Kimsuky: A Gift That Keeps on Giving
Sept. 20, 2024, 12:06 p.m.
Description
This analysis details a multi-stage intrusion attributed to the North Korean-linked Kimsuky APT group. The attack begins with an LNK file that launches obfuscated VBS scripts. These scripts create scheduled tasks, modify registry keys for persistence, and establish communication with a command and control (C2) server. The malware employs several evasion techniques, including Base64 encoding and Caesar cipher obfuscation of its payloads. The apparent goal is to maintain long-term access to the victim's machine for espionage. The report also includes an anecdote from the analyst's brief interaction with the C2 server, which returned a single command after hours of waiting.
Date
Published: Sept. 20, 2024, 11:39 a.m.
Created: Sept. 20, 2024, 11:39 a.m.
Modified: Sept. 20, 2024, 12:06 p.m.
Indicators
41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
64.49.14.181
Attack Patterns (MITRE ATT&CK technique IDs)
Kimsuky
T1132.001
T1553.002
T1053.005
T1573.001
T1059.005
T1497.001
T1059.003
T1059.001
T1547.001
T1497
T1071.001
T1016
T1082
T1057
T1083
T1036
T1140
T1033
T1027
T1112