Kimsuky Hackers Attacking Organizations Using Weaponized EXE & DOCX Files

Hackers often use EXE and DOCX file formats is due to they are among the most commonly used types of files that can be easily disguised as legitimate.

EXE files can be used to deliver various forms of malware, such as ransomware and Trojans, which give attackers full control over the system they have hacked.

EHA

On the other hand, the DOCX File format is commonly used by attackers when delivering malicious macros that take advantage of vulnerabilities existing in Microsoft Office software.

The two file types are often used to entice users into opening them, allowing malware to infiltrate their systems.

Cybersecurity researchers at JPCert recently discovered that Kimsuky hackers have been attacking organizations using EXE and DOCX files.

Kimsuky Hackers Attacking Organizations

The Kimsuky group hackers targeted Japanese organizations in a campaign identified by JPCERT/CC in March 2024.

The attackers used zip file attachments of double extension files disguised as communications from security and diplomatic entities through phishing emails.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

These files, which had been renamed using lots of spaces to hide their actual extensions, would infect a victim’s computer if the person opened the main EXE file.

Here below, we have mentioned the files with their formats, but all the file names were omitted:-

  • [omitted].docx[a large number of spaces].exe
  • [omitted].docx[a large number of spaces].docx
  • [omitted].docx[a large number of spaces].docx

This sophisticated approach highlights how threat actors are progressively using new techniques to infiltrate organizational networks and overcome security measures.

Flow after the EXE file is executed (Source – JPCert)

When this malicious EXE file is executed, it takes effect and starts a cyclical infection. It downloads and then runs a VBS file that fetches and then runs an externally done PowerShell script.

The same VBS file also causes the persistence by configuring the registry Run key in order to make the hidden file to run automatically each time on system startup.

Using various scripting languages, the threat actors use this advanced method to maintain their hold on the exploited system through system manipulation.

The downloaded PowerShell script collects system data, process lists, network details, specific user folder contents, and account information.

This collected data is sent to a predefined URL to determine if the execution environment is a sandbox or analysis system.

Then, the script creates another VBS file in a public directory and runs it, which downloads more PowerShell code and calls an InfoKey function with certain parameters.

By doing so, the attacker attempts to avoid detection and ensure that the threat actor remains on the affected computer for an extensive period.

The attack chain incorporates an EXE file that downloads and then runs VBS or PowerShell scripts, followed by a keylogger.

This kind of keylogger records all keystrokes and clipboard data before sending them to remote servers and storing them locally.

The group’s changing strategies, such as CHM format malware, indicate the increasing importance of countering advanced persistent threats (APTs).

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.