Unmasking Kimsuky's Latest Tactics: A Deep Dive into Malicious Scripts and Payloads
Summary:
A recent analysis by K7 Labs has uncovered a new campaign attributed to the North Korean APT group Kimsuky, also known as "Black Banshee." The analysis details the group's latest infection chain, which uses a malicious VBScript, a PowerShell script, and encoded text files to deliver and execute payloads. The initial indicators of compromise (IOCs) were shared via a tweet pointing to a ZIP archive, and the infection chain begins with that archive, which bundles the components. The VBScript is obfuscated: it assembles its strings at run time with the Chr and CLng functions (Chr returns the character for a numeric code, CLng coerces its argument to an integer), so the cleartext commands never appear in the file on disk. This hampers signature-based detection, which keys on literal strings; the resolved command exists only in memory while the script runs. At the end of its execution, the VBScript runs a command that likely launches the PowerShell script. The PowerShell script collects the system's BIOS serial number, uses it as a unique identifier when creating its working directory, and checks whether it is running inside a virtual machine, aborting if so to evade analysis. The script contains 11 functions covering data exfiltration, cryptocurrency information theft, and C2 communication, including uploading large files and extracting browser profile data such as cookies, login information, bookmarks, and web data. The "work" function handles execution of C2 commands. Another decoded text file, "2.log", reveals a keylogging script with clipboard monitoring and window-title logging capabilities.
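The Chr/CLng construction described above can be undone statically, because every argument is an integer expression that a parser can evaluate without running the script. The following Python deobfuscator is an added example written for this summary; it is not code from K7 Labs and does not process the actual sample. The obfuscated VBScript excerpt it works on is constructed in the same style, and the script path C:\Users\Public\1.ps1 and the powershell flags in it are hypothetical. Integer arithmetic is evaluated through an AST whitelist rather than eval(), since the expressions come from untrusted malware.

```python
import ast
import re

# Constructed VBScript excerpt in the Chr(CLng(...)) style described in the summary.
# It is NOT the K7 Labs sample; the .ps1 path and powershell flags are hypothetical.
SAMPLE_VBS = r'''Set sh = CreateObject(Chr(CLng(87)) & Chr(CLng(83)) & Chr(CLng(99)) & Chr(CLng(114)) & Chr(CLng(105)) & Chr(CLng(112)) & Chr(CLng(116)) & Chr(CLng(46)) & Chr(CLng(83)) & Chr(CLng(104)) & Chr(CLng(101)) & Chr(CLng(108)) & Chr(CLng(108)))
sh.Run Chr(CLng(60+52)) & Chr(CLng("&H6F")) & Chr(119) & Chr(CLng(101)) & Chr(CLng(114)) & Chr(CLng(115)) & Chr(CLng(104)) & Chr(CLng(101)) & Chr(CLng(108)) & Chr(CLng(108)) & " -w hidden -ep bypass -f " & Chr(CLng(34)) & "C:\Users\Public\1.ps1" & Chr(CLng(34)), 0, False
'''

# Chr(CLng(<expr>)) (group 1) or plain Chr(<expr>) (group 2); <expr> may not contain parentheses.
CHR_RE = re.compile(r'Chr\s*\(\s*(?:CLng\s*\(\s*([^()]*?)\s*\)|([^()]*?))\s*\)', re.IGNORECASE)
# "abc" & "def"  ->  "abcdef".  VBScript writes a literal quote inside a string as "".
CONCAT_RE = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')
LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')
HEX_RE = re.compile(r'&H([0-9A-Fa-f]+)')   # VBScript hex literal, e.g. &H6F


def eval_vb_int(expr: str) -> int:
    """Evaluate a small VBScript integer expression: decimal or &H hex literals,
    optionally quoted, combined with + - * and unary minus. Anything else raises."""
    expr = HEX_RE.sub(lambda m: str(int(m.group(1), 16)), expr).strip().strip('"')
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b}

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in ops:
            return ops[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")

    return walk(ast.parse(expr, mode="eval"))


def _replace_chr(m: re.Match) -> str:
    expr = m.group(1) if m.group(1) is not None else m.group(2)
    try:
        ch = chr(eval_vb_int(expr))
    except (ValueError, SyntaxError, OverflowError):
        return m.group(0)   # leave calls that depend on variables or unknown functions untouched
    return '"' + ch.replace('"', '""') + '"'


def deobfuscate(script: str) -> str:
    """Resolve every Chr()/Chr(CLng()) call to a quoted literal, then fold the & concatenations
    until nothing changes, so each assembled string appears as a single literal."""
    out = CHR_RE.sub(_replace_chr, script)
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if folded == out:
            return out
        out = folded


def string_literals(script: str) -> list:
    """Return the decoded string literals of a (deobfuscated) script, with "" unescaped to "."""
    return [lit.replace('""', '"') for lit in LITERAL_RE.findall(script)]


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_VBS)
    print(cleaned)
    for lit in string_literals(cleaned):
        print("literal:", lit)
```

On the constructed sample the two lines fold to `CreateObject("WScript.Shell")` and a `sh.Run "powershell -w hidden -ep bypass -f ""C:\Users\Public\1.ps1""", 0, False` call, which is the kind of launcher the summary says sits at the end of the VBScript; the recovered literals are what to feed into process-creation and script-block hunting.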
Security Officer Comments:
The latest findings from K7 Labs underscore Kimsuky's adaptability and its goal of establishing persistence, likely for further data exfiltration. The group's continued targeting of South Korea, Japan, and the US, coupled with its evolving technical sophistication, signifies the danger it poses. The use of obfuscated scripts and encoded payloads is a clear effort to bypass traditional, signature-based security measures, so behavioral analysis (of script execution, WMI queries, and outbound uploads, for example) and threat intelligence are needed to identify and mitigate these attacks. The malware's specific functionalities, such as collecting the BIOS serial number as a unique identifier for its staging directory and checking for a VMware environment to evade analysis, highlight a calculated approach. The focus on data exfiltration, cryptocurrency theft, and detailed browser data harvesting indicates the potential for significant financial gain and intelligence gathering, in line with the usual goals of the North Korean regime. The inclusion of a keylogger further emphasizes the group's intent to gain comprehensive access to compromised systems and monitor user activity. The "time consuming, interlinked multi component-based" techniques observed by K7 Labs suggest a well-resourced and methodical adversary, emphasizing its state-sponsored nature and the need for organizations to maintain proactive threat hunting capabilities to counter similarly sophisticated campaigns. The campaign highlights Kimsuky's continued use of complex, multi-stage techniques aimed at evading detection, likely geared toward reconnaissance of compromised hosts and their users, as evidenced by the campaign's system fingerprinting, browser-data harvesting, and keylogging components.
Suggested Corrections:
IOCs are available in the K7 Labs report linked below.
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://securityonline.info/unmasking-kimsukys-latest-tactics-a-deep-dive-into-malicious-scripts-and-payloads/
https://labs.k7computing.com/index.php/inside-kimsukys-latest-cyberattack-analyzing-malicious-scripts-and-payloads/