Analysis of Kimsuky APT Group (Powershell Payloads one of them attributed to XWorm RAT)
Summary
- I analyzed two PowerShell payloads attributed to Kimsuky and to XWorm RAT.
- Both payloads are Base64 encoded.
- Decoding each payload in CyberChef reveals what it performs.
- The RAT downloads a few files, such as .rar and .exe, all from a single IP address.
- The APT payload also downloads some of its files from the same IP address.
- Both the worm and the APT payload are used to gain an RDP connection to the victim's actual IP, bypassing the hypervisors.
Analysis of XWorm RAT (Powershell Script)
The figure shows a process tree or attack chain, from ANY.RUN. It illustrates how an initial execution of powershell.exe
leads to a series of spawned processes, commonly used in post-exploitation or malware activity.
- Multiple instances of cmd.exe and powershell.exe suggest command execution loops.
- The use of legitimate binaries (like csc.exe, slui.exe, sppextcomobj.exe) indicates evasion tactics (Living-off-the-Land Binaries and …
IoC
http://\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.
92.119.114.128
185.235.128.114
rule Inline_CSharp_ShowWindow_Hider
{
    meta:
        description = "Detects PowerShell using inline C# with ShowWindow from user32.dll to hide windows"
        author = "ChatGPT"
        reference = "Threat behavior: stealth hiding via API"
        date = "2025-05-10"
        severity = "medium"
    strings:
        // Either an Add-Type call or the PowerShell engine name marks the sample as PowerShell
        $ps_add_type = "Add-Type" nocase
        $dll_import = "[DllImport(\"user32.dll\")]" nocase
        $show_window = "ShowWindow" nocase
        // SW_HIDE is 0: this is the call that makes the console window disappear
        $hide_call = "ShowWindow(hWnd, 0" nocase
        $powershell_indicator = "System.Management.Automation" wide ascii
    condition:
        (1 of ($ps_add_type, $powershell_indicator)) and
        $dll_import and
        $show_window and
        $hide_call
}
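To reproduce the CyberChef decoding step and the rule's condition offline, here is an added Python example (not code from the original post). The PowerShell stub it decodes is constructed, not one of the analysed payloads, and the helper names encode_command, decode_payload and matches_showwindow_hider are my own.

```python
import base64
import re

# Constructed sample, not one of the analysed payloads: a PowerShell stub that
# compiles inline C# and hides its own console via user32!ShowWindow(hWnd, 0).
SAMPLE_PS = r'''Add-Type -Namespace Native -Name Win -MemberDefinition @"
[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
[DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow();
public static void Hide(IntPtr hWnd) { ShowWindow(hWnd, 0); }
"@
[Native.Win]::Hide([Native.Win]::GetConsoleWindow())
'''

def encode_command(script: str) -> str:
    """Base64 a script the way powershell.exe -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_payload(b64: str) -> str:
    """Decode a Base64 PowerShell payload. -EncodedCommand blobs are UTF-16LE,
    other loaders Base64 plain UTF-8; sniff the NUL bytes at odd offsets."""
    raw = base64.b64decode(b64)
    odd = raw[1::2]
    if odd and odd.count(0) > len(odd) // 2:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

# Same atoms as the YARA rule's strings; nocase maps to re.I, wide/ascii is moot on decoded text.
INDICATORS = {
    "ps_add_type": re.compile(r"Add-Type", re.I),
    "powershell_indicator": re.compile(r"System\.Management\.Automation"),
    "dll_import": re.compile(r'\[DllImport\("user32\.dll"\)\]', re.I),
    "show_window": re.compile(r"ShowWindow", re.I),
    "hide_call": re.compile(r"ShowWindow\(hWnd, 0", re.I),
}

def matches_showwindow_hider(script: str) -> dict:
    """Evaluate the rule's condition over decoded script text, returning per-atom hits."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    hits["rule_fires"] = (
        (hits["ps_add_type"] or hits["powershell_indicator"])
        and hits["dll_import"] and hits["show_window"] and hits["hide_call"]
    )
    return hits

if __name__ == "__main__":
    blob = encode_command(SAMPLE_PS)          # what an -EncodedCommand launch carries
    decoded = decode_payload(blob)
    for name, hit in matches_showwindow_hider(decoded).items():
        print(f"{name:22} {hit}")
```

Feeding the script a real blob from a process-creation log lets you confirm which of the rule's atoms a payload actually contains before tuning the rule.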