lazarusholic

Kimsuky Espionage Campaign

2021-08-23, Inquest
https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign
#Kimsuky

Kimsuky Espionage Campaign
A few days ago we came across an interesting JavaScript file masquerading as a PDF. When executed, it drops and opens a PDF (to keep up the ruse) and also drops an executable. The decoy poses as a Korean Foreign Ministry document and its newsletter. Malwarebytes reported the same attack earlier, in June.
Evidently the threat actor behind this campaign is still using the same infrastructure and infection technique.
|File Type|JavaScript|
|SHA-256|20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd|
|Size|27.31 MB (28634023 bytes)|
The sample has shallow detection on VirusTotal: at the time of our first check, 3 of 58 engines flagged it.
That made it worth a closer look at its technical makeup.
Opening the file in a hex editor shows that it is filled with Base64-encoded data. To go further we need to extract that data and see what it contains. …
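One way to do that extraction step, as an added example that is not Inquest's own tooling: a Python triage script that pulls long Base64 runs out of a script file, decodes each one, and labels the result by its leading magic bytes (PDF decoy vs. Windows executable). The sample JavaScript and both embedded payloads are constructed stand-ins, not the real dropper.

```python
import base64
import binascii
import re

# Standard file signatures used to label what a decoded blob is.
MAGIC = {
    b"%PDF": "pdf",   # PDF document (the decoy shown to the victim)
    b"MZ": "pe",      # Windows executable (the dropped payload)
}
# A run of at least 64 Base64 alphabet characters plus optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def classify(blob: bytes) -> str:
    """Return a type label for decoded bytes based on their leading magic."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def extract_payloads(js: bytes):
    """Find Base64 runs in a script, decode them, and label each result.

    Returns a list of (offset, label, decoded_bytes) tuples. Runs that are
    not valid Base64 (bad length or padding) are skipped rather than
    decoded loosely, so long identifiers do not produce garbage hits.
    """
    found = []
    for m in B64_RUN.finditer(js):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        found.append((m.start(), classify(decoded), decoded))
    return found


# Constructed sample dropper: a minimal PDF and a fake PE header, Base64
# encoded into string literals the way the real file embeds its payloads.
FAKE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
            b"endobj\n%%EOF\n")
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
SAMPLE_JS = (
    b"var pdf = '" + base64.b64encode(FAKE_PDF) + b"';\n"
    b"var exe = '" + base64.b64encode(FAKE_PE) + b"';\n"
    b"var sh = new ActiveXObject('WScript.Shell');\n"
)

if __name__ == "__main__":
    for offset, label, data in extract_payloads(SAMPLE_JS):
        print(f"offset={offset} type={label} size={len(data)}")
```

On a real sample, read the file as bytes and pass it to `extract_payloads`; each labelled blob can then be written out and hashed separately from the carrier script.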

IoC
[URL scheme removed from source]://texts.letterpaper.press