This article discusses malware created by the North Korean hacking group Kimsuky, disguised as a legitimate file named 종신안내장v02_곽X환d.zip. The malware mimics a PDF file but is actually a Windows shortcut (link) file. Its hash values are provided. Affected: Kimsuky, Malware, Cybersecurity
Key points:
- The malware is named 종신안내장v02_곽X환d.zip and is associated with the North Korean hacking group Kimsuky.
- It pretends to be a PDF file but is actually a link (.lnk) file.
- The article provides hash values of the malware, including MD5 and SHA-256.
- Base64-encoded text is included, which is part of the malware’s operation.
- The code analysis reveals that the malware downloads scripts from Dropbox and executes them.
- It creates scheduled tasks in Windows to ensure persistence and regular execution of malicious actions.
MITRE Techniques:
- TA0001 – Initial Access: Utilizes phishing techniques to deliver the malicious file disguised as a PDF.
- TA0003 – Persistence: Creates a scheduled task named “ChromeUpdateTaskMachine” to maintain persistence on the infected system.
- TA0011 – Command and Control: Downloads scripts from Dropbox to execute further actions.
- TA0040 – Lifecycle Management: The malware ensures it re-executes every 30 minutes after the initial run.
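The persistence described above (a scheduled task named “ChromeUpdateTaskMachine” that re-runs every 30 minutes and fetches scripts from Dropbox) can be hunted for by triaging exported Task Scheduler XML. The following is an added example for defenders, not code from the original article or the analysed sample; the task XML is constructed, and the Arguments value is a placeholder rather than the real command line.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
STAGING_HOSTS = ("dl.dropboxusercontent.com",)   # payload host reported in the article
SUSPICIOUS_NAMES = ("ChromeUpdateTaskMachine",)  # task name reported in the article

# Constructed sample of an exported task; the Arguments value is a placeholder,
# not the real command line from the malware.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ChromeUpdateTaskMachine</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2024-06-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-NoProfile -Command "[PLACEHOLDER: fetch hxxps://dl.dropboxusercontent.com/scl/fi/EXAMPLE/kxsxhx-x.txt]"</Arguments>
  </Exec></Actions>
</Task>"""

def iso_duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration such as PT30M or P1D to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(xml_text, max_interval_min=60):
    """Return (task_name, reasons) for one exported task; reasons is empty if nothing matched."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    reasons = []
    if name in SUSPICIOUS_NAMES:
        reasons.append(f"task name {name!r} matches the reported persistence task")
    # Short repetition intervals (the article reports 30 minutes) are worth a closer look
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(interval.text)
        if minutes is not None and minutes <= max_interval_min:
            reasons.append(f"repeats every {minutes:g} min")
    # Actions whose command line references the reported staging host
    for exec_node in root.iterfind("t:Actions/t:Exec", NS):
        cmdline = " ".join(exec_node.findtext(tag, default="", namespaces=NS)
                           for tag in ("t:Command", "t:Arguments")).lower()
        reasons.extend(f"action references {h}" for h in STAGING_HOSTS if h in cmdline)
    return name, reasons

if __name__ == "__main__":
    name, reasons = triage_task(SAMPLE_TASK_XML)
    print(name, "->", "; ".join(reasons) or "no findings")
```

On a live host the XML to feed `triage_task` comes from each file under `C:\Windows\System32\Tasks` or from `schtasks /query /xml`.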
Indicators of Compromise:
- [File Name] 종신안내장v02_곽X환d.zip
- [MD5] 40837012253331958723dda63fdfabff
- [SHA-256] 079907b7feab3673a1767dbfbc0626e656f5d3b03b6cff471cc7cf8a1973ab34
- [URL] hxxps://dl.dropboxusercontent.com/scl/fi/lc7j7be3vtd2f3hadv0bz/V02_-D.pdf.pdf?rlkey=wnah9edf39vv8va7gvmo9dymch&st=64lizr6k&dl=0
- [URL] hxxps://dl.dropboxusercontent.com/scl/fi/gs58u6qvvxorzttv09yvt/kxsxhx-x.txt?rlkey=v86pd7i2njm70pfutl0knu68&st=gjvdcw8r&dl=0
Full Story: http://wezard4u.tistory.com/429402