Kimsuky group appears to be exploiting OneNote like cybercrime groups
Author: BLKSMTH | S2W TALON
Last Modified: Mar 17, 2023
Executive Summary
- We have confirmed that the Kimsuky group is distributing malware through a malicious OneNote (.ONE) file, a delivery format that financially motivated cybercriminals have already been using widely.
- When opened, the ONE file displays an image bearing the name of the Institute for Peace and Democracy at Korea University and asks the target to fill out a personal-information consent form so that they can be paid for taking part in a survey.
- The "attached" HWP file is only an image, not a real attachment; double-clicking its location runs a malicious VBS script hidden behind the image, which downloads additional malware.
- Although the final payload could not be obtained, we attribute this OneNote campaign to the Kimsuky group because the request parameters match those the group has used to distribute the BabyShark malware, and because the compensation (survey-payment) lure is a theme the group has used before.
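For defenders who want to check a suspicious OneNote file for the kind of hidden object described above, the following Python scanner is an added example; it is not code from S2W TALON or from the report. It walks a .one file for embedded FileDataStoreObject blobs using the public MS-ONESTORE GUID constants, reports each object's offset, length and type, and flags objects whose content looks like a script rather than a document or image. The sample file bytes, the decoy image and the inert VBS text are constructed here, and the script-detection keywords are our own heuristic, not a published signature.

```python
"""Scan a OneNote (.one) file for embedded FileDataStoreObject blobs and flag
script-like payloads. Added example; parsing follows the public MS-ONESTORE
layout, the content heuristics and sample data are our own assumptions."""
import re
import struct

# GUIDs from the MS-ONESTORE spec, stored little-endian inside the file.
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")    # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# File-type magic for the embedded objects we expect to see in a document.
MAGIC = [(b"MZ", "pe"), (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"), (b"%PDF", "pdf"),
         (b"\x89PNG", "png"), (b"\xff\xd8\xff", "jpeg"), (b"PK\x03\x04", "zip")]

# Heuristic (our assumption): tokens that rarely appear in a legitimate attachment.
SCRIPT_PATTERNS = re.compile(rb"(?i)(CreateObject\s*\(|WScript\.Shell|Execute\s*\(|"
                             rb"powershell|cmd(\.exe)?\s*/c|mshta|<script)")


def is_onenote(blob):
    """True if the buffer starts with the OneNote file-format header GUID."""
    return blob.startswith(ONE_MAGIC)


def classify(data):
    """Return a coarse type for an embedded object's raw bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "script" if SCRIPT_PATTERNS.search(data) else "unknown"


def extract_embedded(blob):
    """Find every FileDataStoreObject and return offset, length, type and data."""
    objects = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        data_start = pos + FDSO_HEADER_LEN
        if data_start > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)  # cbLength
        data = blob[data_start:data_start + length]
        objects.append({"offset": pos, "length": length, "kind": classify(data), "data": data})
        pos = blob.find(FDSO_HEADER, data_start + length)
    return objects


def report(blob):
    """One line per embedded object; script-like objects are marked SUSPICIOUS."""
    lines = []
    for obj in extract_embedded(blob):
        flag = "SUSPICIOUS" if obj["kind"] == "script" else "ok"
        lines.append(f"offset=0x{obj['offset']:x} length={obj['length']} kind={obj['kind']} {flag}")
    return lines


# --- constructed sample (not a real malicious file) ---------------------------
def build_fdso(data):
    """Wrap raw bytes in a FileDataStoreObject, padded to 8 bytes, with footer."""
    padded = data + b"\x00" * (-len(data) % 8)
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12 + padded + FDSO_FOOTER


SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16           # decoy image, constructed
SAMPLE_VBS = (b"' constructed decoy script\r\n"
              b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'MsgBox "constructed sample"\r\n')
SAMPLE_ONE = ONE_MAGIC + b"\x00" * 32 + build_fdso(SAMPLE_PNG) + b"\x11" * 8 + build_fdso(SAMPLE_VBS)

if __name__ == "__main__":
    print("onenote header:", is_onenote(SAMPLE_ONE))
    for line in report(SAMPLE_ONE):
        print(line)
```

Run it against a real .one file by replacing SAMPLE_ONE with the file's bytes; any object classified as script, or any unknown object whose size does not match the attachment the page claims to carry, is worth a closer look in a sandbox.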
Technical Details
On March …
IoC
IP address: 185.176.43.98
MD5: aa756b20170aa0869d6f5d5b5f1b7c37
MD5: f2a0e92b80928830704a00c91df87644
URL: http://delps.scienceontheweb.net/ital/info/list.php?query=1
URL: http://delps.scienceontheweb.net/ital/info/sample.hwp