Dissecting the Infection Chain: Technical Analysis of the Kimsuky JavaScript Dropper
This blog analyzes a Kimsuky sample, how the dropper downloads additional stages, and network traffic observed within the infection chain.
Last month, our team came across a few X posts about indicators of compromise related to Kimsuky, a North Korean threat group that has been active since 2012. Kimsuky is predominantly responsible for conducting espionage operations against government entities, think tanks, and subject matter experts. The initial post that we saw contained a network IOC, a file hash, and the names of some LNK files. Security researcher @naumovax subsequently shared snippets of network traffic and a link to an Any.Run Sandbox submission. This blog analyzes the initial sample, how it downloads additional stages, and the network traffic observed within the infection chain.
Initial Sample Details
The first file observed within this intrusion chain is a JavaScript file called Themes.js. This file starts the …
IoC
https://github.com/pulsedive-research/resources/
http://iuh234.medianewsonline.com/umprl.php?uid=
http://iuh234.medianewsonline.com
https://www.virustotal.com/gui/file/596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd/detection
https://bazaar.abuse.ch/sample/596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd
https://app.any.run/tasks/f19a2b0f-1c63-4b83-a743-250a6e9325a6
https://x.com/naumovax/status/1965055436039839952
https://x.com/suyog41/status/1962466397612834892
http://dwnkl.php
596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd