Kimsuky APT Analysis
Introduction
Kimsuky APT (also known as Thallium, Baby Coin, Smoke Screen) is a North Korean cyber-espionage actor that has targeted South Korean think tanks, academia and research institutes, government entities and private companies since 2012. The group's operations are primarily aimed at government entities in South Korea. Like many APTs, Kimsuky uses a range of initial-infection methods; here we look at one sample that uses PowerShell to infect the victim.
Like most malicious Word documents, it relies on social engineering to get the target to click "Enable Content" so the macro code runs. Once the macro is enabled, the content of the document changes; searching the decoy text suggests it concerns an attack on a South Korean news channel.
Let's dive into the analysis of the macro using oletools.
Ole Analysis
Enable Macros
Using …
IoC
MD5: 07d0be79be38ecb8c7b1c80ab0bd8344
IP: 185.176.43.82
SHA256: 1fcd9892532813a27537f4e1a1c21ec0c110d6b3929602750ed77bbba7caa426
URL: http://mybobo.mygamesonline.org/flower01/
URL: http://mybobo.mygamesonline.org/flower01/flower01.ps1
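As an added example (not part of the original write-up), the script below turns the indicators above into a small offline sweep: it classifies each IoC by shape (MD5, SHA256, IPv4, URL), derives the hostname from the URL indicators so plain DNS/proxy entries for the domain are caught as well, hashes a file against the hash indicators, and matches URL, domain and IP indicators against proxy log lines with boundary checks so that, for example, `1185.176.43.820` does not match the listed IP. The proxy log lines and the file bytes are constructed for the demonstration; the page does not say whether the MD5 and SHA256 belong to the same file, so the script treats them as independent indicators.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as listed on the page. The MD5 and SHA256 are matched
# independently because the write-up does not say they are the same file.
RAW_IOCS = [
    "07d0be79be38ecb8c7b1c80ab0bd8344",
    "185.176.43.82",
    "1fcd9892532813a27537f4e1a1c21ec0c110d6b3929602750ed77bbba7caa426",
    "http://mybobo.mygamesonline.org/flower01/",
    "http://mybobo.mygamesonline.org/flower01/flower01.ps1",
]

# Constructed proxy log lines for the demonstration (not real traffic).
SAMPLE_PROXY_LOG = [
    "2023-01-01T10:00:01Z 10.0.0.5 GET http://mybobo.mygamesonline.org/flower01/flower01.ps1 200",
    "2023-01-01T10:00:02Z 10.0.0.7 GET https://example.org/index.html 200",
    "2023-01-01T10:00:03Z 10.0.0.9 CONNECT 185.176.43.82:443 -",
    "2023-01-01T10:00:04Z 10.0.0.9 CONNECT 1185.176.43.820:443 -",
]


def classify(ioc: str) -> str:
    """Return the indicator type by shape: md5, sha256, ipv4, url or unknown."""
    if re.fullmatch(r"[0-9a-f]{32}", ioc, re.I):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{64}", ioc, re.I):
        return "sha256"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return "ipv4"
    if re.match(r"https?://", ioc, re.I):
        return "url"
    return "unknown"


def index_iocs(iocs):
    """Group lower-cased indicators by type: {"md5": {...}, "url": {...}, ...}."""
    by_type = {}
    for ioc in iocs:
        by_type.setdefault(classify(ioc), set()).add(ioc.strip().lower())
    return by_type


def hosts_from(urls):
    """Hostnames of the URL indicators, so bare domain hits are caught too."""
    return {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}


def hash_file_bytes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_file(data: bytes, by_type) -> list:
    """Return [(algo, digest)] for every hash indicator the file matches."""
    return [
        (algo, digest)
        for algo, digest in hash_file_bytes(data).items()
        if digest in by_type.get(algo, set())
    ]


def scan_log_line(line: str, by_type) -> list:
    """Return sorted (type, value) hits for URL, domain and IP indicators."""
    lowered = line.lower()
    hits = set()
    for url in by_type.get("url", ()):
        if url in lowered:  # full-URL (or prefix-directory) match
            hits.add(("url", url))
    for host in hosts_from(by_type.get("url", ())):
        # Allow a leading "." so subdomains of the indicator host also match.
        if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w.-])", lowered):
            hits.add(("domain", host))
    for ip in by_type.get("ipv4", ()):
        # Octet boundaries: 1185.176.43.820 must not match 185.176.43.82.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", lowered):
            hits.add(("ipv4", ip))
    return sorted(hits)


def sweep(log_lines, by_type) -> list:
    """Return [(line_number, hits)] for every log line with at least one hit."""
    results = []
    for number, line in enumerate(log_lines, start=1):
        hits = scan_log_line(line, by_type)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    index = index_iocs(RAW_IOCS)
    for number, hits in sweep(SAMPLE_PROXY_LOG, index):
        print(f"line {number}: {hits}")
    print("file hits:", check_file(b"constructed benign bytes", index))
```

The URL match is a plain substring test, so the directory indicator `http://mybobo.mygamesonline.org/flower01/` also fires on the `flower01.ps1` request; the domain and IP matches use boundary checks to avoid false hits on longer names or IPs that merely contain the indicator.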