Kimsuky Nginx Fake Error 9b43f670

Detects a fake nginx 404 error page that is mainly used by the Kimsuky APT from North Korea.

References

https://twitter.com/Bank_Security/status/1621034213465067520
https://urlscan.io/search/#hash%3A9b43f670273b6a12b2b6894a9e29157c1859717594e98ccc5fb3eea05e71f4ed

IOK Rule (edit)

title: Kimsuky Nginx Fake Error 9b43f670
description: |
  Detects a fake nginx 404 error page that is
  mainly used by the Kimsuky APT from North Korea.

references:
  - https://twitter.com/Bank_Security/status/1621034213465067520
  - https://urlscan.io/search/#hash%3A9b43f670273b6a12b2b6894a9e29157c1859717594e98ccc5fb3eea05e71f4ed

detection:

  fakeHTML:
    html|contains|all:
      - '<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">'
      - '<body bgcolor="white">'
      - '<center>'
      - '<h1>404 Not Found</h1>'
      - '</center>'
      - '<hr>'
      - '<center>nginx</center>'
      

  nginxHeader: # Check for nginx in server response headers
    headers|contains: 'nginx'

  condition: fakeHTML and not nginxHeader

tags:
  - threat_actor.kimsuky_apt
  - target_country.south_korea