Kimsuky targets organizations with PebbleDash-based tools

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – Initial access was achieved by sending malicious attachments disguised as documents (‘delivering spear-phishing emails containing malicious attachments disguised as documents’).
• [T1598 ] Phishing for Information – Targets were also contacted via messengers to lure them into opening malicious content (‘they also contact targets via messengers in some cases’).
• [T1059.007 ] JavaScript – JSE droppers were used to decode and launch embedded payloads (‘JSE droppers contain a minimum of two Base64-encoded blobs’).
• [T1027 ] Obfuscated Files or Information – Droppers hid payloads with Base64, XOR, dummy data, and encrypted strings (‘fully obfuscated using dummy data and encrypted strings’).
• [T1204.002 ] Malicious File – Malicious attachments were crafted to look like legitimate documents, installers, and photos (‘disguised as documents’, ‘product quotations, job offers, information guides’).
• [T1059.001 ] PowerShell – PowerShell was used to decode content and gather system details (‘powershell.exe -windowstyle hidden certutil -decode’).
• [T1140 ] Deobfuscate/Decode Files or Information – Base64, RC4, ChaCha20, and XOR were used to decode or decrypt payloads (‘Base64-decoded and then decrypted using RC4’).
• [T1105 ] Ingress Tool Transfer – Payloads and tools such as VSCode CLI and DWAgent were downloaded from remote servers (‘downloads a legitimate Visual Studio Code (VSCode) CLI onto the infected device’).
• [T1053.005 ] Scheduled Task – MemLoad created scheduled tasks for persistence (‘schtasks /create /tn /tr “regsvr32 /s “‘).
• [T1547.001 ] Registry Run Keys / Startup Folder – Persistence was established by adding values under Run keys (‘registering itself to the HKCUSoftwareMicrosoftWindowsCurrentVersionRun key’).
• [T1543.003 ] Windows Service – httpMalice created a service named CacheDB for persistence (‘creating a service named CacheDB’).
• [T1218.010 ] Regsvr32 – Multiple droppers and implants executed code through regsvr32 (‘execute the malware using regsvr32.exe’).
• [T1059.003 ] Windows Command Shell – Commands were executed through cmd.exe with redirected output (‘execute the provided command using chcp 65001 > nul & cmd /U /C [command]’).
• [T1106 ] Native API – httpMalice and other implants used Windows-native behaviors and services to run commands and manage persistence (‘If elevated, a service named CacheDB is created’).
• [T1021.005 ] Remote Services: VNC – VSCode tunneling and DWAgent enabled remote interactive access to infected hosts (‘establish covert remote access to the victim’s device’).
• [T1090 ] Proxy – Cloudflare Quick Tunnels, VSCode Tunneling, and Ngrok were used to conceal infrastructure (‘actively leverage tunneling services’).
• [T1071.001 ] Web Protocols – C2 traffic used HTTP/HTTPS and POST requests (‘communicates with the C2 server over the HTTP protocol’).
• [T1005 ] Data from Local System – AppleSeed collected documents, screenshots, keystrokes, and USB drive lists (‘gathers sensitive information such as documents, screenshots, keystrokes’).
• [T1057 ] Process Discovery – The malware collected process and execution context details such as current directory and privilege level (‘gathers critical information from the compromised system’).
• [T1082 ] System Information Discovery – Host profiling included MAC address, computer name, volume serial number, IP address, and token status (‘collecting device information, such as the MAC address, computer name’).
• [T1113 ] Screen Capture – httpMalice captured screenshots and sent them to C2 (‘Capture the screen’).
• [T1041 ] Exfiltration Over C2 Channel – Stolen data and screenshots were sent back through the command channel (‘Send the captured screenshot’).
• [T1102.001 ] Web Service: Web Service – VSCode tunnel URLs were sent to external services and Slack webhooks (‘sent to a Slack channel via a WebHook’).