This article discusses a malicious VBS script named vbs.html, attributed to the North Korean hacking group Kimsuky, which is distributed from a specific malicious URL. The script uses several obfuscation techniques to evade detection and can execute code received over HTTP requests, indicating its potential use as a backdoor. Affected: North Korean malware, Kimsuky group, cybersecurity environment
Key points:
- The malicious VBS script is named vbs.html and is 1 MB in size.
- It employs several obfuscation techniques, including randomized variable names and hexadecimal string encoding.
- The script uses the `Execute` function to dynamically run strings converted from hexadecimal.
- It communicates with a remote server through HTTP POST requests.
- The distribution URL is hxxp://mrasis.n-e.kr.
- It includes a function named `ikwcpdah` that decodes hexadecimal strings into executable VBScript code.
- WScript.Shell is used to execute commands, such as killing the mshta.exe process to hide its activity.
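As an added example (not code from the article or from the vbs.html sample it analyses), the following Python helper models the layering the key points describe: a decoder function turns a hexadecimal string literal into VBScript that is then handed to `Execute`. The embedded VBS snippet, the decoder body and the indicator list are constructed for illustration; only the function name `ikwcpdah` comes from the article.

```python
"""Static deobfuscation helper for hex-encoded VBScript layers (added example)."""
import re

# Constructed inner layer, modelled on the behaviour the article describes
# (kill mshta.exe via WScript.Shell). It is NOT the real vbs.html payload.
HEX_LAYER = (
    'Set xnorflae = CreateObject("WScript.Shell")\r\n'
    'xnorflae.Run "taskkill /f /im mshta.exe", 0, False'
)

# Constructed outer layer: a hex decoder named after the article's ikwcpdah
# function, plus the Execute(decoder("<hex>")) call that runs the inner layer.
SAMPLE_VBS = (
    "Function ikwcpdah(qz)\r\n"
    "  Dim i, s\r\n"
    "  For i = 1 To Len(qz) Step 2\r\n"
    '    s = s & Chr(CLng("&H" & Mid(qz, i, 2)))\r\n'
    "  Next\r\n"
    "  ikwcpdah = s\r\n"
    "End Function\r\n"
    f'Execute(ikwcpdah("{HEX_LAYER.encode().hex()}"))\r\n'
)

# Matches Execute(<decoder>("<hex digits>")) regardless of the randomised name.
EXEC_HEX = re.compile(r'Execute\s*\(\s*(\w+)\s*\(\s*"([0-9A-Fa-f]+)"\s*\)\s*\)')
# Strings an analyst would want flagged in any decoded layer (constructed list).
SUSPICIOUS = ("WScript.Shell", "mshta.exe", "taskkill", "MSXML2", '.Open "POST"', "Execute")


def decode_hex_layers(vbs_text):
    """Return [(decoder_name, decoded_vbs), ...] for every Execute(fn("hex")) call."""
    return [(name, bytes.fromhex(hexstr).decode("latin-1"))
            for name, hexstr in EXEC_HEX.findall(vbs_text)]


def find_indicators(vbs_text):
    """Return the SUSPICIOUS strings present in one (decoded) layer, case-insensitively."""
    lowered = vbs_text.lower()
    return [s for s in SUSPICIOUS if s.lower() in lowered]


def peel_layers(vbs_text, max_layers=10):
    """Return [outer, inner, ...]: each hex layer decoded in turn, bounded by max_layers."""
    layers, queue = [vbs_text], [vbs_text]
    while queue and len(layers) < max_layers:
        current = queue.pop(0)
        for _name, decoded in decode_hex_layers(current):
            layers.append(decoded)
            queue.append(decoded)   # a decoded layer may itself carry another hex layer
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(SAMPLE_VBS)):
        print(f"layer {depth}: indicators={find_indicators(layer)}")
```

The outer layer exposes only the `Execute` call; the indicators that matter (WScript.Shell, mshta.exe, taskkill) appear only after the hex layer is decoded, which is why a static scan of the raw file misses them.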
MITRE Techniques:
- T1405: Ingress Tool Transfer – Uses HTTP POST requests to communicate with a remote server and download additional commands.
- T1203: Exploit Public-Facing Application – The malicious VBS script exploits weaknesses in workplace security to spread its payload.
- T1566: Phishing – Distributed via a malicious URL, potentially as part of a phishing campaign.
- T1086: PowerShell – The script employs PowerShell-like techniques to perform its tasks.
Indicators of Compromise:
- [MD5] a6598bbdc947286c84f951289d14425c
- [SHA-1] 07c7cf4441254e8754aa62150bf8c5365c3825f4
- [SHA-256] 5f23b1ca43f6a18e3c9f21d390f5d1e187b1339b07a1dce70f8338f3be320878
- [Domain] mrasis.n-e.kr
- [URL] hxxp://mrasis.n-e.kr
Full Story: https://wezard4u.tistory.com/429434