Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns
The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,” has been active since at least 2012, targeting nations like South Korea, Japan, and the United States with sophisticated cyber espionage campaigns.
Recently, new Indicators of Compromise (IOCs) shared via a tweet revealed a ZIP file containing malicious payloads, exposing the group’s latest attack vector.
Detailed analysis of the infection chain showcases an intricate blend of phishing, malware deployment, and obfuscation techniques designed to evade detection and penetrate sensitive systems.

This discovery highlights Kimsuky’s relentless focus on data exfiltration and reconnaissance, employing a multi-stage attack framework that leverages legitimate system processes to execute their malicious objectives.
Advanced Tactics in Cyber Espionage Uncovered
The ZIP file at the heart of this campaign contained four critical components: a VBScript (1.vbs), a PowerShell script (1.ps1), and two encoded text files (1.log and 2.log).
The VBScript employs heavy obfuscation using functions like chr() and CLng() to dynamically generate and execute commands, effectively bypassing signature-based antivirus detection.
Upon deobfuscation, it triggers the PowerShell script, passing the encoded 1.log file as an argument.

The PowerShell script decodes base64-encoded data from 1.log, collects unique system identifiers like the BIOS serial number, and creates a machine-specific directory in the temp folder to store attack files.
Notably, the script includes a self-destruct mechanism for VMware environments, deleting all related files to avoid analysis in virtualized sandboxes.
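As an added triage helper, not code from the article or from K7 Labs: a Python script that decodes the chr()/CLng() concatenation pattern described above into the literal string it builds, measures how much of a script consists of such chains, and flags a decoded launcher name. The two VBScript samples embedded in it are constructed for illustration and are not the campaign's 1.vbs.

```python
import re

# One chr(n) or chr(CLng(n)) call, the building block the dropper uses.
_CHR = r'chr\s*\(\s*(?:clng\s*\(\s*\d+\s*\)|\d+)\s*\)'
# A chain of such calls joined with VBScript's & concatenation operator.
_CHAIN = re.compile(rf'{_CHR}(?:\s*&\s*{_CHR})*', re.IGNORECASE)
_NUM = re.compile(r'\d+')
# Launcher names that, once decoded, indicate a second-stage hand-off.
_LAUNCHER = re.compile(r'powershell|cmd\.exe', re.IGNORECASE)


def decode_chr_chains(script: str) -> str:
    """Replace every chr()/CLng() chain with the literal string it builds."""
    def to_literal(m):
        codes = _NUM.findall(m.group(0))  # CLng itself contributes no digits
        return '"' + ''.join(chr(int(c)) for c in codes) + '"'
    return _CHAIN.sub(to_literal, script)


def obfuscation_ratio(script: str) -> float:
    """Fraction of the script's characters spent on chr() chains."""
    covered = sum(len(m.group(0)) for m in _CHAIN.finditer(script))
    return covered / len(script) if script else 0.0


def triage(script: str, threshold: float = 0.3) -> dict:
    """Decode, score and flag one script; threshold is a tunable assumption."""
    decoded = decode_chr_chains(script)
    ratio = obfuscation_ratio(script)
    hit = _LAUNCHER.search(decoded)
    return {
        "ratio": round(ratio, 2),
        "decoded": decoded,
        "launcher": hit.group(0).lower() if hit else None,
        "suspicious": ratio >= threshold or hit is not None,
    }


# Constructed sample in the style the article describes (not the real 1.vbs):
# it spells "powershell" from chr()/CLng() calls, then runs it with the
# script and encoded log file as arguments, as the article says the dropper does.
SAMPLE_VBS = (
    'Dim c\n'
    'c = chr(CLng(112)) & chr(CLng(111)) & chr(119) & chr(CLng(101)) & '
    'chr(114) & chr(CLng(115)) & chr(104) & chr(101) & chr(CLng(108)) & chr(108)\n'
    'CreateObject("WScript.Shell").Run c & " 1.ps1 1.log"\n'
)
# Constructed benign script: a single chr() call and no launcher name.
BENIGN_VBS = 'Dim n\nn = chr(65)\nWScript.Echo n\n'

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_VBS), ("benign", BENIGN_VBS)):
        print(name, triage(body))
```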
Dissecting the Multi-Layered Attack Chain
Further examination reveals 11 distinct functions within the malware, including data exfiltration (UploadFile), browser data theft (GetBrowserData, targeting Edge, Chrome, Firefox, and Naver Whale), cryptocurrency wallet extension harvesting (GetExWFile), and command-and-control (C2) communication (the Work function).
These functions enable the malware to steal sensitive information like cookies, login credentials, and hardware details, compress them into ZIP files, and upload them to remote servers.
Additionally, the decoded 2.log file facilitates keylogging, clipboard monitoring, and window title logging, underscoring the stealer’s invasive capabilities.
Kimsuky’s focus on network-related data suggests active reconnaissance for future exploits, with persistence mechanisms like task registration ensuring long-term access to compromised systems.
This campaign reflects a time-intensive, multi-component strategy that interlinks various scripts and payloads to maximize evasion and impact, posing a significant threat to individual and organizational security.
As threat actors like Kimsuky continue to refine their techniques, deploying reputable security solutions becomes paramount.
Tools like K7 Antivirus, backed by K7 Labs’ proactive detection at various infection stages, are essential to counter such sophisticated stealers and safeguard sensitive data against evolving cyber threats.
Indicators of Compromise (IOCs)
Name | Hash | Detection Name
---|---|---
1.vbs | CE4549607E46E656D8E019624D5036C1 | Trojan (0001140e1)
1.ps1 | 1119A977A925CA17B554DCED2CBABD85 | Trojan (0001140e1)
1.log | 64677CAE14A2EC4D393A81548417B61B | Trojan (0001140e1)