This article analyzes a newly discovered malware sample attributed to either Kimsuky or Konni, focusing on its PowerShell execution chain and evasion methods. The malware abuses the mshta.exe utility to run JavaScript passed on the command line; that script extracts sensitive data and communicates with Command and Control (C2) servers. Affected: Kimsuky, Konni, Windows systems, web browsers
Key points:
- The malware file size is 1 MB with specific MD5, SHA-1, and SHA-256 hashes defined.
- Utilizes PowerShell through mshta.exe to execute JavaScript embedded in commands.
- Searches for LNK files of a specific size (7116 bytes).
- Extracts data from LNK files to execute a PowerShell script stored in ProgramData.
- Employs an obfuscation technique in JavaScript code to hide malicious behavior.
- Steals cookies and session information from the browser to transmit to an attacker-controlled server.
- Communicates with a Command and Control server to receive additional instructions and malware.
- Performs various malicious actions like credential theft and remote code execution.
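The chain in the key points above (mshta.exe launched with an inline script, a PowerShell script staged under ProgramData, and LNK files of exactly 7116 bytes) gives a defender three concrete things to look for. The following Python is an added example written for this summary, not code from the original analysis or from the malware: it runs a few simple detection rules over constructed process-creation events (image, command line, parent) and scans a directory for LNK files of the size the analysis calls out. The event fields, paths and file names are assumptions chosen for illustration.

```python
"""Detection helpers for the mshta -> LNK -> PowerShell chain described above.

Added example code; the sample events and files below are constructed, not
real telemetry from the reported sample.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Byte size of the LNK files the analysis says the malware searches for.
SUSPECT_LNK_SIZE = 7116

# mshta.exe is normally given an .hta file; an inline javascript:/vbscript:
# URL on its command line is the pattern summarized above.
MSHTA_INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)

# A .ps1 script executed from anywhere under \ProgramData\ (staging location
# named in the key points).
POWERSHELL_PROGRAMDATA = re.compile(r"\\ProgramData\\[^\s'\"]+\.ps1", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty if benign)."""
    hits: List[str] = []
    img = image_name(event.get("image", ""))
    cmd = event.get("cmdline", "")
    parent = image_name(event.get("parent", ""))

    if img == "mshta.exe" and MSHTA_INLINE_SCRIPT.search(cmd):
        hits.append("mshta_inline_script")
    if img == "powershell.exe":
        if POWERSHELL_PROGRAMDATA.search(cmd):
            hits.append("powershell_script_in_programdata")
        if parent == "mshta.exe":
            hits.append("powershell_spawned_by_mshta")
    return hits


def analyze_events(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules, keeping only events with hits."""
    result = {}
    for idx, event in enumerate(events):
        hits = analyze_event(event)
        if hits:
            result[idx] = hits
    return result


def find_suspect_lnk(root: Path, size: int = SUSPECT_LNK_SIZE) -> List[Path]:
    """Recursively list .lnk files under root whose size is exactly `size` bytes."""
    return sorted(
        p for p in Path(root).rglob("*.lnk") if p.is_file() and p.stat().st_size == size
    )


def build_sample_dir() -> Path:
    """Create a temporary directory with constructed files for a self-test."""
    d = Path(tempfile.mkdtemp(prefix="lnk-hunt-"))
    (d / "a.lnk").write_bytes(b"L" + b"\x00" * (SUSPECT_LNK_SIZE - 1))  # matching size
    (d / "b.lnk").write_bytes(b"\x00" * 100)                            # wrong size
    (d / "c.txt").write_bytes(b"\x00" * SUSPECT_LNK_SIZE)               # right size, not .lnk
    return d


# Constructed sample events (hypothetical paths), two malicious-looking, two benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe javascript:a=new ActiveXObject("WScript.Shell");'
                'a.Run("powershell -w hidden -f C:\\ProgramData\\x.ps1")',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\update\x.ps1",
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Documents\report.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, hits in analyze_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
    for p in find_suspect_lnk(build_sample_dir()):
        print(f"suspect LNK: {p}")
```

The rules are deliberately narrow: mshta.exe with an inline `javascript:` handler and PowerShell reading a `.ps1` from ProgramData are each uncommon on a managed workstation, and their combination with an mshta parent process is what the summary describes. The size check is only a triage filter, since a 7116-byte LNK is not malicious on its own; any hit should be followed by inspecting the shortcut's target and arguments.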
MITRE Techniques:
- T1203: Exploit Public-Facing Application – The malware exploits Windows applications (mshta.exe) for command execution.
- T1059.001: Command and Scripting Interpreter: PowerShell – Uses PowerShell for executing commands and running scripts.
- T1086: PowerShell – Executes a PowerShell command through malicious scripts.
- T1071.001: Application Layer Protocol: Web Protocols – Communicates with an external server via HTTP/HTTPS.
- T1499: Endpoint Denial of Service – Engages in activities that lead to a system being overwhelmed or harmed.
Indicators of Compromise:
Full Story: http://wezard4u.tistory.com/429419