Kimsuky: A Gift That Keeps on Giving

Sept. 20, 2024, 12:06 p.m.

Description

This analysis details a sophisticated cyber attack attributed to the North Korean-linked Kimsuky APT group. The attack begins with an LNK file, leading to the execution of obfuscated VBS scripts. These scripts create scheduled tasks, modify registry keys for persistence, and establish communication with a command and control (C2) server. The malware employs various evasion techniques, including Base64 encoding and Caesar Cipher obfuscation. The ultimate goal appears to be maintaining long-term access to the victim's machine for espionage activities. The report also includes a personal anecdote of the analyst's brief interaction with the C2 server, receiving a single command after hours of waiting.

Date

Published: Sept. 20, 2024, 11:39 a.m.
Created: Sept. 20, 2024, 11:39 a.m.
Modified: Sept. 20, 2024, 12:06 p.m.

Indicators

41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229 (SHA-256 file hash)

64.49.14.181 (IPv4 address, C2 server)

Attack Patterns

Kimsuky

T1132.001

T1553.002

T1053.005

T1573.001

T1059.005

T1497.001

T1059.003

T1059.001

T1547.001

T1497

T1071.001

T1016

T1082

T1057

T1083

T1036

T1140

T1033

T1027

T1112