lazarusholic

Everyday is lazarus.dayβ

Analysis of Kimsuky APT Group (Powershell Payloads one of them attributed to XWorm RAT)

2025-05-12, Shubho57
https://medium.com/@shubhandrew/analysis-of-kimsuky-apt-group-powershell-payloads-one-of-them-attributed-to-xworm-rat-ea8a96ea53fe
#Kimsuky #XWorm

Contents

Summary
- I have analyzed two PowerShell payloads attributed to Kimsuky and XWorm RAT.
- Both payloads are Base64 encoded.
- Decoding both payloads in CyberChef reveals what each one does.
- The RAT downloads a few files (rar, exe, etc.), all from a single IP address.
- The APT payload also downloads a few files from the same IP address.
- Both the worm and the APT payload are used to gain an RDP connection to the victim's actual IP address, bypassing hypervisors.
Analysis of XWorm RAT (Powershell Script)
The figure shows a process tree, or attack chain, from ANY.RUN. It illustrates how an initial execution of powershell.exe leads to a series of spawned processes, commonly used in post-exploitation or malware activity.
- Multiple instances of cmd.exe and powershell.exe suggest command execution loops.
- The use of legitimate binaries (like csc.exe, slui.exe, sppextcomobj.exe) indicates evasion tactics (Living-off-the-Land Binaries and …

IoC

http://\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.
92.119.114.128
185.235.128.114
rule Inline_CSharp_ShowWindow_Hider
{
    meta:
        description = "Detects PowerShell using inline C# with ShowWindow from user32.dll to hide windows"
        author = "ChatGPT"
        reference = "Threat behavior: stealth hiding via API"
        date = "2025-05-10"
        severity = "medium"
    strings:
        // PowerShell context: the Add-Type cmdlet or the PowerShell engine assembly name
        $ps_add_type = "Add-Type" nocase
        $powershell_indicator = "System.Management.Automation" wide ascii
        // Inline C# P/Invoke of user32!ShowWindow and a call with nCmdShow = 0 (SW_HIDE)
        $dll_import = "[DllImport(\"user32.dll\")]" nocase
        $show_window = "ShowWindow" nocase
        $hide_call = "ShowWindow(hWnd, 0" nocase
    condition:
        (1 of ($ps_add_type, $powershell_indicator)) and
        $dll_import and
        $show_window and
        $hide_call
}
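As an added example (not code from the article), this Python script reproduces the two steps the page describes: Base64-decoding a PowerShell payload the way the CyberChef step does, and applying the strings and condition of the YARA rule above to the decoded text. The two PowerShell fragments are constructed for the demonstration, and the function and constant names are my own.

```python
import base64
import re

# Indicator strings mirrored from the Inline_CSharp_ShowWindow_Hider rule (re.I ~ YARA nocase).
PATTERNS = {
    "ps_add_type": re.compile(r"Add-Type", re.I),
    "dll_import": re.compile(r'\[DllImport\("user32\.dll"\)\]', re.I),
    "show_window": re.compile(r"ShowWindow", re.I),
    "hide_call": re.compile(r"ShowWindow\(hWnd, 0", re.I),
    "powershell_indicator": re.compile(r"System\.Management\.Automation"),
}

def decode_payload(b64: str) -> str:
    """Base64-decode a PowerShell payload to text (the CyberChef step). -EncodedCommand
    payloads are UTF-16LE, recognised by a NUL in every odd byte; anything else is read as UTF-8."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def evaluate_rule(script: str) -> dict:
    """Apply the rule's condition to decoded text; returns per-string hits plus the verdict.
    On decoded text the rule's 'wide ascii' alternatives collapse into a single check."""
    hits = {name: bool(pat.search(script)) for name, pat in PATTERNS.items()}
    hits["match"] = (
        (hits["ps_add_type"] or hits["powershell_indicator"])
        and hits["dll_import"] and hits["show_window"] and hits["hide_call"]
    )
    return hits

# Constructed samples (not the article's payloads). Both hide the console window through
# user32!ShowWindow; they differ only in whether the nCmdShow=0 call sits in C# or in PowerShell.
CSHARP_SIDE = (
    "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices;\n"
    "public class W { [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int n);\n"
    "public static void Hide(IntPtr hWnd) { ShowWindow(hWnd, 0); } }'\n"
    "[W]::Hide((Get-Process -Id $PID).MainWindowHandle)\n"
)
POWERSHELL_SIDE = (
    "Add-Type -Namespace N -Name W -MemberDefinition '[DllImport(\"user32.dll\")] "
    "public static extern bool ShowWindow(IntPtr hWnd, int n);'\n"
    "[N.W]::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0)\n"
)
# First sample in PowerShell's -EncodedCommand form (UTF-16LE), second as plain UTF-8 base64.
ENCODED_CSHARP_SIDE = base64.b64encode(CSHARP_SIDE.encode("utf-16-le")).decode()
ENCODED_POWERSHELL_SIDE = base64.b64encode(POWERSHELL_SIDE.encode("utf-8")).decode()
if __name__ == "__main__":
    for label, blob in (("C#-side call", ENCODED_CSHARP_SIDE), ("PowerShell-side call", ENCODED_POWERSHELL_SIDE)):
        print(label, evaluate_rule(decode_payload(blob)))
```

Running it shows that $hide_call fires only when the zero-argument ShowWindow call is written inside the C# body; the PowerShell-side variant trips every other string but not that one, which is the string to tune if the rule should cover both forms.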