Kimsucky 2
Introduction
In my previous blog post, I covered the analysis of a North Korean APT group called Kimsucky APT. We examined a malicious document that used a PowerShell script for the adversary's purposes. Let's review some key points about Kimsucky:
- Targets: Primarily targets organizations in South Korea, Japan, and the United States
- Techniques: Often uses malicious documents containing exploits or links to download malware that can steal data or provide remote access.
- Tactics: Employs social engineering techniques (like spear phishing) and watering hole attacks to gain initial access to victim systems.
I found this particular sample of Kimsucky in the wild while doing my daily after-wake-up bazaar browsing. Interestingly, the sample is very simple and will help people understand how PowerShell works. Unfortunately, the sample I found didn't have any connections, or the C2's IP was missing from the script.
PowerShell Analysis
Server Connection
Even though the script itself is not at …
IoC
- SHA256: 87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062
- MD5: c81ed44799aefb540123159618f7507c
- SHA1: fd23177a4481f39fe53a306e2d7fe282cb30a87d
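The IoC section lists three digests of the same sample (SHA256, MD5, SHA1). The following is an added example, not code from the blog post, showing how a defender can turn such a list into a quick file-hash check: it computes all three digests of a file (or an in-memory byte string) and reports which listed IoCs match. The hash values are the ones from this post; the `scan_paths` helper, the `KIMSUCKY_IOCS` name and the sample byte strings are my own constructions.

```python
import hashlib
from pathlib import Path

# IoC digests copied from the post's IoC section. Keyed by algorithm so a
# match on any one of them is reported separately.
KIMSUCKY_IOCS = {
    "sha256": {"87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062"},
    "md5": {"c81ed44799aefb540123159618f7507c"},
    "sha1": {"fd23177a4481f39fe53a306e2d7fe282cb30a87d"},
}

ALGORITHMS = ("sha256", "md5", "sha1")


def hash_bytes(data: bytes) -> dict:
    """Return hex digests of the given bytes for every algorithm in ALGORITHMS."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file incrementally so large samples do not have to fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_digests(digests: dict, iocs: dict = KIMSUCKY_IOCS) -> list:
    """Return the list of algorithms whose digest appears in the IoC set.

    Comparison is case-insensitive because IoC feeds mix upper and lower case.
    """
    hits = []
    for algo, value in digests.items():
        known = {v.lower() for v in iocs.get(algo, ())}
        if value.lower() in known:
            hits.append(algo)
    return hits


def match_iocs(data: bytes, iocs: dict = KIMSUCKY_IOCS) -> list:
    """Hash an in-memory blob and return the matching IoC algorithms."""
    return match_digests(hash_bytes(data), iocs)


def scan_paths(paths, iocs: dict = KIMSUCKY_IOCS) -> dict:
    """Hash each readable file and map its path to the list of matching algorithms.

    Files that cannot be read are skipped rather than aborting the whole scan.
    """
    results = {}
    for p in map(Path, paths):
        try:
            results[str(p)] = match_digests(hash_file(p), iocs)
        except OSError:
            continue
    return results


if __name__ == "__main__":
    import sys
    # Usage: python ioc_check.py <file> [<file> ...]
    for path, hits in scan_paths(sys.argv[1:]).items():
        status = "MATCH (" + ", ".join(hits) + ")" if hits else "no match"
        print(f"{path}: {status}")
```

Reporting each algorithm separately is deliberate: a SHA256 hit is strong evidence, while an MD5-only hit with a differing SHA256 would point at a collision or a transcription error in the feed and deserves a second look rather than an automatic verdict.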