The Kimsuky group conducted a phishing attack disguised as a paper review request, delivering a password-protected HWP document containing malicious OLE objects that executed multiple payload files and registered scheduled tasks. The attack combined PowerShell scripts, scheduled execution, and manipulation of the AnyDesk remote access software to maintain persistence and evade detection. #Kimsuky #AnyDesk #ASEC
Keypoints
- The phishing email impersonated a professor’s paper review request and included a password-protected HWP file with a malicious OLE object.
- Opening the document generated six malicious files in the %TEMP% folder, including executables, PowerShell scripts, configuration files, and a batch script.
- The batch file “peice.bat” orchestrated copying and renaming files, scheduled task registration, and executed scripts to maintain persistence.
- PowerShell script “template.ps1” collected system process and antivirus details and communicated them to the attacker via Dropbox.
- The attackers downloaded additional payloads and replaced AnyDesk configuration files to stealthily control the victim’s system remotely.
- The PowerShell script hid the AnyDesk tray icon and window to conceal ongoing remote sessions from the user.
- The attack reflects a trend of APT actors using legitimate software and cloud services for command and control infrastructures.
MITRE Techniques
- [T1204] User Execution – The victim was tricked into opening a password-protected HWP document via a phishing email disguised as a paper review request (‘email prompted the recipient to open an HWP document file with a malicious OLE object’).
- [T1059.001] PowerShell – Used to execute scripts that collect system information and download additional malware (‘“template.ps1” collects the process list and installed antivirus information’).
- [T1053.005] Scheduled Task/Job – Malicious XML scheduler files executed payloads at regular intervals (‘sch_0514.db is a scheduler XML file that executes get.db twice every 12 minutes’).
- [T1105] Ingress Tool Transfer – Additional malicious files were downloaded from remote servers using “curl” commands in batch scripts (‘download 6 files named “myapp, mnfst, attach, sch_0, vpost, bimage” from C2 using curl’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – PowerShell scripts hid AnyDesk tray icon and window to prevent user detection (‘the script hides the AnyDesk tray icon and window to prevent the user from noticing it’).
- [T1219] Remote Access Software – Abuse of legitimate AnyDesk software to maintain remote access and control (‘the script executes the legitimate AnyDesk executable “default_an.exe”’).
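As an added defender-side example (not code from the ASEC report), a check of the kind the T1053.005 entry above calls for: it parses a constructed Task Scheduler XML modelled on the described sch_0514.db behaviour (a non-executable “.db” file in %TEMP% launched every 12 minutes) and returns the traits that make it look like dropper persistence. The XML body, file names and thresholds are assumptions, not values from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample modelled on the report's description (a scheduler XML that
# runs a ".db" payload dropped in %TEMP% every 12 minutes); the real content of
# sch_0514.db is not on the page, so this XML is an assumption.
SAMPLE_TASK_XML = """<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT12M</Interval></Repetition>
    <StartBoundary>2024-05-14T09:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>cmd.exe</Command>
    <Arguments>/c "%TEMP%\\get.db"</Arguments>
  </Exec></Actions>
</Task>"""

TEMP_PATH = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROXY_BINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
              "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
NON_EXEC_EXT = re.compile(r"\.(db|txt|dat|log|tmp)\b", re.IGNORECASE)
MAX_BENIGN_INTERVAL_MIN = 15  # assumed threshold: shorter repeats look like beaconing

def interval_minutes(iso):
    """Convert an ISO-8601 duration such as PT12M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def audit_task_xml(xml_text):
    """Return the reasons a Task Scheduler XML resembles dropper persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_node.findtext("t:Command", "", NS) or "").strip()
        args = exec_node.findtext("t:Arguments", "", NS) or ""
        if TEMP_PATH.search(f"{cmd} {args}"):
            reasons.append("action runs from a temp directory")
        if cmd.split("\\")[-1].lower() in PROXY_BINS and NON_EXEC_EXT.search(args):
            reasons.append("proxy binary launches a non-executable extension")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(iv.text)
        if mins is not None and mins <= MAX_BENIGN_INTERVAL_MIN:
            reasons.append(f"repeats every {mins:g} minutes")
    return reasons
```

Exported task definitions (schtasks /query /xml) can be fed to audit_task_xml one at a time; an empty list means none of the three traits were seen.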
Indicators of Compromise
- [MD5 Hashes] Malicious files involved in the attack – 50d4e3470232d90718d61e760a7a62fb, 6a84a14dd79396f85abd0e7a536d97fc, and 3 more hashes.
- [URLs] Command and control endpoints used to download payloads – http://103.149.98.230/pprb/0220pprbman_1/an/d.php?newpa=myapp, https://niva.serverpit.com/anlab/d.php?newpa=attach.
- [FQDN] Domain used for C2 communication – niva.serverpit.com.
- [IP Addresses] Attack infrastructure IPs – 103.130.212.116, 103.149.98.230.
Read more: https://asec.ahnlab.com/en/88465/