A sophisticated cyberattack campaign attributed to the North Korean Advanced Persistent Threat (APT) group Kimsuky has been observed utilizing new tactics and malicious scripts.
The attack revolves around a ZIP file containing multiple components designed to steal sensitive information from targeted systems while maintaining stealth.
The attack chain begins with obfuscated scripts that eventually deploy a keylogger and cryptocurrency information stealer.
The attack’s initial payload consists of four files: a heavily obfuscated VBScript (1.vbs), a PowerShell script (1.ps1), and two encoded text files (1.log and 2.log) that contain the actual malware components.
These files work in concert to establish persistence, evade detection, and exfiltrate sensitive information to a command-and-control server at “hxxp://srvdown[.]ddns.net/service3/” (defanged; do not resolve or browse to it from an analysis host that is not meant to touch the internet).
K7 Security Labs researchers identified that the VBScript is obfuscated by building its strings one character at a time: chr() is applied to numeric values computed with CLng(), so the commands it eventually runs never appear literally in the file.
Because the command text exists only at run time, signatures keyed on those strings do not fire on the file itself; the script uses this cover to stage and launch the PowerShell component.
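An analyst's first job with a script like this is to recover the strings without running it. The Python below is an added example, not code from the K7 write-up or from the Kimsuky sample: it folds every chr(CLng(...)) into its literal character and then merges the resulting "a" & "b" chains. The VBScript it operates on is constructed to mirror the technique described above; the command line it assembles, the arithmetic used to hide some character codes, and the assumption that the inner CLng() expressions contain no nested parentheses are all choices made for the demo.

```python
import ast
import re

# Constructed sample in the style the article describes (chr() of CLng() values
# assembled with &). It is NOT the Kimsuky 1.vbs; the command line it builds and
# the arithmetic used to hide some character codes are assumptions for the demo.
SAMPLE_VBS = r'''
Dim cmd, sh
cmd = chr(CLng(112)) & chr(CLng(111)) & chr(CLng(119)) & chr(CLng(101)) & chr(CLng(114)) & chr(CLng(115)) & chr(CLng(104)) & chr(CLng(101)) & chr(CLng(108)) & chr(CLng(108)) & " -ep bypass -f " & Chr(CLng("&H31")) & chr(CLng(46)) & chr(CLng(50*2+12)) & chr(CLng(115)) & chr(CLng(49))
Set sh = CreateObject("WScript.Shell")
sh.Run cmd, 0, False
'''

# chr(CLng(<expr>)) where <expr> holds no nested parentheses (a limitation of this demo)
_CHR_CLNG = re.compile(r'chr\s*\(\s*CLng\s*\(\s*([^()]+?)\s*\)\s*\)', re.IGNORECASE)
# two adjacent VBScript string literals joined by &  ("" inside a literal is an escaped quote)
_CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')
_VB_STRING = re.compile(r'"((?:[^"]|"")*)"')


def eval_vb_int(expr: str) -> int:
    """Evaluate a VBScript integer expression (decimal, &H hex, + - *) without eval()-ing arbitrary code."""
    src = expr.strip()
    if len(src) >= 2 and src[0] == src[-1] == '"':   # CLng("&H31") style
        src = src[1:-1]
    src = re.sub(r'&H([0-9A-Fa-f]+)', r'0x\1', src)  # VBScript hex -> Python hex
    tree = ast.parse(src, mode="eval")
    # Whitelist the AST: only integer constants and + - * (unary minus allowed)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Expression, ast.BinOp, ast.UnaryOp,
                             ast.Add, ast.Sub, ast.Mult, ast.USub)):
            continue
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            continue
        raise ValueError(f"unsupported construct in {expr!r}")
    return int(eval(compile(tree, "<vb>", "eval"), {"__builtins__": {}}, {}))


def _vb_literal(ch: str) -> str:
    """Wrap one character as a VBScript string literal, escaping a double quote as ""."""
    return '"' + ('""' if ch == '"' else ch) + '"'


def decode_chr_clng(script: str) -> str:
    """Replace every chr(CLng(...)) with its literal, then fold literal & literal chains."""
    out = _CHR_CLNG.sub(lambda m: _vb_literal(chr(eval_vb_int(m.group(1)))), script)
    while True:  # each pass merges one pair per chain; loop until nothing changes
        merged = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if merged == out:
            return out
        out = merged


def recovered_strings(script: str) -> list:
    """All string literals present after decoding, unescaped, in order of appearance."""
    return [s.replace('""', '"') for s in _VB_STRING.findall(decode_chr_clng(script))]


if __name__ == "__main__":
    print(decode_chr_clng(SAMPLE_VBS))
    for s in recovered_strings(SAMPLE_VBS):
        print("string:", s)
```

The whitelisted AST is the important design choice: the temptation when deobfuscating is to paste the arithmetic into eval(), which hands a malicious script a Python interpreter. Here anything other than integer literals and + - * raises before any evaluation happens.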
Malware execution
Upon execution, the PowerShell component reads the BIOS serial number of the compromised system and creates a dedicated working directory for the dropped files under the system’s temp folder.
Before doing anything else it checks whether the identifier it collected ($id in the snippet below) contains the string “VMware”. If it does, the script deletes all four dropped components and exits, a basic anti-analysis measure aimed at VMware-based sandboxes and analyst VMs. Note that the snippet refers to the VBScript as l.vbs (lowercase L) while the dropper names it 1.vbs:
```powershell
# Anti-VM check from the Kimsuky PowerShell component (1.ps1).
# $id holds the identifier collected earlier; $localPath is the working directory under %TEMP%.
if($id -like "*VMware*") {
    # Remove the dropped components so nothing is left for the sandbox to collect, then quit.
    Remove-Item -Path "$localPath\pipe\2.log" -Force
    Remove-Item -Path "$localPath\pipe\1.ps1" -Force
    Remove-Item -Path "$localPath\pipe\1.log" -Force
    Remove-Item -Path "$localPath\pipe\l.vbs" -Force
    Exit
}
```
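The practical consequence for analysis is that a VMware sandbox sees the sample delete itself and stop, and a dynamic-analysis report then describes nothing but the self-deletion. One way around that is to patch the check out before detonation. The Python below is an added example, not code from the article or from the malware: it locates if-blocks whose condition matches a hypervisor string with -like, reports what the block does (which dropped files it removes and whether it exits), and rewrites the condition to $false so the body remains readable but never runs. The PowerShell fragment it operates on is constructed; how the real 1.ps1 obtains $id and builds $localPath is not shown in the article, so the first two lines of the fragment are assumptions. The hypervisor strings other than VMware in the pattern are likewise added for generality, not taken from the sample.

```python
import re

# Constructed PowerShell fragment mirroring the anti-VM check quoted above. The first
# two lines (how $id and $localPath are obtained) are assumptions for this demo.
SAMPLE_PS1 = r'''
$id = (Get-WmiObject -Class Win32_BIOS).SerialNumber
$localPath = Join-Path $env:TEMP $id
if($id -like "*VMware*") {
Remove-Item -Path "$localPath\pipe\2.log" -Force
Remove-Item -Path "$localPath\pipe\1.ps1" -Force
Remove-Item -Path "$localPath\pipe\1.log" -Force
Remove-Item -Path "$localPath\pipe\l.vbs" -Force
Exit
}
Write-Output "sandbox check passed, continuing"
'''

# if (<condition containing -like "*<hypervisor>*">) {
# VMware is what the sample checks; the other names are added here for generality.
_ANTI_VM_IF = re.compile(
    r'\bif\s*\((?P<cond>[^{}]*?-like\s*"\*(?:VMware|VirtualBox|VBOX|QEMU|Xen)\*"[^{}]*?)\)\s*\{',
    re.IGNORECASE)
# Remove-Item -Path "<dir>\<file>"  -> capture just the file name
_REMOVE_ITEM = re.compile(r'Remove-Item\s+-Path\s+"[^"]*\\([^"\\]+)"', re.IGNORECASE)
_EXIT = re.compile(r'^\s*Exit\b', re.IGNORECASE | re.MULTILINE)


def _block_end(text: str, open_idx: int) -> int:
    """Index of the } matching the { at open_idx; braces inside quoted strings are skipped."""
    depth, quote = 0, None
    for i in range(open_idx, len(text)):
        c = text[i]
        if quote:
            if c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def find_anti_vm_blocks(script: str) -> list:
    """Locate hypervisor-string checks and summarize what each guarded block does."""
    blocks = []
    for m in _ANTI_VM_IF.finditer(script):
        open_idx = m.end() - 1                     # position of the opening {
        close_idx = _block_end(script, open_idx)
        body = script[open_idx + 1:close_idx]
        blocks.append({
            "cond_span": m.span("cond"),
            "condition": m.group("cond").strip(),
            "deletes": _REMOVE_ITEM.findall(body),  # files the block removes
            "exits": bool(_EXIT.search(body)),      # does the block stop the script?
        })
    return blocks


def neutralize_anti_vm(script: str) -> str:
    """Rewrite each anti-VM condition to $false so the body stays visible but never runs."""
    out = script
    # Patch from the end backwards so earlier spans stay valid after each replacement.
    for blk in sorted(find_anti_vm_blocks(script), key=lambda b: b["cond_span"][0], reverse=True):
        start, end = blk["cond_span"]
        out = out[:start] + "$false <# anti-VM check disabled for analysis #>" + out[end:]
    return out


if __name__ == "__main__":
    for blk in find_anti_vm_blocks(SAMPLE_PS1):
        print("condition:", blk["condition"], "| deletes:", blk["deletes"], "| exits:", blk["exits"])
    print(neutralize_anti_vm(SAMPLE_PS1))
```

Rewriting the condition rather than deleting the block keeps the self-deletion logic in the file as evidence, and the summary it returns is the quick check that the guarded code really is only cleanup-and-exit rather than an alternate execution path worth following.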
The rest of the PowerShell component is organized into several dedicated functions, each responsible for one part of the collection.
It harvests browser data from Edge, Firefox, Chrome, and Naver Whale, looking in particular for cryptocurrency wallet artifacts.
Persistence is established through a scheduled task, and a keylogger continuously records keystrokes and clipboard contents to capture passwords and cryptocurrency keys.
The keylogger component captures special keys and window titles, providing attackers with contextual information about the victim’s activities.
All collected data is periodically exfiltrated to the attacker’s server, allowing the Kimsuky operators to maintain surveillance over their targets while stealing valuable credentials and cryptocurrency assets.