This article discusses a malicious file named test.zip created by the North Korean group Kimsuky, which contains Cobalt Strike malware. The archive is designed to deceive users into executing it by disguising itself as a legitimate document. The article provides details on the malware's characteristics, its execution process, and the indicators of compromise associated with it. Affected: Windows systems (threat actor: Kimsuky; tooling: Cobalt Strike)
Key points:
- The malicious file is named test.zip and has a size of 15,282 bytes.
- It contains PowerShell code that extracts a hidden payload from a .lnk file.
- The malware disguises itself as svchost.exe to evade detection.
- It utilizes social engineering techniques to mislead users into executing the malware.
- Indicators of compromise include file hashes and detection by various antivirus solutions.
MITRE Techniques:
- Execution (T1203): The malware executes PowerShell commands to run the malicious payload.
- Obfuscated Files or Information (T1027): The malware uses obfuscation techniques to conceal the embedded payload and its purpose.
- Command and Control (T1071): The malware communicates with a C2 server at hxxp://c-csigns(.)com.
- Masquerading (T1036): The malware masquerades as a legitimate svchost.exe process.
Indicators of Compromise:
- [file name] test.zip
- [file hash] MD5: 8d3dd8b5a883a2080525a11807b2a6e1
- [file hash] SHA-1: da3cbfad064e12c4334161a00335c0176011d0c2
- [file hash] SHA-256: c2faf67cab95cba996e6b705e9579ffbc53fec55b09064308c2c38dbf6018077
- [url] hxxp://c-csigns(.)com:443/686c6c647a_B(.)gif
- Check the article for all found IoCs.
Full Research: https://wezard4u.tistory.com/429381
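The key points above describe a ZIP archive carrying a .lnk file from which PowerShell extracts a hidden payload. The following triage script is an added example written for this summary; it is not code from the original article or from the analysed sample. It assumes two generic defender-side heuristics: a .lnk entry whose bytes contain PowerShell-related strings, or one that is far larger than an ordinary shortcut, is worth flagging; the size threshold and marker strings are assumptions, not values taken from the article. The archive it inspects is constructed inline, and only the SHA-256 hash is taken from the IoC list above.

```python
import hashlib
import io
import zipfile

# SHA-256 of test.zip as listed in the IoC section above (MD5/SHA-1 omitted here)
KNOWN_BAD_SHA256 = {
    "c2faf67cab95cba996e6b705e9579ffbc53fec55b09064308c2c38dbf6018077",
}

# Every Windows shell link begins with HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) form.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Strings that should never appear inside a benign shortcut (assumed marker list)
SUSPICIOUS_MARKERS = (b"powershell", b"-enc", b"frombase64string", b"svchost.exe")

# Assumed threshold: ordinary shortcuts are a few hundred bytes to a few KB;
# a .lnk with an appended payload is typically much larger.
LNK_SIZE_THRESHOLD = 4096


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_lnk(data: bytes) -> dict:
    """Return structural and content-based findings for one .lnk blob."""
    lower = data.lower()
    return {
        "valid_header": data.startswith(LNK_MAGIC),
        "size": len(data),
        "oversized": len(data) > LNK_SIZE_THRESHOLD,
        "markers": [m.decode() for m in SUSPICIOUS_MARKERS if m in lower],
    }


def triage_zip(zip_bytes: bytes) -> dict:
    """Hash-match the archive against the IoC list, then inspect every .lnk it contains."""
    report = {
        "sha256": sha256_of(zip_bytes),
        "known_bad": False,
        "lnk_findings": [],
        "verdict": "clean",
    }
    report["known_bad"] = report["sha256"] in KNOWN_BAD_SHA256
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            finding = {"name": info.filename, **inspect_lnk(zf.read(info))}
            report["lnk_findings"].append(finding)
    suspicious = report["known_bad"] or any(
        f["markers"] or f["oversized"] for f in report["lnk_findings"]
    )
    report["verdict"] = "suspicious" if suspicious else "clean"
    return report


def build_sample_zip(with_lnk: bool = True) -> bytes:
    """CONSTRUCTED sample archive, not the real test.zip.

    The .lnk entry is a minimal 0x4C-byte header followed by a text tail that
    mimics the kind of strings a loader leaves behind; it is inert data.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"nothing to see")
        if with_lnk:
            header = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
            tail = b"\x00" * 200 + b"powershell.exe -EncodedCommand PLACEHOLDER svchost.exe"
            zf.writestr("document.lnk", header + tail)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip())["lnk_findings"]:
        print(entry)
```

The hash match catches the exact sample from the IoC list, while the marker and size checks generalise to recompiled variants with different hashes; in practice the marker list and threshold would be tuned against the organisation's own baseline of legitimate shortcuts.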