Summary:
The rise of malware in the MSC file format is concerning, particularly because such files can exploit vulnerabilities and execute commands without raising suspicion among users. The Kimsuky group has been identified as a key actor in distributing this malware, often disguising it as legitimate documents. This trend highlights the need for increased awareness of, and defense against, unconventional malware formats.
#MSC_Malware #KimsukyThreat #CyberDefense
Keypoints:
Decrease in MS Office document-type malware distribution.
Increase in malware distribution in LNK and CHM formats.
MSC file format malware identified in the second quarter of the year.
Malware exploits vulnerability (CVE-2024-43572) in apds.dll.
MSC files can execute commands via MMC Console Taskpad.
Malware disguised as legitimate documents to avoid detection.
Kimsuky group identified as a distributor of this malware targeting South Korean users.
Multiple cases of malware using misleading file names and icons.
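The key points above note that MSC files can run commands through an MMC Console Taskpad and that the samples abuse apds.dll (CVE-2024-43572). The following triage helper is an added example, not ASEC's or AhnLab's tooling: it parses a console file's XML, lists Taskpad command-line tasks, and flags any reference to apds.dll. The element and attribute names it looks for (Task, CommandLine, Command, Arguments) and the sample file are assumptions constructed for the example, so adjust them against real samples.

```python
"""Triage helper for MMC console (.msc) files (added example, not from the
report). Element/attribute names are assumed from the MMC console XML layout."""
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a malicious console file; not a real IoC.
SAMPLE_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable>
    <String ID="1">http://example.invalid/apds.dll?redirect.html</String>
  </StringTable></StringTables>
  <Taskpad>
    <Tasks>
      <Task Type="CommandLine">
        <CommandLine Command="cmd.exe" Arguments="/c start readme.pdf"/>
      </Task>
    </Tasks>
  </Taskpad>
</MMC_ConsoleFile>"""

# Interpreters and LOLBins whose presence in a Taskpad task deserves review.
RISKY = re.compile(
    r"(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|curl|certutil)(\.exe)?\b",
    re.I)


def triage_msc(xml_text):
    """Return a list of (kind, severity, detail) findings for one .msc document."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A .msc that is not well-formed XML is itself worth a closer look.
        return [("parse_error", "info", str(exc))]
    for task in root.iter("Task"):
        if task.get("Type", "").lower() != "commandline":
            continue
        for cl in task.iter("CommandLine"):
            line = f"{cl.get('Command', '')} {cl.get('Arguments', '')}".strip()
            sev = "high" if RISKY.search(cl.get("Command", "")) else "medium"
            findings.append(("taskpad_command", sev, line))
    # apds.dll is the library named in CVE-2024-43572; search the raw text so
    # string tables and attributes are both covered.
    if re.search(r"apds\.dll", xml_text, re.I):
        findings.append(("apds_dll_reference", "high", "apds.dll string present"))
    return findings


if __name__ == "__main__":
    for finding in triage_msc(SAMPLE_MSC):
        print(finding)
```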
MITRE Techniques:
Exploitation for Client Execution (T1203): Utilizes vulnerabilities in software to execute malicious payloads.
Command and Control (T1071): Executes commands via the MMC Console Taskpad to maintain control over compromised systems.
IoC:
[file name] readme(解压密码).msc
[file name] readme (Decryption Code).msc
[file name] 民意信箱滿意度調查表.msc
[file name] 經濟部水利署第五河川分署水域污染詳細訊息.msc
[file name] [DOS] Jess Taylor’s Piece.msc
[file name] [DOS] Secure Document-Jess.msc
[file name] [WSJ] Interview Memo with Dr. Kyung*** Lee(202409).msc
[file name] North Korea’s New Suicide Drone.msc
[file name] 0808-DWnews.msc
[file name] 240422 264-24 SOLO airfield surveys.msc
[file name] 240801_Narang_Conversation_Secretary.msc
Full Research: https://asec.ahnlab.com/en/84799/