Kimsuky APT Targets South Korea with Deceptive PDF Lures
Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics
Contents
- Introduction
- Infection Chain
- Initial Findings
- Campaign 1
- Looking into PDF document.
- Campaign 2
- Looking into PDF document.
- Technical Analysis
- Campaign 1 & 2
- Conclusion
- Seqrite Protection
- MITRE ATT&CK
- IOCs
Introduction:
Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.
In this blog, we will delve into the technical details of the campaigns uncovered during our analysis. We will examine the various stages of infection, starting with a phishing email containing an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script. After de-obfuscating the script, we found that …
IoC
https://cdn.glitch.global/
http://srvdown.ddns.net
1B90EFF0B4F54DA72B19195489C3AF6C
CE4549607E46E656D8E019624D5036C1
A3353EA094F45915408065D03AE157C4
28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1
64677CAE14A2EC4D393A81548417B61B
F0F63808E17994E91FD397E3A54A80CB
1D64508B384E928046887DD9CB32C2AC
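The IoC list above is only useful once it is swept against telemetry. The following script is an added example, not code from Seqrite or from the original post: it takes the URLs and hash values exactly as published on this page, normalizes them (hostnames pulled out of the URLs, hashes lower-cased and classified by length), and scans log lines for exact matches. The log lines, field names and timestamps in SAMPLE_LOG are constructed for the demonstration and are not from the page.

```python
import re
from urllib.parse import urlparse

# IoCs copied verbatim from the page's IoC list.
PAGE_URLS = ["https://cdn.glitch.global/", "http://srvdown.ddns.net"]
PAGE_HASHES = [
    "1B90EFF0B4F54DA72B19195489C3AF6C",
    "CE4549607E46E656D8E019624D5036C1",
    "A3353EA094F45915408065D03AE157C4",
    "28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1",
    "64677CAE14A2EC4D393A81548417B61B",
    "F0F63808E17994E91FD397E3A54A80CB",
    "1D64508B384E928046887DD9CB32C2AC",
]

# Constructed sample telemetry (proxy + endpoint events); not from the page.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z proxy user=alice dst=srvdown.ddns.net path=/ status=200",
    "2024-01-01T10:00:05Z edr host=ws01 file=report.lnk md5=1b90eff0b4f54da72b19195489c3af6c",
    "2024-01-01T10:00:09Z proxy user=bob dst=example.com path=/index.html status=200",
    "2024-01-01T10:01:00Z edr host=ws02 file=notes.txt "
    "sha256=28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1",
]

# 64-hex (SHA-256 length) tried before 32-hex (MD5 length) so a long hash
# is never split into a shorter false match.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{32})\b")
# Dotted hostname tokens such as srvdown.ddns.net.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def build_indicators(urls, hashes):
    """Normalize page IoCs: hashes lower-cased, hostnames extracted from URLs."""
    hash_set = {h.lower() for h in hashes}
    host_set = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            host_set.add(host.lower())
    return hash_set, host_set


def scan_line(line, hash_set, host_set):
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for m in HASH_RE.finditer(line):
        token = m.group(0).lower()
        if token in hash_set:
            # Classified by length only; the page does not state the algorithm.
            kind = "sha256" if len(token) == 64 else "md5"
            hits.append((kind, token))
    for m in HOST_RE.finditer(line):
        token = m.group(0).lower()
        if token in host_set:
            hits.append(("host", token))
    return hits


def scan_log(lines, urls=PAGE_URLS, hashes=PAGE_HASHES):
    """Sweep a list of log lines; returns (line_no, kind, value) findings."""
    hash_set, host_set = build_indicators(urls, hashes)
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value in scan_line(line, hash_set, host_set):
            findings.append((line_no, kind, value))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} match {value}")
```

Hash matches are high-confidence; a hostname match on a shared public hosting domain such as cdn.glitch.global will also catch legitimate traffic, so the two should be triaged with different priority rather than treated as equal alerts.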