The North Korean nation-state APT43 Kimsuky used the PowerShell forceCopy to conduct spear-phishing analysis
Summary
From an AhnLab SEcurity intelligence Center (ASEC) report I noted the "Theft of Web Browser Information (forceCopy)" malware, which consists of PowerShell scripts. I collected three samples; they share a similar design, so I chose one of them to analyse. The obfuscation techniques Kimsuky applies to this PowerShell script deserve attention, especially now that AI is developing fast and makes the work of both malware authors and analysts easier.
Technical analysis
This forceCopy sample is a PowerShell script (executable).
MD5 hash: 1e9d94d88fdac3c4a0a47a3a1d07e329
The source code is obfuscated and difficult to read, so I deobfuscated it by hand to make it readable. The code discussed here is only a small part of the script.
1. It defines a function (stored in the variable $mqtz60) that takes an array of strings ($vvv32) as input;
2. For each string in the array, it decodes the string from Base64, converts the resulting byte array to a …
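As an added illustration (this is not code from the post or from the malware itself), the following Python helper performs the analyst-side equivalent of that decoder: it pulls Base64 string arrays out of a PowerShell script and decodes each member to text, flagging members that are not valid Base64. The embedded script and its strings are constructed placeholders that mimic the $mqtz60/$vvv32 design described above.

```python
import base64
import re
from typing import List, Optional

# Constructed sample (not the real forceCopy script): a scriptblock stored in a
# variable takes an array of Base64 strings and decodes each to UTF-8 text.
# The encoded values are harmless placeholders, one of them deliberately broken.
SAMPLE_PS1 = r'''
$mqtz60 = {
    param([string[]]$vvv32)
    foreach ($s in $vvv32) {
        [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($s))
    }
}
$decoded = & $mqtz60 @("R2V0LVByb2Nlc3M=", "V3JpdGUtT3V0cHV0", "QUJD", "QUJDR")
'''

# Matches PowerShell array literals of the form @( "...", "..." ).
ARRAY_RE = re.compile(r'@\((?P<items>[^)]*)\)')
# Matches double-quoted members made only of Base64 alphabet characters.
STRING_RE = re.compile(r'"([A-Za-z0-9+/=]+)"')


def extract_base64_arrays(script: str) -> List[List[str]]:
    """Return every @( ... ) array literal whose members look like Base64."""
    arrays = []
    for m in ARRAY_RE.finditer(script):
        items = STRING_RE.findall(m.group('items'))
        if items:
            arrays.append(items)
    return arrays


def decode_item(item: str) -> Optional[str]:
    """Strictly decode one Base64 member to UTF-8; None if it is not valid."""
    try:
        return base64.b64decode(item, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def decode_script_strings(script: str) -> List[str]:
    """Decode all array members in order; undecodable ones are kept but marked."""
    out = []
    for arr in extract_base64_arrays(script):
        for item in arr:
            text = decode_item(item)
            out.append(text if text is not None else f'<undecodable:{item}>')
    return out
```

Running decode_script_strings on a real sample gives the cleartext strings the decoder would produce at runtime without executing the script.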
IoC
1e9d94d88fdac3c4a0a47a3a1d07e329