lazarusholic

Everyday is lazarus.dayβ

Kimsuky 4

2024-04-10, somedieyoungZZ
https://somedieyoungzz.github.io/posts/kimsuky-4/
#Kimsuky #LNK

Kimsuky 4
Introduction
Finally, today we take a look at another Kimsuky sample that was uploaded by our fellow researcher Neo on X. This time, the group set its sights on the Embassy of the Republic of Korea in China, leveraging a devious .lnk file as the initial attack vector. APT groups like Kimsuky exploit LNK files because they disguise malicious payloads as familiar shortcuts. These seemingly harmless icons trick targets into clicking, which then triggers the download and execution of malware that steals sensitive information or grants unauthorized access to systems.
VT shows a result of 30/59. Looks like Kimsuky has scored well on the test today. We can see the Kimsuky family label already detected through the signatures.
LNK Parser
We will use a tool called LnkParse that allows us to view the content of Windows shortcut (.LNK) files in JSON format. We can see a lot of PowerShell code that’s …

IoC

075d7249d09f14cbf0a4ffcb077c77512d3ab9a0
a4bd6d00abbd79ab00161ff538cfe703
fe156159a26f8b7c140db61dd8b136e1c8103a800748fe9b70a3a3fdf179d3c3