A recent watering hole attack was identified, targeting applicants for an educational program in the field of unification at a prominent university. Attackers embedded malicious HWP file links in a notice post; when the file is opened, it creates further malicious files and executes them to maintain persistence on the infected system. This incident is suspected to be linked to the Kimsuky group, known for its North Korean cyber operations. Affected: University Students, Educational Sector, Cybersecurity.
Key points:
- A watering hole attack discovered using application files from an educational program.
- Malicious code was embedded in a notice post on a university website.
- Users downloading the HWP file were infected upon execution.
- The attack involved the creation of additional malicious files within the user’s %TEMP% folder.
- Persistence was maintained through scheduled tasks and file renaming to execute malicious scripts.
- The attackers are suspected to be affiliated with the Kimsuky group due to the nature of the tactics used.
- Detection of the malicious files includes terms like Exploit.HWP.Agent and Trojan.Script.Agent.
MITRE ATT&CK tactics:
- TA0001 – Initial Access: Users are tricked into executing malicious application files.
- TA0002 – Execution: The document.bat file executes scripts to maintain persistence.
- TA0003 – Persistence: Scheduled tasks are created to ensure repeated execution of malware.
- TA0005 – Defense Evasion: The use of file renaming and OLE objects to evade detection.
- TA0011 – Command and Control: Contacting attacker servers for further instructions and data retrieval.
Indicators of Compromise:
- [IP Address] 103.149.98[.]231
- [URL] hxxp://103.149.98[.]231/pprb/0304_pprb/d.php?newpa=comline
- [MD5] 4EDAE618F59180577A196FA5BAB89BB4
- [SHA-1] 49C91F24B6E11773ACD7323612470FFBCE7FA1DC
- [SHA-256] F7FAF50F954076525E24020E964ED646 (as published; note this value is 32 hex characters, the length of an MD5, not a full 64-character SHA-256 digest)
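The behaviours in the key points (an HWP document spawning a script from the user's %TEMP% folder, persistence through a scheduled task, and contact with the attacker server) can be turned into simple endpoint triage rules. The following is an added example written for this summary; it is not code from the original ALYac post or from any vendor. It assumes a hypothetical event schema (`type`, `parent`, `image`, `cmdline`, `dest_ip`, `md5`/`sha1` fields), assumes the Hancom Office process name is `Hwp.exe`, and runs over constructed sample events rather than real telemetry. The IP and hash values are the ones listed above.

```python
"""Triage constructed endpoint/network events for the behaviours and IOCs
described in the summary above. Added example; field names are hypothetical."""
import re

# IOCs from the summary (defanged notation removed, hashes lower-cased).
C2_IP = "103.149.98.231"
KNOWN_HASHES = {
    "md5": {"4edae618f59180577a196fa5bab89bb4"},
    "sha1": {"49c91f24b6e11773acd7323612470ffbce7fa1dc"},
}

# Script hosts an office document has no business spawning directly.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# A script file located under a ...\Temp\ directory (covers %TEMP% on Windows).
TEMP_SCRIPT_RE = re.compile(r"\\Temp\\[^\s\"']*\.(?:bat|cmd|vbs|js|ps1)\b", re.IGNORECASE)
# schtasks invocation that creates a task with an action (/tr).
SCHTASKS_CREATE_RE = re.compile(r"/create\b.*?/tr\b", re.IGNORECASE)

# Constructed sample events (not real telemetry). "Hwp.exe" as the Hancom
# Office process name is an assumption made for this example.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\document.bat"',
     "md5": "4edae618f59180577a196fa5bab89bb4"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 10 /tn Update '
                r'/tr "C:\Users\alice\AppData\Local\Temp\doc.vbs"'},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "103.149.98.231", "dest_port": 80},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Hnc\Office\Hwp.exe", "cmdline": "Hwp.exe notice.hwp"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    if ev["type"] == "process":
        parent = basename(ev.get("parent", ""))
        image = basename(ev.get("image", ""))
        cmdline = ev.get("cmdline", "")
        # Key point: infection starts with the HWP document running further code.
        if parent == "hwp.exe" and image in SCRIPT_HOSTS:
            hits.append("hwp_spawns_script_host")
        # Key point: dropped files are executed from %TEMP%.
        if TEMP_SCRIPT_RE.search(cmdline):
            hits.append("script_executed_from_temp")
        # Key point: persistence via a scheduled task whose action lives in %TEMP%.
        if (image == "schtasks.exe" and SCHTASKS_CREATE_RE.search(cmdline)
                and TEMP_SCRIPT_RE.search(cmdline)):
            hits.append("scheduled_task_points_to_temp")
        # Direct IOC match on the published file hashes.
        for algo, known in KNOWN_HASHES.items():
            if ev.get(algo, "").lower() in known:
                hits.append(f"known_{algo}")
    elif ev["type"] == "network":
        # Key point: the malware contacts the attacker server for instructions.
        if ev.get("dest_ip") == C2_IP:
            hits.append("c2_ip_contact")
    return hits


def triage(events) -> list:
    """Map each event index to the rules it triggered, in event order."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The behavioural rules (office process spawning a script host, script run from %TEMP%, scheduled task pointing into %TEMP%) fire independently of the specific hashes and IP, which matters because those values change between campaigns while the persistence pattern tends not to; the IOC matches are kept as high-confidence confirmation for this particular incident.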
Full Story: https://blog.alyac.co.kr/5534