
Attack Activities by Kimsuky Targeting Japanese Organizations

2024-07-08, JPCERT
https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html
#Kimsuky

JPCERT/CC has confirmed attack activities targeting Japanese organizations by an attack group called Kimsuky in March 2024. This article introduces the attack methods of the group confirmed by JPCERT/CC.
Attack overview
In the attack we identified, the attacker sent a targeted attack email impersonating a security and diplomatic organization. A zip file containing the following files with double file extensions was attached to the email. (File names are omitted.)
(1) [omitted].docx[a large number of spaces].exe
(2) [omitted].docx[a large number of spaces].docx
(3) [omitted].docx[a large number of spaces].docx
To hide the real file extension, each file name is padded with a large number of spaces so that only the fake .docx extension is visible in a file listing. The target executes the EXE file in (1), which eventually leads to malware infection. Figure 1 shows the flow after the EXE file is executed.
The docx files (2) and (3) are decoy documents. The following section explains the infection flow after the EXE file is executed.
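As an added illustration that is not part of the JPCERT article: a small Python check that inspects zip entry names (without extracting anything) and flags the padded double-extension pattern described above. The archive and its three file names are constructed here to mimic the attachment layout; the regular expression, the extension lists and the inclusion of tab and ideographic-space characters as possible padding are this example's own assumptions about what a defender would want to catch, not something the article states.

```python
"""Flag archive entries whose names hide the real extension behind whitespace padding."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions that mark an entry as a program even when it is shown as a document.
# (Assumed list for this example; extend to match local policy.)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk", ".hta", ".js", ".vbs"}

# Matches  <name>.<shown ext><run of whitespace>.<real ext>
# The padding class includes tab and the ideographic space (U+3000) as an assumed variant.
PADDED_NAME = re.compile(
    r"^(?P<shown>.*\.[A-Za-z0-9]{1,5})(?P<pad>[ \t\u3000]{2,})(?P<real>\.[A-Za-z0-9]{1,4})$"
)


@dataclass
class Finding:
    name: str          # full entry name as stored in the archive
    shown_ext: str     # extension a user sees before the padding, e.g. ".docx"
    real_ext: str      # extension the OS actually honours, e.g. ".exe"
    pad_len: int       # number of whitespace characters used as padding
    executable: bool   # True when the real extension is a program type


def inspect_name(name: str) -> Optional[Finding]:
    """Return a Finding if the entry name uses the padded double-extension trick."""
    base = name.rsplit("/", 1)[-1]          # zip entries use '/' as the path separator
    m = PADDED_NAME.match(base)
    if not m:
        return None
    shown_ext = "." + m.group("shown").rsplit(".", 1)[-1].lower()
    real_ext = m.group("real").lower()
    return Finding(name, shown_ext, real_ext, len(m.group("pad")), real_ext in EXECUTABLE_EXTS)


def scan_zip(data: bytes) -> List[Finding]:
    """Inspect every entry name in an in-memory zip archive; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            finding = inspect_name(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the three attachment names described above."""
    pad = " " * 120
    names = [
        f"invitation.docx{pad}.exe",    # (1) disguised executable
        f"agenda.docx{pad}.docx",       # (2) decoy document with a padded name
        f"attendees.docx{pad}.docx",    # (3) decoy document with a padded name
        "readme.txt",                   # ordinary name, must not be flagged
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        tag = "EXECUTABLE" if f.executable else "padded"
        print(f"{tag:10} shown={f.shown_ext} real={f.real_ext} pad={f.pad_len} name={f.name[:16]!r}...")
```

Only entry (1) is reported as an executable; the two decoys are still reported as padded names, which is useful on its own because legitimate documents have no reason to carry that padding. Because only the central directory is read, the check is safe to run on mail gateway quarantine without opening the attachment.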
Flow of infection
When …