lazarusholic

Kimsuky Targets South Korean Research Institutes with Fake Import Declaration

2023-11-30, Ahnlab
https://asec.ahnlab.com/en/59387/
#Kimsuky

Contents

AhnLab Security Emergency response Center (ASEC) has recently identified that the Kimsuky threat group is distributing a malicious JSE file disguised as an import declaration to research institutes in South Korea. The final payload is a backdoor that the threat actor uses to steal information and execute commands.
The file name of the dropper disguised as an import declaration is as follows.
- Import Declaration_Official Stamp Affixed.jse
The JSE contains three parts: an obfuscated PowerShell script, a Base64-encoded backdoor file, and a legitimate PDF file.
The PowerShell script writes the legitimate PDF to disk as ‘Import Declaration.PDF’ and opens it automatically. The PDF contains information about the targeted organization, so the recipient sees the document they expected; the decoy is most likely there so that the user does not notice the backdoor being installed at the same time.
Meanwhile the backdoor is dropped into the %ProgramData% directory as ‘vuVvMKg.i3IO’ and launched with rundll32.exe. The unusual extension makes no difference to rundll32.exe, which loads whatever path it is given as a DLL, so the file should be handled as a DLL during analysis, and rundll32.exe loading a non-.dll file out of %ProgramData% is a useful hunting signal.
- powershell.exe …
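The dropper layout described above (Base64-encoded payloads inside a JSE, a decoy PDF, a backdoor loaded through rundll32.exe from a non-.dll path) can be triaged statically. The following Python script is an added example and is neither ASEC's code nor the actual malware: it carves Base64 runs out of a script, decodes them, classifies each blob by its magic bytes, and flags rundll32 command lines whose module does not carry a .dll extension. The sample script, the placeholder PDF and PE bytes, the PowerShell second stage, the default C:\ProgramData location and the export name EntryPoint are all constructed for the example; the real dropper is obfuscated and its command line is not reproduced in the write-up.

```python
"""Static triage of a JScript/JSE dropper that embeds Base64 payloads.

Added example, not ASEC's code. It carves Base64 blobs out of a script, decodes
them, classifies each by magic bytes (PDF decoy, PE backdoor, PowerShell text)
and flags rundll32 command lines that load a file whose extension is not .dll.
"""
import base64
import binascii
import re
from typing import List, Tuple

# A long run of Base64 alphabet; short identifiers in the script never reach 32 chars.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# rundll32 followed by the module path it is told to load (a comma separates the export).
RUNDLL32_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', re.IGNORECASE)

# --- constructed sample input: placeholders, not the real malware -------------------
FAKE_PDF = b"%PDF-1.4\n% decoy document stands in for Import Declaration.PDF\n%%EOF\n"
# 64-byte DOS header with e_lfanew -> 0x40, then a bare "PE\0\0" signature; no real code.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
# Hypothetical second stage mirroring the write-up: drop to %ProgramData% (default
# C:\ProgramData assumed) under a non-DLL extension, then load it with rundll32.
# The export name "EntryPoint" is a placeholder; the real one is not in the write-up.
FAKE_PS = (
    b'[IO.File]::WriteAllBytes("C:\\ProgramData\\vuVvMKg.i3IO", $bytes)\r\n'
    b'rundll32.exe "C:\\ProgramData\\vuVvMKg.i3IO",EntryPoint\r\n'
)
# Constructed JScript dropper: three Base64 strings and a WScript.Shell launcher.
SAMPLE_JSE = (
    'var pdf = "' + base64.b64encode(FAKE_PDF).decode() + '";\n'
    'var dll = "' + base64.b64encode(FAKE_PE).decode() + '";\n'
    'var ps  = "' + base64.b64encode(FAKE_PS).decode() + '";\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'sh.Run("powershell.exe -enc " + ps, 0, false);\n'
)


def classify(data: bytes) -> str:
    """Identify a decoded blob by its leading bytes."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "unknown"


def find_base64_blobs(script: str) -> List[str]:
    """Return every candidate Base64 run in document order."""
    return B64_RUN.findall(script)


def carve(script: str) -> List[Tuple[str, bytes]]:
    """Decode each Base64 run and tag it with its type; runs that fail strict decoding are skipped."""
    found = []
    for blob in find_base64_blobs(script):
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue  # a long identifier or a non-Base64 run; ignore it
        found.append((classify(data), data))
    return found


def find_rundll32_targets(text: str) -> List[Tuple[str, bool]]:
    """Return (module path, suspicious) for each rundll32 load; a non-.dll extension is the flag."""
    out = []
    for path in RUNDLL32_TARGET.findall(text):
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        out.append((path, ext != "dll"))
    return out


def triage(script: str) -> dict:
    """Summarize payload kinds and any rundll32 loads found in decoded text payloads."""
    payloads = carve(script)
    summary = {"kinds": [kind for kind, _ in payloads], "rundll32": []}
    for kind, data in payloads:
        if kind == "text":
            summary["rundll32"].extend(find_rundll32_targets(data.decode()))
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_JSE))
```

On a real sample, pass the file contents to triage(). Obfuscated droppers often split, reverse or character-shift their Base64 strings, so a carver like this is a first pass that confirms the layout, not a complete deobfuscator; the rundll32 check is the part worth turning into a detection rule.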

IoC

d2335df6d17fc7c2a5d0583423e39ff8
d6abeeb469e2417bbcd3c122c06ba099
http://rscnode.dothome.co.kr/index.php
http://rscnode.dothome.co.kr/upload.php