lazarusholic

Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

2024-06-13, Ahnlab
https://asec.ahnlab.com/en/66720/
#Kimsuky #CVE-2017-11882

Contents

AhnLab SEcurity intelligence Center (ASEC) has identified the details of the Kimsuky threat group recently exploiting a vulnerability (CVE-2017-11882) in the equation editor included in MS Office (EQNEDT32.EXE) to distribute a keylogger. The threat actor distributed the keylogger by exploiting the vulnerability to launch the mshta process, which loads a page with an embedded malicious script.
The page that mshta connects to is http://xxxxxxxxxxx.xxxxxx.xxxxxxxx.com/images/png/error.php, served under the file name error.php. As shown in Figure 2, the page displays a “Not Found” message so that the user believes no connection was established, while the malicious script is in fact being run.
Figure 3 shows the content of error.php. Major behaviors include downloading an additional malware strain from the C2 (Query=50) via a PowerShell command, creating a file named desktop.ini.bak under the Users\Public\Pictures path, and registering the desktop.ini.bak file in the Run key under HKLM with the name “Clear Web History” to allow it to …

IoC

279c86f3796d14d2a4d89049c2b3fa2d
5bfeef520eb1e62ea2ef313bb979aeae
d404ab9c8722fc97cceb95f258a2e70d
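A host triage check for the persistence artifacts this entry describes, added here as an example; it is not code from the ASEC article or from this index. The Run key value name, the drop path under Users\Public\Pictures and the three MD5 hashes come from the text above; the function name and the shape of the findings it returns are assumptions of mine.

```powershell
# Added example (not from the ASEC article). Looks for the Run key entry,
# the dropped file, and whether the file's MD5 matches a listed IoC hash.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Clear Web History'                       # name from the article
$DropPath  = Join-Path $env:PUBLIC 'Pictures\desktop.ini.bak'
# MD5 hashes listed in the IoC section of this entry
$KnownMd5 = @(
    '279c86f3796d14d2a4d89049c2b3fa2d',
    '5bfeef520eb1e62ea2ef313bb979aeae',
    'd404ab9c8722fc97cceb95f258a2e70d'
)

function Test-KimsukyKeyloggerArtifacts {   # function name is my own
    $findings = @()
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue

    # 1. Run key value registered under the name the article reports
    if ($run -and $run.PSObject.Properties.Name -contains $ValueName) {
        $findings += [pscustomobject]@{
            Indicator = 'RunKeyValue'; Detail = "$ValueName = $($run.$ValueName)"
        }
    }

    # 2. Any other Run value pointing at the drop location (catches a renamed value)
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -eq $ValueName) { continue }
            if ($p.Value -is [string] -and $p.Value -like '*Public\Pictures\desktop.ini.bak*') {
                $findings += [pscustomobject]@{
                    Indicator = 'RunKeyPath'; Detail = "$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # 3. Dropped file present; flag whether its hash is one of the listed IoCs
    if (Test-Path -Path $DropPath) {
        $md5 = (Get-FileHash -Path $DropPath -Algorithm MD5).Hash.ToLower()
        $label = if ($KnownMd5 -contains $md5) { 'DroppedFileKnownHash' } else { 'DroppedFileUnknownHash' }
        $findings += [pscustomobject]@{ Indicator = $label; Detail = "$DropPath md5=$md5" }
    }
    return $findings
}

Test-KimsukyKeyloggerArtifacts | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM key and the Public profile are readable; an empty table means none of the three artifacts was found.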