Kimsuky Nginx Fake Error 9b43f670

Detects a fake nginx 404 error page that is mainly used by the Kimsuky APT from North Korea.


IOK Rule

title: Kimsuky Nginx Fake Error 9b43f670
description: |
  Detects a fake nginx 404 error page that is
  mainly used by the Kimsuky APT from North Korea.

references:
  - https://twitter.com/Bank_Security/status/1621034213465067520
  - https://urlscan.io/search/#hash%3A9b43f670273b6a12b2b6894a9e29157c1859717594e98ccc5fb3eea05e71f4ed

detection:

  fakeHTML:
    html|contains|all:
      - '<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">'
      - '<body bgcolor="white">'
      - '<center>'
      - '<h1>404 Not Found</h1>'
      - '</center>'
      - '<hr>'
      - '<center>nginx</center>'
  nginxHeader: # Check for nginx in server response headers
    headers|contains: 'nginx'

  condition: fakeHTML and not nginxHeader

tags:
  - threat_actor.kimsuky_apt
  - target_country.south_korea
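The rule's logic, re-implemented as an added example that is not part of the IOK engine or this rule's page: the page body must contain every `fakeHTML` marker, and the match only fires when no response header mentions nginx. Assumptions: `html|contains|all` is a case-sensitive substring test, `headers|contains` is a case-insensitive test over "Name: value" lines, and the sample HTML and headers are constructed.

```python
from typing import Dict

# Marker strings copied from the rule's fakeHTML block.
FAKE_HTML_MARKERS = [
    '<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">',
    '<body bgcolor="white">',
    '<center>',
    '<h1>404 Not Found</h1>',
    '</center>',
    '<hr>',
    '<center>nginx</center>',
]


def fake_html(html: str) -> bool:
    """fakeHTML: every marker must appear in the body (assumed case-sensitive)."""
    return all(marker in html for marker in FAKE_HTML_MARKERS)


def nginx_header(headers: Dict[str, str]) -> bool:
    """nginxHeader: 'nginx' appears anywhere in the response headers
    (assumed case-insensitive over 'Name: value')."""
    return any("nginx" in f"{name}: {value}".lower() for name, value in headers.items())


def matches_rule(html: str, headers: Dict[str, str]) -> bool:
    """condition: fakeHTML and not nginxHeader."""
    return fake_html(html) and not nginx_header(headers)


# Constructed sample: a page that reproduces the nginx 404 markup listed in
# the rule, but served by software that does not identify itself as nginx.
SAMPLE_FAKE = (
    '<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">'
    '<title>404 Not Found</title></head><body bgcolor="white">'
    '<center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>'
)
SAMPLE_FAKE_HEADERS = {"Server": "Apache/2.4.41", "Content-Type": "text/html"}

# Constructed sample: identical markup, but the Server header really says nginx,
# so the rule must not fire (this is the edge case the condition guards against).
SAMPLE_REAL_HEADERS = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("fake page, non-nginx server:", matches_rule(SAMPLE_FAKE, SAMPLE_FAKE_HEADERS))  # True
    print("same markup, genuine nginx:", matches_rule(SAMPLE_FAKE, SAMPLE_REAL_HEADERS))   # False
```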