Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics

Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics

Contents

  • Introduction
  • Infection Chain
  • Initial Findings
  • Campaign 1
    • Looking into PDF document.
  • Campaign 2
    • Looking into PDF document.
  • Technical Analysis
    • Campaign 1 & 2
  • Conclusion
  • Seqrite Protection
  • MITRE ATT&CK
  • IOCs

Introduction:

Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.

In this blog, we will delve into the technical details of the campaigns uncovered during our analysis. We will examine the various stages of infection, starting with a phishing email containing an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script, After de-obfuscating the script, we found that it was responsible for dropping two additional files: One Pdf file and One ZIP file The ZIP file contained four malicious files: two log files (1.log and 2.log), one VBA script (1.vba), and one PowerShell script (1.ps1). Both campaigns involved the same set of malicious files.

Infection Chain:

Fig .1 infection chain

Initial Findings:

Campaign-1:

In the first campaign, we identified a document related to tax reduction and tax payment related to revenue, which contained the same malicious LNK attachment. This attachment subsequently deployed a malicious VBScript, facilitating further compromise.

 

Fig .2 Revanue.pdf file

 

Based on our initial findings, we discovered that the adversary utilized a different document containing the same LNK file content.

Campaign-2:

In campaign-2, it has come to our attention that South Korea has enacted a new policy aimed at preventing recidivism among sex offenders. The initiative involves circulating a detailed document outlining the regulations, which was shared with households, daycare centers, kindergartens, and various local administrative offices, including township and village authorities, as well as neighbourhood community centres. However, hackers, including cyber-criminals, are exploiting this dissemination process by sending deceptive emails containing harmful attachments. These emails are targeting residential recipients and key personnel at local offices.

 

Fig .3 Sex Offender Personal Information Notification.pdf

 

The adversaries have exploited the distribution of this information and document by circulating it via email, disguised under the filename 성범죄자 신상정보 고지.pdf.lnk (Sex Offender Personal Information Notification.pdf.lnk). This attachment contains a malicious LNK file, which poses a cybersecurity threat to the recipients.

 

Technical Analysis and Methodology:

Campaign 1 & 2:

We have downloaded the file named 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1.lnk from campaign-1 and “성범죄자 신상정보 고지.pdf.lnk” from campaign-2 (Sex Offender Personal Information Notification.pdf.lnk) that was shared via email. During the analysis of this LNK file, it appears to be fetching additional files from an external C2 server, as shown in the snapshot below.

Fig.4 Downloading VBScript from C2 (Campaign –1)

 

Fig .5 Downloading VBScript From C2 (Campaign -2)

The file was downloaded from the URL provided above and saved into the Temp folder, as indicated below.

Fig .6 downloaded into Temp Folder (Campaign-1)

 

Fig .7 downloaded into Temp Folder (Campaign-2)

The file downloaded from the C2 server appears to be an obfuscated VBScript. Upon DE obfuscating the script, we discovered two additional files: one PDF and one ZIP file.

Fig .8 Obfuscated VB Script

The first section of the file is encoded in Base64 strings.

Fig .9 Base64 Encoded PDF

After Decoding we have found one PDF file.

 

Fig .10 PDF after Decoding

 

The second part of the VBScript is also encoded in Base64. After decoding it, we discovered a ZIP file.

Fig .11 Zip File

 

Fig. 12 Detect It Easy

Zip files contain the below numbers of files in it.

Fig .13 Inside Zip File

Within the ZIP archive, four files were identified: a VBScript, a PowerShell script, and two Base64-encoded text files. These encoded text files house obfuscated data, which, upon further dissection, may yield critical intelligence regarding the malware’s functionality and objectives. The following figures illustrate the encoded content of the two text files, which will be subsequently decoded and analysed to elucidate the next phase in the attack chain.

Fig. 14- 1 Log.txt file with Base64 encoding

 

Fig.15 – 2 Log .txt file with Base64 encoding

The 1.vbs file employs advanced obfuscation techniques, utilizing the chr() and CLng() functions to dynamically construct characters and invoke commands at runtime. This strategy effectively circumvents signature-based detection mechanisms, allowing the script to evade detection during execution.

Upon script termination, the concatenated characters form a complete command, which is subsequently executed. This command is likely designed to invoke the 1.ps1 PowerShell script, passing 1.log as an argument for further processing.

Fig .16 – 1.vbs

Upon attempting to DE-obfuscate the VBScript, we uncovered the following command-line execution, which subsequently triggers the PowerShell script for further processing.

Fig .17  De-Obfuscated VB Script

Upon executing the 1.vbs file, it triggered the invocation of the 1.ps1 file, as illustrated in the snapshot below.

Fig .18 Executing 1.VBS

The 1.ps1 script includes a function designed to decode Base64-encoded data from the 1.log file and execute the resulting script.

