attachments and links; use of PowerShell for command execution; domain generation algorithms (DGA)
Recent Activities and Trends:
Latest Campaigns: Kimsuky has been active in targeting COVID-19 vaccine developers, conducting phishing campaigns to steal sensitive information related to vaccine research.
Emerging Trends: Recent observations indicate a shift towards targeting cloud services and employing advanced obfuscation techniques to evade detection.
Summary of Actor: Opal Sleet is a sophisticated cyber threat actor known for its advanced persistent threats (APTs). This group is believed to operate with state sponsorship and has been active since at least 2015. They specialize in espionage and data exfiltration.
General Features: Opal Sleet utilizes a combination of zero-day vulnerabilities, sophisticated malware, and social engineering techniques to infiltrate target networks. They often employ custom tools and maintain a low profile to avoid detection.
Related Other Groups: Silver Rain, Golden Hawk
Indicators of Attack (IoA): Suspicious logins from unusual locations; abnormal data transfer activities; presence of specific malware signatures linked to the group
Recent Activities and Trends:
Latest Campaigns: Opal Sleet has recently been linked to a campaign targeting defense contractors in North America using spear-phishing emails containing malicious attachments.
Emerging Trends: The group has been observed shifting towards using more fileless malware techniques, which are harder to detect, and increasing their focus on cryptocurrency exchanges.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
Spearphishing Link (T1566.002)
ID | Name | Analytic ID | Analytic Description
 | | | Correlation of inbound emails with embedded links followed by user-driven browser navigation to suspicious or obfuscated domains. Detection chain includes malicious URL in email → user click recorded in Office logs → browser process spawning unusual child processes (e.g., PowerShell, cmd) or download activity.
 | | | Detection of spearphishing links through mail logs and browser activity. Behavior includes email with suspicious URLs → user click recorded in mail/web proxy logs → shell or interpreter launched from browser process.
 | | | Correlation of Mail.app logs with Safari/Chrome activity. Suspicious behavior includes email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly.
 | | | Detection of OAuth consent phishing or malicious login attempts initiated through spearphishing links. Behavior chain includes inbound email with OAuth URL → consent page visited → unusual token grants logged in IdP logs.
SyncAppvPublishingServer (T1216.002)
ID | Name | Analytic ID | Analytic Description
 | Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse | | Execution of SyncAppvPublishingServer.vbs through wscript.exe with a command-line containing embedded PowerShell, proxying malicious PowerShell execution through a Microsoft-signed VBScript interpreter to evade detection and restrictions.
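As an added example (not part of the campaign page or any vendor's analytic), the two Windows process-creation chains described above, browser-spawned shell for T1566.002 and the SyncAppvPublishingServer.vbs proxy for T1216.002, can be expressed as rules over Sysmon-style process events; the field names, process lists and the PowerShell-token heuristic are assumptions, and the events are constructed samples.

```python
import re

# Assumed process lists; tune to the estate's real browser and interpreter inventory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Heuristic (assumption): tokens that indicate PowerShell was embedded in the .vbs argument.
PS_TOKENS = re.compile(r"powershell|\biex\b|\b(?:invoke|start|new|set|add|get)-[a-z]+\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def browser_spawned_shell(ev: dict) -> bool:
    """T1566.002 chain: a browser process is the parent of a shell or interpreter."""
    return basename(ev["parent_image"]) in BROWSERS and basename(ev["image"]) in SHELLS


def syncappv_proxy_abuse(ev: dict) -> bool:
    """T1216.002: wscript/cscript runs SyncAppvPublishingServer.vbs with PowerShell in its argument."""
    cmd = ev["command_line"].lower()
    marker = "syncappvpublishingserver.vbs"
    if basename(ev["image"]) not in SCRIPT_HOSTS or marker not in cmd:
        return False
    # Only inspect the argument after the script path, so the path itself cannot trip the rule.
    return PS_TOKENS.search(cmd.split(marker, 1)[1]) is not None


RULES = [
    ("T1566.002 browser spawned shell", browser_spawned_shell),
    ("T1216.002 SyncAppvPublishingServer.vbs proxy", syncappv_proxy_abuse),
]


def detect(events: list) -> list:
    """Return (event_id, [matched rule names]) for each event that trips at least one rule."""
    alerts = []
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            alerts.append((ev["event_id"], hits))
    return alerts


# Constructed sample events (not real telemetry); fields mimic Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;Start-Process calc.exe"'},
    {"event_id": 2, "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -File update.ps1"},
    {"event_id": 3, "parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;"'},
    {"event_id": 4, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]
```

Event 3 shows why the rule inspects only the argument after the script path: a script host launching the .vbs with no embedded PowerShell is not flagged.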
Scheduled Task/Job: Scheduled Task (T1053.005)
ID | Name | Analytic ID | Analytic Description
 | Detection of Suspicious Scheduled Task Creation and Execution on Windows | | Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods followed by execution from svchost.exe or taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or suspicious user contexts.
Impair Defenses: Disable or Modify Tools (T1562.001)
ID | Name | Analytic ID | Analytic Description
 | Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms | | Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.
 | | | Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations.
 | | | Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents.
 | | | Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination.
 | | | Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars.
 | | | Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features.