This article discusses malware disguised as a public document, attributed to the North Korean Kimsuky group: a malicious shortcut file named 공적 조서(개인,양식).lnk (roughly "record of merits (individual, form)"). The shortcut launches PowerShell, which carves data out of the .lnk file itself and executes it. Threat actor: Kimsuky. Affected: individuals connected to North Korea (defectors, officials) who receive the lure, and the wider cybersecurity sector.
Keypoints :
- The malware is a .lnk (Windows shortcut) file whose target runs PowerShell commands when the user opens it.
- It looks in C:\Windows\SysWow64\WindowsPowerShell\v1.0, the 32-bit PowerShell directory on 64-bit Windows.
- It reads data from specific offsets inside the .lnk file itself and writes it out as a .hwpx document (the Hangul word processor format, shown to the user as a decoy) and as an executable.
- It creates temporary files (elephant.dat, sharke.bat, caption.dat) in the %temp% directory.
- The lure targets individuals connected to North Korea, such as defectors or officials.
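The behaviour listed above (a shortcut that runs PowerShell and carries its payloads inside the .lnk file past the end of the shortcut structures) is what a triage script should look for. The following is an added example written for this page, not code from the article or from the malware: it parses the MS-SHLLINK header, item-ID list, link info, string data and extra-data blocks, reports the command line and any trailing overlay, and carves a region by offset the way the dropper's PowerShell does. The sample shortcut, its command line, the carve offsets and the overlay bytes are constructed here; the real sample's offsets are not given in the summary.

```python
"""Triage a Windows shortcut (.lnk, MS-SHLLINK) for the traits the summary
describes: a PowerShell command line carried in the shortcut and a payload
stored in the file itself after the parsed structures. Sample data is constructed."""
import hashlib
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SUSPICIOUS_TOKENS = ("-windowstyle hidden", "-w hidden", "-enc", "frombase64string",
                     "readallbytes", "writeallbytes", "$env:temp", "bypass", "iex")


def parse_lnk(data: bytes) -> dict:
    """Walk header -> IDList -> LinkInfo -> StringData -> ExtraData and report
    where the defined structures end; everything after that is an overlay."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte size, then the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:             # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    while off + 4 <= len(data):                  # ExtraData blocks; a size < 4 ends them
        block_size = struct.unpack_from("<I", data, off)[0]
        if block_size < 4:
            off += 4
            break
        if off + block_size > len(data):
            break
        off += block_size
    return {"flags": flags, "strings": strings, "structure_end": off,
            "overlay": data[off:]}


def triage(data: bytes) -> list:
    """Human-readable findings: PowerShell launch, suspicious switches, overlay."""
    info = parse_lnk(data)
    cmd = " ".join(info["strings"].get(k, "")
                   for k in ("relative_path", "working_dir", "arguments")).lower()
    findings = []
    if "powershell" in cmd:
        findings.append("shortcut launches PowerShell")
    findings += [f"suspicious token: {t}" for t in SUSPICIOUS_TOKENS if t in cmd]
    if info["overlay"]:
        findings.append(f"{len(info['overlay'])} bytes appended after the shortcut "
                        f"structures at offset {info['structure_end']:#x}")
    return findings


def carve(data: bytes, offset: int, length: int) -> dict:
    """Cut `length` bytes at `offset` (what the dropper's PowerShell does to
    recover its decoy and executable) and identify them by magic bytes."""
    blob = data[offset:offset + length]
    magic = {b"PK\x03\x04": "zip container (.hwpx is zip-based)", b"MZ": "PE executable"}
    kind = next((v for k, v in magic.items() if blob.startswith(k)), "unknown")
    return {"offset": offset, "length": len(blob), "kind": kind,
            "sha256": hashlib.sha256(blob).hexdigest()}


# --- constructed sample, not the real 공적조서 shortcut -------------------------
def build_sample_lnk(arguments: str, overlay: bytes) -> bytes:
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    # FileAttributes, 3 timestamps, FileSize, IconIndex, ShowCommand=7 (minimised), HotKey, reserved
    header += struct.pack("<I3QIIIHHII", 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)

    def sd(text: str) -> bytes:                  # StringData: char count + UTF-16LE text
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = sd(r"..\..\..\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe") + sd(arguments)
    return header + body + struct.pack("<I", 0) + overlay   # zero-size terminal block, then overlay


SAMPLE_ARGS = ("-WindowStyle Hidden -Command \"$b=[IO.File]::ReadAllBytes($lnk); "
               "[IO.File]::WriteAllBytes(\"$env:TEMP\\caption.dat\", $b[0x100..0x1FF])\"")
SAMPLE_OVERLAY = b"PK\x03\x04" + b"\x00" * 508 + b"MZ" + b"\x00" * 510   # fake .hwpx then fake PE
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, SAMPLE_OVERLAY)

if __name__ == "__main__":
    for line in triage(SAMPLE_LNK):
        print(line)
    end = parse_lnk(SAMPLE_LNK)["structure_end"]
    print(carve(SAMPLE_LNK, end, 512))
    print(carve(SAMPLE_LNK, end + 512, 512))
```

On a real sample, pass the file bytes to `triage()`; a shortcut whose overlay is hundreds of megabytes while the parsed structures end within the first few kilobytes is the pattern the file size in the IoC list points at, and the hashes of each carved region are what to pivot on.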
MITRE Techniques :
- T1027 – Obfuscated Files or Information: the payloads are hidden as raw bytes at offsets inside the shortcut and obfuscation is used to evade detection.
- T1059.001 – Command and Scripting Interpreter: PowerShell: the shortcut target runs PowerShell to carve out and execute the payloads.
- T1036 – Masquerading: the file poses as a legitimate public document.
- T1203 – Exploitation for Client Execution: listed in the source; note that no software vulnerability is described, and execution depends on the user opening the shortcut, which MITRE classifies as T1204.002 (User Execution: Malicious File).
Indicator of Compromise :
- [file name] 공적조서(개인,양식).lnk
- [file size] 232,042,783 Bytes
- [file hash] MD5: 5adfa76b72236bf017f7968fd012e968
- [file hash] SHA-1: 5f0d09853fb459500237105201bbf33c09da2126
- [file hash] SHA-256: 7df7ad7b88887a06b559cd453e7b65230d0cccff1a403328a521d8753000c6c (as given in the source; this is 63 hex characters, one short of a full SHA-256, so verify against the original article before using it)
- Check the article for all found IoCs.
Full Story: https://wezard4u.tistory.com/429386