The Kimsuky group has been using PebbleDash, a backdoor previously attributed to the Lazarus group, in spear-phishing attacks targeting individuals. This report details the distribution process, the use of a modified system DLL to bypass RDP authentication, and the installation of additional malware. Affected: Individuals, Cybersecurity
Key points:
- PebbleDash is now distributed by the Kimsuky group rather than Lazarus.
- The Kimsuky group primarily uses a spear-phishing tactic to gain initial access.
- The group combines PebbleDash with a modified RDP service to bypass authentication.
- PowerShell is used for running commands and deploying additional malware.
- The malware installation includes utilities for privilege escalation and data exfiltration.
- Users are advised to verify file extensions to avoid executing malicious files.
- Checks and command executions are recommended to identify and revert any file modifications.
MITRE Techniques:
- T1193 – Spear Phishing: The Kimsuky group uses spear-phishing emails to deliver malicious LNK files.
- T1059.001 – Command and Scripting Interpreter: PowerShell is launched from the command line to run commands.
- T1060 – Registry Run Keys / Startup Folder: The malware creates registry keys for persistence.
- T1071.001 – Application Layer Protocol: Uses Dropbox for command and control communications.
- T1543.003 – Create or Modify System Process: Modifies termsrv.dll for RDP connection authentication bypass.
- T1203 – Exploitation for Client Execution: Exploits software vulnerabilities to execute the malware on the target device.
- T1068 – Exploitation of Elevation of Privilege: UAC Bypass malware facilitates privilege escalation.
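The report recommends checking for, and reverting, modifications to system files such as termsrv.dll, the RDP service DLL the group tampers with to bypass authentication. The following PowerShell check is an added example, not code from the AhnLab report; it assumes a Windows host where termsrv.dll is catalog-signed by Microsoft, so a valid signature is the expected state and anything else warrants investigation.

```powershell
# Added example (not from the AhnLab report): verify that termsrv.dll still carries
# a valid Microsoft signature and record its hash and timestamp for comparison with
# a known-good host. Run in an elevated PowerShell session on the host being checked.
# Assumption: on a supported Windows build termsrv.dll is catalog-signed, and
# Get-AuthenticodeSignature (PowerShell 5.1+) validates catalog signatures.

$dll = Join-Path $env:SystemRoot 'System32\termsrv.dll'

if (-not (Test-Path $dll)) {
    Write-Warning "termsrv.dll not found at $dll"
    return
}

$sig  = Get-AuthenticodeSignature -FilePath $dll
$hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
$item = Get-Item -Path $dll

# Summarise the evidence a responder would want in a ticket.
[pscustomobject]@{
    Path            = $dll
    SignatureStatus = $sig.Status                  # 'Valid' on an unmodified file
    Signer          = $sig.SignerCertificate.Subject
    SHA256          = $hash                        # compare with a clean host of the same build
    FileVersion     = $item.VersionInfo.FileVersion
    LastWriteTime   = $item.LastWriteTime          # a recent write is suspicious
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "termsrv.dll signature status is '$($sig.Status)'. Treat the host as compromised."
    # Windows Resource Protection can restore the protected copy of the file.
    Write-Host "Restore with: sfc /scanfile=$dll   (or sfc /scannow for a full check)"
}
```

Because the attacker's copy may be patched rather than replaced, a hash that differs from a clean host of the same build is as significant as an invalid signature.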
Indicators of Compromise:
- [MD5] 641593eea5f235e27d7cff27d5b7ca2a
- [MD5] 70d92e2b00ec6702e17e266b7742bbab
- [IP] 159[.]100[.]13[.]216
- [IP] 213[.]145[.]86[.]223
- [IP] 216[.]219[.]87[.]41
Full Story: https://asec.ahnlab.com/en/87621/