Malicious LNK Files Distributing a Python-Based Backdoor and Changes in Distribution Techniques (Kimsuky Group)
Overview
AhnLab SEcurity intelligence Center (ASEC) recently identified a change in the Kimsuky group’s method of distributing malicious LNK files. The overall attack flow remains the same as before, with a malicious LNK ultimately executing a Python-based backdoor or downloader. However, a structural change was observed in the intermediate execution phase.
| Category | Previous Distribution Method | Recent Distribution Method |
|---|---|---|
| Initial execution | LNK → PowerShell → BAT | LNK → PowerShell → Generate decoy-XML-PS1-VBS |
| Intermediate stage | Run BAT alone | XML → VBS → PS1 → BAT |
| File download | Download ZIP, decoy file | Download ZIP file |
| ZIP file structure | Python script, Python interpreter, XML scheduler files | Python script, Python interpreter, XML scheduler files |
| Final execution | Execute a Python script by XML → Download and execute a …
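As an added example (not code from the ASEC post), the Python below labels process-creation events by the stage file types in the table and reports which of the two chains a run of consecutive stages matches, for use over a host's Sysmon-style telemetry. Which Windows host process runs each file type, the event format and the sample telemetry are assumptions, not details from the post.

```python
from datetime import datetime, timedelta
# Which host process runs each file type is an assumption about Windows; the
# post only names the file types (XML, VBS, PS1, BAT, Python) per stage.
def stage_of(image, cmdline):
    image, cmdline = image.lower(), cmdline.lower()
    if image.endswith("schtasks.exe") and "/xml" in cmdline:
        return "XML"  # scheduled task registered from an XML file
    if image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmdline:
        return "VBS"
    if image.endswith("powershell.exe"):
        return "PS1" if ".ps1" in cmdline else "PowerShell"
    if image.endswith("cmd.exe") and (".bat" in cmdline or ".cmd" in cmdline):
        return "BAT"
    if image.endswith(("python.exe", "pythonw.exe")):
        return "Python"
    return None  # unrelated process (e.g. the decoy viewer)

# Stage sequences from the table; both end in the Python script the scheduler runs.
CHAINS = {"previous": ["PowerShell", "BAT", "Python"],
          "recent": ["PowerShell", "XML", "VBS", "PS1", "BAT", "Python"]}

def find_chains(events, window=timedelta(minutes=30)):
    """Return {chain_name: matched events}: consecutive labelled events on one
    host whose stage labels equal a chain and fall inside `window`."""
    ordered = sorted(events, key=lambda e: e["ts"])
    labelled = [(s, e) for e in ordered if (s := stage_of(e["image"], e["cmdline"]))]
    hits = {}
    for name, chain in CHAINS.items():
        for i in range(len(labelled) - len(chain) + 1):
            run = labelled[i:i + len(chain)]
            if ([s for s, _ in run] == chain
                    and run[-1][1]["ts"] - run[0][1]["ts"] <= window):
                hits[name] = [e for _, e in run]
                break
    return hits

def ev(secs, image, cmdline):  # constructed process-creation event
    return {"ts": datetime(2025, 1, 1, 9, 0) + timedelta(seconds=secs),
            "image": image, "cmdline": cmdline}
# Constructed telemetry for the recent chain; file names are placeholders.
SAMPLE = [
    ev(0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -WindowStyle Hidden -Command ..."),
    ev(5, r"C:\Windows\System32\schtasks.exe", r"schtasks /Create /XML C:\Users\u\task.xml /TN Upd"),
    ev(6, r"C:\Windows\System32\notepad.exe", r"notepad C:\Users\u\decoy.txt"),
    ev(20, r"C:\Windows\System32\wscript.exe", r"wscript C:\Users\u\run.vbs"),
    ev(25, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -File C:\Users\u\run.ps1"),
    ev(30, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Users\u\run.bat"),
    ev(40, r"C:\Users\u\py\python.exe", r"python.exe C:\Users\u\py\main.py"),
]
```

Calling `find_chains(SAMPLE)` reports only the `recent` chain, because the `previous` pattern requires the BAT stage to follow the first PowerShell stage directly, with no XML, VBS or PS1 stages in between.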
IoC