Kimsuky Hacking Group’s Malware Attack on the Korean Defense Industry Association – Defense Industry Digital Innovation Seminar (Planned) (2025.1.12)

This article discusses the malicious activities of the North Korean hacking group Kimsuky, in this case targeting the Korea Association of Defense Industry Studies. The group runs a range of espionage operations; in this campaign it distributed malware disguised as a seminar invitation. The lure arrives by email, and opening the attached HWP document runs the malicious scripts. Targeted: Korea Association of Defense Industry Studies. Threat actor: Kimsuky.

Keypoints :

  • The North Korean hacking group Kimsuky is responsible for cyber-espionage targeting South Korea and overseas.
  • The group distributed malware disguised as an invitation to a defense industry seminar.
  • The malware is delivered through an email attachment titled “Korea Defense Industry Digital Innovation Seminar (Plan).”
  • Upon execution, the malware prompts for a password before carrying out malicious actions.
  • The malware includes scripts that delete, rename, and replicate files to maintain persistence.

MITRE Techniques :

  • T1566.001 – Phishing: Spearphishing Attachment: the malicious HWP document is delivered as an email attachment.
  • T1204.002 – User Execution: Malicious File: the payload runs when the recipient opens the HWP document and supplies the password it asks for.
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell: the malware executes its commands through batch scripts.
  • T1036.005 – Masquerading: Match Legitimate Name or Location: the document poses as a legitimate seminar invitation.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: the malware creates scheduled tasks to ensure persistence.

Indicator of Compromise :

  • [file name] Korean Defense Industry Association Defense Industry Digital Innovation Seminar (Planned).hwp (English translation; the original filename is in Korean)
  • [file hash] MD5: 63a119714f01d9ff57c51614c9727f84
  • [file hash] SHA-1: aa59e1d70ce58c5882b5890d86e63a3d0b3867da
  • [file hash] SHA-256: d7367d9cc84d794ff73e90dd3cc936b18158bac8935ea4c5f1b7fddd821af430
  • Check the article for all found IoCs.
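The three hashes above are only useful if they are actually checked against files on endpoints or mail quarantines. The following is an added example, not code from the article or from the researcher: a small triage sweep that computes MD5, SHA-1 and SHA-256 in a single read pass per file and compares all three against a normalized IoC set. Only the three hash values are taken from the page; the directory to sweep, the function names and the sample files written by `demo()` are assumptions made for illustration. No extension filter is applied by default, because a lure renamed away from `.hwp` should still be caught by hash.

```python
"""Sweep a directory tree for files whose hashes match the Kimsuky HWP IoCs.

Added example (not the article's code). Hashes every file once, updating
MD5, SHA-1 and SHA-256 from the same chunks, then checks each digest against
a lower-cased indicator set so feed formatting differences cannot cause misses.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# The three file hashes listed in the article's IoC section.
KIMSUKY_HWP_IOCS = {
    "63a119714f01d9ff57c51614c9727f84",                                  # MD5
    "aa59e1d70ce58c5882b5890d86e63a3d0b3867da",                          # SHA-1
    "d7367d9cc84d794ff73e90dd3cc936b18158bac8935ea4c5f1b7fddd821af430",  # SHA-256
}

# Algorithm names as accepted by hashlib.new(); order is preserved in results.
HASH_ALGOS = ("md5", "sha1", "sha256")


def normalize_iocs(iocs: Iterable[str]) -> Set[str]:
    """Lower-case and strip indicator hashes; drop empty entries."""
    return {h.strip().lower() for h in iocs if h.strip()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return all configured digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGOS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the file once and feed every chunk to all hashers."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: Dict[str, str], iocs: Set[str]) -> List[str]:
    """Return the names of the algorithms whose digest appears in the IoC set."""
    return [name for name, d in digests.items() if d.lower() in iocs]


def sweep(root: str, iocs: Iterable[str] = KIMSUKY_HWP_IOCS,
          suffixes: Tuple[str, ...] = ()) -> List[Tuple[str, List[str]]]:
    """Walk `root` and report (path, matched_algorithms) for every IoC hit.

    `suffixes` is an optional filter such as (".hwp",); the default of no
    filter is deliberate, since a renamed lure still has the same hash.
    Unreadable files (locked, permission denied) are skipped, not fatal.
    """
    wanted = normalize_iocs(iocs)
    hits: List[Tuple[str, List[str]]] = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if suffixes and path.suffix.lower() not in suffixes:
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue
        matched = match_hashes(digests, wanted)
        if matched:
            hits.append((str(path), matched))
    return hits


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed end-to-end check: two sample files in a temp dir, one of
    whose SHA-256 is seeded into the IoC set (upper-cased, to exercise
    normalization). Returns the sweep result; exactly one hit is expected."""
    benign = b"constructed benign document body"           # constructed sample
    lure = b"constructed stand-in for the malicious HWP"    # constructed sample
    seeded = set(KIMSUKY_HWP_IOCS) | {hash_bytes(lure)["sha256"].upper()}
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(benign)
        (Path(tmp) / "seminar.hwp").write_bytes(lure)
        return sweep(tmp, seeded)


if __name__ == "__main__":
    for path, algos in demo():
        print(f"IoC match ({', '.join(algos)}): {path}")
```

Against a real quarantine or user profile directory, call `sweep("/path/to/scan")` with the default IoC set; pass `suffixes=(".hwp",)` only when a narrower, faster first pass is wanted, and follow it with an unfiltered pass.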

Full Research: https://wezard4u.tistory.com/429383