Everyday is lazarus.dayβ

Kimsuky APT Analysis

2024-03-02, somedieyoungZZ


Kimsuky APT (also known as Thallium, Baby Coin, and Smoke Screen) is a North Korean cyber-espionage actor that has targeted South Korean think tanks, academia and research institutes, government entities, and private companies since 2012. The group's espionage operations focus mainly on government entities in South Korea. Like many other APTs, Kimsuky uses a variety of initial-infection methods; today we are going to look at one sample that uses PowerShell to infect the victim.
Like every malicious Word file, it relies on social engineering to make the target click "Enable Content", which executes the malicious macro code. Once the macro is enabled, the content of the document changes, and searching the text suggests the lure is themed as an attack on a South Korean news channel.
Let's dive into the analysis of the macro using the Oletools suite.
Ole Analysis
Enable Macros
Using …
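As an added example (not code from the original post, and not the oletools implementation itself), here is a small Python triage in the spirit of olevba's indicator scan, covering what matters for a macro like this one: auto-executing subs, Shell/PowerShell launch keywords, and strings hidden behind Chr() concatenation. The VBA snippet it runs on is constructed for the example and is not the Kimsuky sample.

```python
import re

# Constructed sample: a simplified VBA macro in the style of droppers that
# launch PowerShell once "Enable Content" is clicked. Not the real sample.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim p As String
    p = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & "shell"
    Shell p & " -w hidden -enc SQBFAFgA", vbHide
End Sub
'''

# Sub names Office runs automatically when the document is opened.
AUTOEXEC = {"autoopen", "document_open", "workbook_open", "auto_open", "autoexec"}
# Keywords that indicate process launch / PowerShell usage / hidden execution.
SUSPICIOUS = ["shell", "wscript.shell", "createobject", "powershell", "-enc", "hidden"]

def decode_chr(line: str) -> str:
    """Fold Chr(n) calls and '&' joins between literals so hidden strings read plainly."""
    line = re.sub(r'Chr\((\d+)\)', lambda m: '"' + chr(int(m.group(1))) + '"',
                  line, flags=re.IGNORECASE)
    return re.sub(r'"\s*&\s*"', '', line)

def triage_vba(src: str) -> dict:
    """Return triage indicators for one VBA source blob (hypothetical helper)."""
    autoexec, keywords, decoded = set(), set(), []
    for raw in src.splitlines():
        line = decode_chr(raw)
        if line != raw:                      # record lines that were obfuscated
            decoded.append(line.strip())
        low = line.lower()
        m = re.match(r'\s*(?:private |public )?sub\s+(\w+)', low)
        if m and m.group(1) in AUTOEXEC:
            autoexec.add(m.group(1))
        for k in SUSPICIOUS:
            if k in low:
                keywords.add(k)
    launches = bool(keywords & {"shell", "wscript.shell", "powershell"})
    verdict = "likely macro dropper" if autoexec and launches else "review manually"
    return {"autoexec": sorted(autoexec), "keywords": sorted(keywords),
            "decoded": decoded, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Feed it the VBA text that olevba extracts from the document; the decoded lines are usually where the real PowerShell command line shows up.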