This article examines a malicious Windows shortcut titled “241002-2024 GA Sales Department Distribution (October)”, attributed to the North Korean group Kimsuky. The shortcut abuses PowerShell to run Base64-encoded scripts and ends with a backdoor that carries several capabilities. Affected: targets of North Korean cyber operations, information security sector
Key points:
- The lure file is named “241002-2024년 GA영업본부 담당지점 배분(10월)” and is 318,318 bytes in size.
- The shortcut's command line carries Base64-encoded PowerShell; decoding it (CyberChef's From Base64 recipe suffices) reveals the next stage.
- The decoded script downloads a PDF from Dropbox and opens it immediately, so the victim sees a document whose name matches the lure.
- It then writes a second PowerShell script, “chrome.ps1”, which carries the remaining malicious logic.
- A scheduled task runs that script so the infection persists across reboots.
- The end goal is to install a backdoor, run a keylogger, and exfiltrate the collected data.
MITRE Techniques:
- T1204.002 – User Execution: Malicious File: the victim opens the .pdf.lnk shortcut, which launches PowerShell; no software vulnerability is exploited.
- T1036.007 – Masquerading: Double File Extension: the shortcut is named “… v2.pdf.lnk” so that it displays as a PDF.
- T1059.001 – Command and Scripting Interpreter: PowerShell: encoded commands and the dropped chrome.ps1 run through PowerShell.
- T1053.005 – Scheduled Task/Job: Scheduled Task: a scheduled task re-runs the dropped script for persistence.
- T1056.001 – Input Capture: Keylogging: keylogging functionality is embedded in the scripts.
- T1071.001 – Application Layer Protocol: Web Protocols, with T1102 – Web Service: HTTPS to Dropbox retrieves the decoy PDF and further payloads.
Indicators of Compromise:
- [File Name] 241002-2024년 GA영업본부 담당지점 배분(10월) v2.pdf.lnk
- [MD5] 8a08fd5e8298c823e4ab356508d70490
- [SHA-1] 086be54505ef95d83be71d6b1e959610d36dc619
- [SHA-256] 71d56c61b765eee74dca65910ab9e0e2b35b21bcf6c97241ca7188a75f082f6f
- [URLs] hxxps://dl.dropboxusercontent(.)com/scl/fi/vx23391zdxqu3qirc5z7g/241002-2024-GA-10-v2(.)pdf?rlkey=ih6seocq7csa4iab3md4m(9)m08&st=6sj4yyzp&dl=0
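The triage routine below is an added example and is not code from the original write-up or from the sample itself. It does what the key points describe an analyst doing by hand: peel the Base64 layers out of a shortcut's PowerShell command line (handling both the UTF-16LE -EncodedCommand form and plain Base64 string literals), defang any URLs in the style of the IoC list above, flag the behaviours the key points list (download-and-open, .ps1 drop, scheduled task), and compare a file's hashes with the MD5/SHA-1/SHA-256 values on this page. The command line it analyses is constructed in the block (the Dropbox path, task name and stage-2 body are placeholders), because the real shortcut's contents are not reproduced on this page.

```python
"""Triage helper for a PowerShell-launching .lnk lure (added example, not the page's code)."""
import base64
import binascii
import hashlib
import re

# Copied from the IoC list on this page (the .pdf.lnk sample).
PAGE_IOC_HASHES = {
    "md5": "8a08fd5e8298c823e4ab356508d70490",
    "sha1": "086be54505ef95d83be71d6b1e959610d36dc619",
    "sha256": "71d56c61b765eee74dca65910ab9e0e2b35b21bcf6c97241ca7188a75f082f6f",
}

# Runs long enough to be a meaningful Base64 blob (command-line switch value or string literal).
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)

# Substrings worth flagging in the decoded script; matched case-insensitively.
SUSPICIOUS_TOKENS = (
    "schtasks", "register-scheduledtask", "downloadfile", "invoke-webrequest",
    "start-process", ".ps1", "-w hidden", "-windowstyle hidden", "bypass",
)


def _printable(text: str) -> bool:
    return bool(text) and all(c.isprintable() or c in "\r\n\t" for c in text)


def try_decode_b64(blob: str):
    """Decode one Base64 blob; detect PowerShell's UTF-16LE -EncodedCommand form."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # ASCII text encoded as UTF-16LE has a zero byte in every odd position.
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        text = raw.decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("utf-8", errors="replace")
    return text if _printable(text) else None


def peel_layers(text: str, max_depth: int = 4) -> list:
    """Return [outer, decoded-1, decoded-2, ...] until no Base64 layer remains."""
    layers = [text]
    for _ in range(max_depth):
        decoded = [d for d in map(try_decode_b64, B64_RE.findall(layers[-1])) if d]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers


def defang(url: str) -> str:
    """hxxps://host(.)tld/... in the style of the IoC list above."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "(.)") + sep + path


def triage(cmdline: str) -> dict:
    """Decode every layer, collect defanged URLs and the suspicious tokens seen anywhere."""
    layers = peel_layers(cmdline)
    joined = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted({defang(u) for u in URL_RE.findall(joined)}),
        "indicators": sorted(t for t in SUSPICIOUS_TOKENS if t in joined.lower()),
        "final_script": layers[-1],
    }


def matching_page_iocs(data: bytes) -> set:
    """Names of the page's hashes that match the given file contents."""
    digests = {name: hashlib.new(name, data).hexdigest() for name in PAGE_IOC_HASHES}
    return {name for name, value in digests.items() if PAGE_IOC_HASHES[name] == value}


# Constructed sample, not the real lure: the inner script mirrors the behaviours
# in the key points (download and open a PDF, drop chrome.ps1, schedule it).
# The Dropbox path, task name and stage-2 body are placeholders.
INNER_SCRIPT = (
    "$d = \"$env:TEMP\\lure.pdf\";\n"
    "(New-Object Net.WebClient).DownloadFile("
    "'https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/lure.pdf?dl=0', $d);\n"
    "Start-Process $d;\n"
    "Set-Content \"$env:APPDATA\\chrome.ps1\" '<stage-2 body>';\n"
    "schtasks /create /tn ChromeUpdate /tr \"powershell -w hidden -f $env:APPDATA\\chrome.ps1\" /sc minute /mo 1 /f\n"
)


def build_constructed_cmdline() -> str:
    """Wrap INNER_SCRIPT the way such lures do: a Base64 literal inside a UTF-16LE -ec blob."""
    inner = base64.b64encode(INNER_SCRIPT.encode("utf-8")).decode()
    outer = f"iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{inner}')))"
    enc = base64.b64encode(outer.encode("utf-16-le")).decode()
    return f"powershell.exe -nop -w hidden -ec {enc}"


if __name__ == "__main__":
    report = triage(build_constructed_cmdline())
    print(f"{report['layers']} layers; indicators: {report['indicators']}")
    print("URLs:", *report["urls"])
    print(report["final_script"])
    print("hashes matching page IoCs:", matching_page_iocs(b"not the real sample") or "none")
```

To use it on a real shortcut, pull the argument string out of the .lnk (for instance with a LNK parser) and pass it to `triage`; pass the raw file bytes to `matching_page_iocs` to confirm whether the file is the sample listed above. The UTF-16LE heuristic matters because `-EncodedCommand` blobs do not decode to readable text as UTF-8, which is the usual reason a first CyberChef attempt looks like garbage.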
Full Story: https://wezard4u.tistory.com/429397