JPCERT/CC confirms that Kimsuky carried out targeted attack activities against Japanese organizations in March 2024, using spearphishing with a zip attachment and decoy documents to deliver a malicious payload. The infection chain downloads and runs a VBScript stage, which in turn fetches PowerShell code whose PokDoc and InfoKey functions collect device information, check for analysis environments, and exfiltrate keystrokes and clipboard data. #Kimsuky #PokDoc #InfoKey
Keypoints
- Targeted attack email impersonated a security/diplomatic organization and delivered a zip attachment with files that hide their true extensions.
- Files included one executable and two decoy documents, with double file extensions to conceal their nature.
- Execution of the EXE triggers a VBScript (VBS) download and launch via wscript.exe from an external source.
- The VBS fetches and runs PowerShell, invoking a PokDoc function with a destination URL parameter.
- Registry Run key is used to autostart a file via WScript, enabling persistence.
- The downloaded PowerShell implements a keylogger (InfoKey) that collects system, process, network, and user data and writes it to a file before exfiltration.
- Keystrokes and clipboard data are captured and sent to a remote URL, indicating data exfiltration through the C2 channel.
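The attachment described above hides the real extension of each file behind a long run of spaces, so a name such as a ".docx" followed by dozens of spaces and ".exe" renders as a document in most file listings. The following is an added example, not JPCERT/CC's code and not a sample from the report: it builds a constructed in-memory zip with entry names of that shape (the names and padding lengths are invented for illustration) and flags entries whose visible extension does not match the real one, or whose real extension is preceded by a whitespace run.

```python
"""Flag zip entries that hide their true extension behind whitespace or a double extension.

Added example (not JPCERT/CC code). The sample archive below is constructed; the
entry names and the amount of padding are assumptions for illustration only.
"""
import io
import zipfile

# Extensions that execute when double-clicked, versus ones a victim expects to be harmless.
EXEC_EXTS = {".exe", ".scr", ".vbs", ".js", ".wsf", ".hta", ".lnk", ".cmd", ".bat", ".ps1"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".hwp"}
MIN_PADDING = 4  # whitespace run before the real extension that we treat as deliberate


def analyse_name(name):
    """Return a finding dict for a masqueraded entry name, or None if it looks ordinary."""
    base = name.rsplit("/", 1)[-1]  # zip entries use forward slashes as separators
    stem, sep, ext = base.rpartition(".")
    if not sep:
        return None
    true_ext = "." + ext.strip().lower()
    # Whitespace immediately before the final extension pushes it out of view in listings.
    padding = len(stem) - len(stem.rstrip())
    shown = stem.rstrip()
    _, sep2, shown_ext = shown.rpartition(".")
    shown_ext = ("." + shown_ext.lower()) if sep2 else ""
    double_ext = true_ext in EXEC_EXTS and shown_ext in DOC_EXTS
    if padding >= MIN_PADDING or double_ext:
        return {"name": base, "shown_ext": shown_ext, "true_ext": true_ext, "padding": padding}
    return None


def scan_zip(data):
    """Scan the entry names of a zip given as bytes; returns findings in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            finding = analyse_name(name)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip():
    """Constructed archive: one padded executable, one padded decoy, and benign controls."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.docx" + " " * 60 + ".exe", b"MZ...")        # masqueraded executable
        zf.writestr("Invitation.docx" + " " * 40 + ".docx", b"PK...")   # decoy with padding
        zf.writestr("readme.txt", b"hello")                             # benign
        zf.writestr("report.pdf.exe", b"MZ...")                         # plain double extension
        zf.writestr("data.tar.gz", b"\x1f\x8b")                         # benign double extension
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['name']!r}: shown {f['shown_ext'] or '(none)'}, real {f['true_ext']}, padding={f['padding']}")
```

The padding threshold is deliberately low: legitimate file names rarely carry several consecutive spaces directly before the extension, so a mail gateway or sandbox can block on it with little false-positive cost, while the double-extension rule catches the same trick without any padding.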
MITRE Techniques
- [T1566.001] Spearphishing Attachment - The attacker sent a targeted attack email impersonating a security and diplomatic organization. A zip file containing the following files with double file extensions was attached to the email. "...the attacker sent a targeted attack email impersonating a security and diplomatic organization. A zip file containing the following files with double file extensions was attached to the email."
- [T1036] Masquerading - To hide the file extension, each file name contains a large number of spaces, which push the real extension out of view in file listings so that only the decoy document extension is visible. "To hide the file extension, each file name contains a large number of spaces."
- [T1059.005] VBScript - When the EXE file is executed, a VBS file is downloaded from an external source and executed using wscript.exe. "When the EXE file (1) is executed, a VBS file is downloaded from an external source and executed using wscript.exe."
- [T1059.001] PowerShell - The VBS file downloads PowerShell code from the external source and calls its PokDoc function with the following parameter. "PokDoc -Slyer [Destination URL]"
- [T1547.001] Registry Run Keys / Startup Folder - The Run key in the registry is used to configure "C:\Users\Public\Pictures\desktop.ini.bak" to start automatically via WScript.
- [T1056.001] Keylogging - The PowerShell code downloaded by the VBS file functions as a keylogger; when InfoKey is called, keystrokes and clipboard data are captured and saved. "When the InfoKey function is called, the file C:\Users\Public\Music\desktop.ini.bak is created, and then the stolen keystrokes and clipboard information are saved."
- [T1041] Exfiltration Over C2 Channel - The collected data is sent to the URL provided in the parameter. "the data is sent to the URL provided in the parameter."
Indicators of Compromise
- [File] desktop.ini.bak - C:\Users\Public\Pictures\desktop.ini.bak, C:\Users\Public\Music\desktop.ini.bak
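The chain above leaves several host-level traces that are cheap to hunt for: a Run value that starts WScript against a ".bak" file under C:\Users\Public, wscript.exe actually running that file, PowerShell spawned with wscript.exe as its parent, and the two desktop.ini.bak paths being created. The following is an added example, not JPCERT/CC's code: it runs those four checks over constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set). The Run value name "Desktop", the exact command lines, and the event field layout are assumptions for illustration; only the two file paths come from the report.

```python
"""Hunt Sysmon-style events for the Kimsuky behaviours described on this page.

Added example (not JPCERT/CC code). SAMPLE_EVENTS are constructed; the Run value
name, command lines and record IDs are assumptions, not indicators from the report.
"""
import re

# File indicators listed on the page, lower-cased for comparison.
IOC_FILES = {
    r"c:\users\public\pictures\desktop.ini.bak",
    r"c:\users\public\music\desktop.ini.bak",
}
# Matches ...\CurrentVersion\Run\<value>; the trailing backslash excludes RunOnce etc.
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def _norm(value):
    """Lower-case a path or command line and strip surrounding quotes for comparison."""
    return (value or "").strip().strip('"').lower()


def _mentions_ioc(text):
    return any(ioc in text for ioc in IOC_FILES)


def hunt(events):
    """Return a list of (rule_name, RecordID) hits, in event order."""
    hits = []
    for ev in events:
        eid, rid = ev.get("EventID"), ev.get("RecordID")
        if eid == 1:  # process creation
            image = _norm(ev.get("Image"))
            parent = _norm(ev.get("ParentImage"))
            cmd = _norm(ev.get("CommandLine"))
            # T1547.001 / T1059.005: wscript.exe run against a ".bak" under C:\Users\Public
            if image.endswith("\\wscript.exe") and "\\users\\public\\" in cmd and ".bak" in cmd:
                hits.append(("wscript_runs_public_bak", rid))
            # T1059.001: PowerShell whose parent is wscript.exe (the VBS stage pulling PokDoc)
            if image.endswith("\\powershell.exe") and parent.endswith("\\wscript.exe"):
                hits.append(("wscript_spawns_powershell", rid))
        elif eid == 13:  # registry value set
            target = _norm(ev.get("TargetObject"))
            details = _norm(ev.get("Details"))
            if RUN_KEY_RE.search(target) and "wscript" in details and _mentions_ioc(details):
                hits.append(("run_key_wscript_ioc", rid))
        elif eid == 11:  # file create
            if _norm(ev.get("TargetFilename")) in IOC_FILES:
                hits.append(("ioc_file_created", rid))
    return hits


# Constructed sample telemetry: four malicious events followed by two benign controls.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Desktop",
     "Details": r'wscript.exe "C:\Users\Public\Pictures\desktop.ini.bak"'},
    {"RecordID": 2, "EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Pictures\desktop.ini.bak"'},
    {"RecordID": 3, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"RecordID": 4, "EventID": 11,
     "TargetFilename": r"C:\Users\Public\Music\desktop.ini.bak"},
    {"RecordID": 5, "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"RecordID": 6, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


if __name__ == "__main__":
    for rule, rid in hunt(SAMPLE_EVENTS):
        print(f"record {rid}: {rule}")
```

The Run-key and file-path rules are exact-match IOC checks and will stop firing as soon as the actor renames the file, whereas the two process rules (WScript running a non-script extension from C:\Users\Public, and PowerShell parented by wscript.exe) describe the technique and keep working across such changes, so they are the ones worth keeping in a detection set long term.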