North Korean APT group Kimsuky is conducting attacks using a new backdoor, 'HelloDoor', suspected to have been developed with the help of AI (LLM)
📌 In short
North Korean APT group Kimsuky is conducting attacks using a new backdoor, 'HelloDoor', suspected to have been developed with the help of AI (LLM). The attacks target South Korea's military, government, defense industry and telecom companies, and evade detection by abusing a Rust-based DLL backdoor and Cloudflare's tunneling service. Intrusion techniques that abuse legitimate management tools such as VSCode remote tunneling have also been confirmed, showing that the attacks are becoming more sophisticated.
📋 Applicability check
- You have dealings with South Korean government agencies, the military, or the defense industry
- Your organization uses remote management tools such as VSCode's 'Remote Tunnels' feature or 'DWAgent' internally
- You are a South Korean telecom company, or a media outlet covering military or government affairs
- You use temporary tunneling services such as Cloudflare's 'TryCloudflare' on your internal network
If none of the above applies → monitoring only is sufficient
✅ Response if applicable
1. Avoid suspicious email attachments and links, and in particular restrict the execution of Rust-based DLLs and unknown binaries.
2. Monitor the use of remote management tools such as VSCode Remote Tunnels and DWAgent, and prohibit the introduction of unapproved tools.
3. Monitor and block suspicious outbound traffic that goes via tunneling services such as Cloudflare.
📧 Sample email draft (for administrators)
⚠️ This is an AI-generated reference example. Be sure to review the content before sending and edit it to fit your organization's situation. Decisions that depend on the actual extent of damage or on your own environment should be confirmed with your organization's security officer.
Subject: [Share] Response to the AI-assisted new backdoor 'HelloDoor' used by Kimsuky
Hello all. This is an intelligence share regarding the latest attack campaign by Kimsuky.
■ Overview
North Korean APT group Kimsuky is using a new Rust-based backdoor, 'HelloDoor', said to have been developed using AI (LLM). A technique of using Cloudflare's TryCloudflare service as the C2 server to make tracking difficult has been confirmed. The group also tends to gain entry by abusing legitimate tools such as VSCode remote tunneling and DWAgent.
■ Scope of impact
- South Korean government, military, defense industry and telecom sectors (caution is warranted because the same techniques may also be used against domestic organizations)
■ Response steps
1. Monitor the creation and execution of unknown Rust-based DLL files on endpoints.
2. At the network boundary, verify that your configuration detects and blocks suspicious traffic to tunneling services such as TryCloudflare.
3. Audit the use of remote management tools such as VSCode Remote Tunnels and restrict any use that lacks a legitimate reason.
■ References
- Kaspersky Deep Analysis Report
Response priority: High
Response deadline: Review promptly
Subject: [Intel] Kimsuky's AI-enhanced Backdoor 'HelloDoor' and Stealthy Infiltration
Dear Security Team,
We are sharing intelligence regarding a new campaign by the Kimsuky APT group.
■ Overview
Kimsuky has deployed a new Rust-based DLL backdoor named 'HelloDoor,' which exhibits characteristics of AI-assisted development (LLM). The attackers are using Cloudflare's 'TryCloudflare' service to mask C2 infrastructure and are leveraging legitimate tools such as VSCode remote tunneling and DWAgent for stealthy access.
■ Scope
- Primarily targeting South Korean government, military, defense, and telecom sectors.
■ Recommended Actions
1. Monitor for the execution of unauthorized Rust-based DLLs on endpoints.
2. Audit and restrict outbound traffic to tunneling services like TryCloudflare if not required for business.
3. Review the usage of remote management tools (e.g., VSCode Remote Tunnels) to ensure they are not being used as persistence mechanisms.
■ Reference
- Kaspersky Deep Analysis Report
Priority: High
Deadline: Immediate review
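As an added example (not part of the original advisory or the referenced Kaspersky report), here is the kind of check behind step 2 of the action lists above: a Python sweep over proxy-log lines that flags destinations under trycloudflare.com, matching on DNS label boundaries so look-alike names are not caught. The log format and sample lines are constructed, and the devtunnels.ms entry for VS Code Remote Tunnels is an assumption to verify against vendor documentation.

```python
import re

# Watchlist of tunnel relay domains. trycloudflare.com is the TryCloudflare
# quick-tunnel domain named in the advisory; devtunnels.ms is an assumption
# for the VS Code Remote Tunnels relay (verify against vendor documentation).
TUNNEL_DOMAINS = {
    "trycloudflare.com": "TryCloudflare quick tunnel",
    "devtunnels.ms": "VS Code dev tunnel relay (assumed)",
}

# Constructed proxy-log format: "<timestamp> <src_ip> <dest_host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def tunnel_label(host):
    """Return the watchlist label for host, or None if it is not on it.
    Matching respects DNS label boundaries: 'x.trycloudflare.com' matches,
    'nottrycloudflare.com' and 'trycloudflare.com.attacker.example' do not."""
    h = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for domain, label in TUNNEL_DOMAINS.items():
        if h == domain or h.endswith("." + domain):
            return label
    return None


def flag_tunnel_traffic(lines):
    """Return (timestamp, src_ip, host, bytes_out, label) for each flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        ts, src, host, out = m.groups()
        label = tunnel_label(host)
        if label:
            hits.append((ts, src, host, int(out), label))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-06-01T09:00:01Z 10.0.0.5 cdn.example.com 1200",
    "2024-06-01T09:00:07Z 10.0.0.5 quiet-lamp-1234.trycloudflare.com 48213",
    "2024-06-01T09:01:10Z 10.0.0.9 TryCloudflare.COM. 900",
    "2024-06-01T09:02:00Z 10.0.0.9 nottrycloudflare.com 300",
    "2024-06-01T09:02:30Z 10.0.0.9 trycloudflare.com.attacker.example 300",
    "2024-06-01T09:03:00Z 10.0.0.5 abc123.devtunnels.ms 15000",
    "garbage line",
]

if __name__ == "__main__":
    for hit in flag_tunnel_traffic(SAMPLE_LOG):
        print(hit)
```

Flagged hosts are a triage starting point, not a verdict: TryCloudflare hostnames are random and short-lived, so pair the hit with the source host's process and user context before acting.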