Cyber Security News

North Korean Kimsuky Hackers New Tactics & Malicious Scripts in Latest Attacks

A cyberattack campaign attributed to the North Korean Advanced Persistent Threat (APT) group Kimsuky has been observed using new tactics and malicious scripts.

The attack revolves around a ZIP file containing multiple components designed to steal sensitive information from targeted systems while maintaining stealth.

The attack chain begins with obfuscated scripts that eventually deploy a keylogger and cryptocurrency information stealer.

The attack’s initial payload consists of four files: a heavily obfuscated VBScript (1.vbs), a PowerShell script (1.ps1), and two encoded text files (1.log and 2.log) that contain the actual malware components.

Deobfuscated command to run “1.ps1” (Source – K7 Security Labs)

These files work in concert to establish persistence, evade detection, and exfiltrate sensitive information to a command-and-control server at “hxxp://srvdown[.]ddns.net/service3/”.

K7 Security Labs researchers found that the VBScript relies on the Chr() and CLng() functions to build its command at runtime: CLng() coerces quoted numbers and small arithmetic expressions to integers, and Chr() turns each integer into a single character, which the script concatenates into the command it eventually executes.

Because the command never appears as a readable string in the file, signature-based scanners that look for the plaintext command see only a sequence of numeric calls; the PowerShell component is handed off only after this runtime assembly.
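To make the obfuscation concrete, the following static deobfuscator is an added example written for this article, not K7's tooling and not the Kimsuky script. It resolves every Chr() / Chr(CLng()) call to its character without executing the script, then merges literals joined with &. SAMPLE_VBS is a constructed stand-in in the same style; the command it hides ("powershell -File 1.ps1") and the WScript.Shell launch are assumptions for the demonstration, not the campaign's actual command.

```python
import ast
import operator
import re

# Constructed sample in the style the article describes: the command string is
# assembled from Chr() calls (some wrapping CLng() around a quoted number or a
# small arithmetic expression) joined with VBScript's & operator. This is an
# illustration written for this page, not the Kimsuky 1.vbs itself.
SAMPLE_VBS = (
    'cmd = Chr(112) & Chr(CLng("111")) & Chr(CLng(119)) & Chr(50+51) '
    '& Chr(CLng("114")) & Chr(115) & Chr(104) & Chr(CLng(100+1)) '
    '& Chr(108) & Chr(108) & Chr(32) & Chr(45) & Chr(70) & Chr(105) '
    '& Chr(108) & Chr(101) & Chr(32) & Chr(49) & Chr(46) & Chr(112) '
    '& Chr(115) & Chr(49)\n'
    'CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) '
    '& Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) '
    '& Chr(108) & Chr(108)).Run cmd, 0, False\n'
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_int(expr: str) -> int:
    """Evaluate a small integer expression (digits, + - *, parentheses) without eval()."""
    expr = expr.strip()
    if expr.isdigit():                      # plain number, possibly with leading zeros
        return int(expr)

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def _find_call(text: str, name: str, start: int = 0):
    """Locate the first name(...) at or after start, honouring nested parentheses.
    Returns (begin, end, inner_text) or None. Parentheses inside string literals
    are not special-cased; keep that in mind on hand-crafted samples."""
    m = re.compile(rf"\b{name}\s*\(", re.I).search(text, start)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced parentheses in Chr() call")
    return m.start(), i, text[m.end():i - 1]


def _chr_value(inner: str) -> str:
    """Resolve the argument of Chr(): unwrap CLng(), drop quotes, evaluate arithmetic."""
    inner = inner.strip()
    m = re.fullmatch(r"CLng\s*\((.*)\)", inner, re.I | re.S)
    if m:
        inner = m.group(1).strip()
    return chr(_eval_int(inner.strip('"')))


def _merge_literals(text: str) -> str:
    """Collapse "a" & "b" & "c" into "abc" (VBScript escapes a quote as "")."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] != '"':
            out.append(text[i])
            i += 1
            continue
        parts = []
        while True:
            j = i + 1
            while j < n:                         # find the closing, unescaped quote
                if text[j] == '"':
                    if j + 1 < n and text[j + 1] == '"':
                        j += 2
                        continue
                    break
                j += 1
            parts.append(text[i + 1:j])
            i = j + 1
            m = re.match(r'\s*&\s*"', text[i:])  # another literal joined with &?
            if not m:
                break
            i += m.end() - 1                     # move to its opening quote
        out.append('"' + "".join(parts) + '"')
    return "".join(out)


def deobfuscate(vbs: str) -> str:
    """Replace every Chr()/Chr(CLng()) call with a quoted literal, then merge the pieces."""
    out, pos = [], 0
    while (hit := _find_call(vbs, "Chr", pos)):
        begin, end, inner = hit
        out.append(vbs[pos:begin])
        out.append('"' + _chr_value(inner).replace('"', '""') + '"')
        pos = end
    out.append(vbs[pos:])
    return _merge_literals("".join(out))
```

Calling deobfuscate(SAMPLE_VBS) returns the two readable lines, the hidden command assignment and the WScript.Shell launch. The point of doing this statically rather than in a sandbox is that the sample's own VMware check (below) never gets a chance to run; real samples that also use string-reversal, Replace(), or Execute() need those handled the same way, one construct at a time.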

Malware execution

Upon execution, the malware collects the BIOS serial number of the compromised system and creates a dedicated directory within the system’s temp folder.

The malware also checks whether it is running in a VMware environment; if so, it deletes its own dropped components and terminates, a straightforward sandbox-evasion step that leaves an analyst with nothing on disk to examine.

```powershell
# Anti-analysis check from the PowerShell stage. $id is not defined in the
# excerpt; it is assumed to hold the identifier collected in the previous step
# (on VMware guests the BIOS serial number begins with "VMware-").
if($id -like "*VMware*") {
    # Remove the dropped components so nothing remains for the analyst
    Remove-Item -Path "$localPath\pipe\2.log" -Force
    Remove-Item -Path "$localPath\pipe\1.ps1" -Force
    Remove-Item -Path "$localPath\pipe\1.log" -Force
    Remove-Item -Path "$localPath\pipe\l.vbs" -Force
    Exit
}
```

The PowerShell stage is organised into separate functions, each responsible for one part of the collection and exfiltration work.

The malware targets browser data from Edge, Firefox, Chrome, and Naver Whale, specifically hunting for cryptocurrency wallets.

It establishes persistence through a scheduled task and continuously monitors keystrokes and clipboard content to capture sensitive information such as passwords and cryptocurrency keys.

The keylogger component captures special keys and window titles, providing attackers with contextual information about the victim’s activities.

All collected data is periodically exfiltrated to the attacker’s server, allowing the Kimsuky operators to maintain surveillance over their targets while stealing valuable credentials and cryptocurrency assets.
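The behaviours described above (a script host launching PowerShell from the temp folder, a scheduled task for persistence, and DNS resolution of the published C2 host) are the observable points a defender can hunt on. The following is an added example written for this article, not K7's detection content: four rules run over constructed, Sysmon-style JSON events. The event schema, the file paths, the task name "SampleTask", and the schtasks.exe command line are assumptions made for the demonstration; only the C2 host comes from the article, and it is kept defanged exactly as published and refanged in code.

```python
import json
import re
from urllib.parse import urlparse

# The C2 indicator exactly as the article prints it (defanged).
C2_DEFANGED = "hxxp://srvdown[.]ddns.net/service3/"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable URL."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", ioc, flags=re.I)


def c2_host(ioc: str = C2_DEFANGED) -> str:
    return urlparse(refang(ioc)).hostname.lower()


# Constructed endpoint telemetry (Sysmon-style process creations and DNS queries)
# written for this example; none of it is real data from the campaign.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\wscript.exe", "command_line": "wscript.exe C:\\Users\\victim\\AppData\\Local\\Temp\\1.vbs"}
{"id": 2, "type": "process_create", "parent_image": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\Users\\victim\\AppData\\Local\\Temp\\1.ps1"}
{"id": 3, "type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"id": 4, "type": "process_create", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "command_line": "schtasks.exe /create /tn SampleTask /sc minute /mo 5 /tr \"powershell.exe -File C:\\Users\\victim\\AppData\\Local\\Temp\\1.ps1\""}
{"id": 5, "type": "dns_query", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "query": "srvdown.ddns.net"}
{"id": 6, "type": "dns_query", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "query": "www.example.com"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_PATH = re.compile(r"\\(?:temp|tmp)\\", re.I)


def _exe(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def scripthost_runs_vbs_from_temp(ev: dict) -> bool:
    """Initial stage: wscript/cscript executing a .vbs out of a temp directory."""
    cl = ev.get("command_line", "")
    return (ev.get("type") == "process_create"
            and _exe(ev.get("image", "")) in SCRIPT_HOSTS
            and bool(TEMP_PATH.search(cl))
            and re.search(r"\.vbs\b", cl, re.I) is not None)


def scripthost_spawns_powershell(ev: dict) -> bool:
    """Hand-off: a script host launching PowerShell with a script under a temp directory."""
    return (ev.get("type") == "process_create"
            and _exe(ev.get("parent_image", "")) in SCRIPT_HOSTS
            and _exe(ev.get("image", "")) == "powershell.exe"
            and bool(TEMP_PATH.search(ev.get("command_line", ""))))


def powershell_creates_scheduled_task(ev: dict) -> bool:
    """Persistence: PowerShell registering a task through schtasks.exe /create."""
    return (ev.get("type") == "process_create"
            and _exe(ev.get("parent_image", "")) == "powershell.exe"
            and _exe(ev.get("image", "")) == "schtasks.exe"
            and "/create" in ev.get("command_line", "").lower())


def c2_lookup(ev: dict, host: str = None) -> bool:
    """Exfiltration: any process resolving the published C2 host."""
    host = host or c2_host()
    return ev.get("type") == "dns_query" and ev.get("query", "").lower().rstrip(".") == host


RULES = [scripthost_runs_vbs_from_temp, scripthost_spawns_powershell,
         powershell_creates_scheduled_task, c2_lookup]


def hunt(jsonl: str) -> list:
    """Run every rule over each JSON-lines event; return (rule name, event id) hits in order."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hits.extend((rule.__name__, ev["id"]) for rule in RULES if rule(ev))
    return hits
```

hunt(SAMPLE_EVENTS) flags events 1, 2, 4 and 5 and leaves the benign PowerShell run and the Chrome lookup alone. The first three rules are behavioural and survive a change of C2; the host match is the only rule tied to this campaign's infrastructure, and a dynamic DNS name like this one should be treated as a short-lived indicator. PowerShell that registers the task with Register-ScheduledTask instead of schtasks.exe would not spawn a child process, so a production deployment would pair the third rule with script-block logging (Event ID 4104).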


Tushar Subhra Dutta

