FOCUS MODE
EXTRACT IOC
Threat Research

Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads

K7computing
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and Payloads
Kimsuky, a North Korean APT group, has been identified as engaging in sophisticated cyber espionage techniques targeting various nations, including South Korea, Japan, and the U.S. Their attack methods involve a series of malware payloads delivered via a ZIP file, leading to data exfiltration and sensitive information theft. Affected: South Korea, Japan, U.S., cybersecurity sector

Keypoints :

  • Kimsuky, also known as “Black Banshee,” has been active since at least 2012 and is believed to be state-sponsored.
  • The group uses tactics including phishing, malware infections, supply chain attacks, lateral movement, and data exfiltration.
  • Recent IOCs from Kimsuky were shared in a tweet highlighting a ZIP file containing malicious payloads.
  • The ZIP file includes a VBScript and a PowerShell script for executing commands and data collection.
  • Obfuscation techniques are used to bypass detection methods.
  • The malware collects sensitive system information such as BIOS serial numbers and user data from browsers.
  • Several functions within the malware facilitate data collection, file uploads, and Command-and-Control (C2) communication.
  • Persistence mechanisms are employed to maintain access to the compromised system.
  • Keylogging functionalities are implemented to capture user keystrokes and clipboard data.
  • Protection against such threats involves using reputable security software, like K7 Antivirus.

MITRE Techniques :

  • Command and Control (T1071): The malware executes C2 communications to upload collected data and receive additional commands.
  • Data Exfiltration Over Command and Control Channel (T1041): Uploads exfiltrated data in chunks to the attacker’s server using HTTP POST requests.
  • Obfuscated Files or Information (T1027): Utilizes obfuscation in scripts (e.g., VBScript) to evade detection and analysis.
  • System Information Discovery (T1082): Gathers detailed hardware and software information from the compromised system.
  • Input Capture (T1056): Implements keylogging functionality to capture keystrokes for sensitive information extraction.
  • Credential Dumping (T1003): Attempts to extract user credentials stored in browsers (Edge, Firefox, Chrome, Naver Whale).

Indicator of Compromise :

  • [MD5] CE4549607E46E656D8E019624D5036C1 (1.vbs)
  • [MD5] 1119A977A925CA17B554DCED2CBABD85 (1.ps1)
  • [MD5] 64677CAE14A2EC4D393A81548417B61 (1.log)
  • [IOCs not found explicitly matching known patterns or length are disregarded.]

Full Story: https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/

Tags: BROWSER, DISCOVERY, PAYLOAD, CRYPTO, CREDENTIAL, PHISHING, APT, BACKUP