Fig.19 – 1.ps1 file

 

Fig.20 – 1 Log.txt after decoding

The 1.ps1 script retrieves the BIOS serial number, a unique system identifier, from the compromised host. This serial number is subsequently used to create a dedicated directory within the system’s temporary folder, ensuring that attack-related files are stored in a location specific to the compromised machine, as shown in above snapshot.

As a VM-aware sample, the script checks if it is executing within a virtual machine environment. If it detects a virtual machine, it will delete all four files associated with the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the directory named after the serial number), effectively halting its execution, as illustrated.

The script encompasses 11 functions that define the subsequent phases of the malware’s operation, which include data exfiltration, cryptocurrency wallet information theft, and the establishment of Command-and-Control (C2) communications. These functions are integral to the attack’s execution, facilitating the malware’s objectives and ensuring persistent communication with the threat actor.

List of malicious function retrieved from 1 log file:

  1. UploadFile ():

The upload function exfiltrates data by transmitting it to the server in 1MB chunks, allowing it to handle large file sizes efficiently. The script awaits a response from the server, and if it receives an HTTP status code of “200,” it proceeds with further execution. If the response differs, the script terminates its operation. Each chunk is sent via an HTTP POST request, with the function verifying the success of each upload iteration before continuing.

Fig .21 UploadFile()

 

  1. GetExWFile ():

The GetExWFile function iterates through a set of predefined hash tables containing cryptocurrency wallet extensions. When a match is found, it identifies the associated”.ldb” and ”.log” files linked to those extensions for exfiltration. These files are subsequently transferred to the specified destination folder, as indicated by the $Storepath variable.

Fig.22 GetExWFile ()
  1. GetBrowserData ():

The script checks whether any of the following browsers—Edge, Firefox, Chrome, or Naver Whale—are actively running, to extract user profile data, including cookies, login credentials, bookmarks, and web data. Prior to collecting this information, the script terminates the browser processes to ensure uninterrupted access. It then proceeds to retrieve data on installed extensions and cache files, such as webcacheV01.dat, for each identified browser. For certain browsers, it also performs decryption operations to unlock encrypted keys, allowing it to extract sensitive information, which is then stored alongside the decrypted master encryption key.

Fig.23 BrowserData ()
  1. Download file () :

The download file function downloads any file based on the C2 command.

Fig.24 Download File ()
  1. RegisterTask () :

It creates persistence for the files “1.log” and “1.vbs”.

Fig.25 RegisterTask()
  1. Send ():

The send () function uploads all the collected information to the server after compressing the data into a ZIP file named “init.zip”. It then renames the ZIP file to “init.dat” and deletes all backup files from the system after uploading.

Fig.26 Send ()

The execution flow of the functions follows a sequence where several actions are carried out within the attack. Among these functions, one triggers another PowerShell command that calls the 2.log file, which is responsible for performing keylogging activities.

 

Fig. 27 Flow of execution of functions and command to execute “2.log”.
Fig.28 Executing 2 log file

 

Fig.29 Inside 2 log file

 

The decoded content of the 2.log file is shown above. It contains a script that imports essential Windows API functions for detecting key presses, retrieving window titles, and managing keyboard states. The script executes actions such as clipboard monitoring, keystroke logging, and recording window titles.

Fig. 30.2 Code for clipboard monitoring.

Conclusion

As observed, threat actors are utilizing time-consuming, multi-component techniques that are interlinked to enhance their evasiveness. Unlike other stealers, this one primarily focuses on network-related information, which could be leveraged for active reconnaissance. Given that the stealer targets sensitive user data, it is crucial to protect yourself with a reputable security solution such as Seqrite Antivirus in today’s digital landscape. At Seqrite Lab, we provide detection capabilities for such stealers at various stages of infection, along with protection against the latest threats.

Seqrite Protection:

  • Trojan.49424.SL
  • Trojan.49422.C

 

MITRE ATT&CK:

Initial Access T1566.001 Phishing: Spearphishing Attachment
Execution T1059.001

 

T1059.005

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Visual Basic

Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Discovery T1082 System Information Discovery
Collection T1056.001 Input Capture: Keylogging
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Exfiltration T1041 Exfiltration Over C2 Channel

IoCs:

MD5  File Name
1119A977A925CA17B554DCED2CBABD8  *.lnk
64677CAE14A2EC4D393A81548417B61B  1.log
F0F63808E17994E91FD397E3A54A80CB  2.log
A3353EA094F45915408065D03AE157C4  prevenue.hta
CE4549607E46E656D8E019624D5036C1  1.vbs
1B90EFF0B4F54DA72B19195489C3AF6C  *.lnk
1D64508B384E928046887DD9CB32C2AC 성범죄자 신상정보 고지.pdf.lnk

C2

  • hxxps[:]//cdn[.]glitch[.]global/
  • hxxp[:]//srvdown[.]ddns.net

 

 

 

 

 

 

 

 

 

 

The post Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.