A Kimsuky campaign delivered an obfuscated Windows Script Host JScript dropper inside an ALZ-compressed email attachment named “건강검진 안내서.alz” that displays a fake PDF while dropping and executing a DLL via rundll32. The malware uses multi-stage Base64 decoding (certutil/PowerShell), stores payloads under C:\ProgramData, communicates with C2 at load.samework.o-r.kr using AES-CBC-encrypted POST bodies and a decrypted Chrome 79 user-agent, and achieves persistence via regsvr32 scheduled execution. #Kimsuky #NationalHealthInsurance
Keypoints
- Campaign uses an ALZ-compressed email attachment named “건강검진 안내서.alz” that contains a deceptive .pdf.jse script to trick users into executing the dropper.
- The dropper is an obfuscated WSH/JScript two-stage loader that decodes Base64 payloads, drops files to the current folder and to C:\ProgramData, then executes a DLL via rundll32 and self-deletes.
- Secondary payloads are decoded using PowerShell plus certutil, stored with random-looking extensions (e.g., .a9oc, .lpxQ) to hide true file types, and executed as DLL/PE modules.
- Network C2 uses HTTP(S) to load.samework.o-r.kr/index.php with an AES-CBC encrypted, Base64-encoded POST body built from three random 9-character tokens and other identifiers; requests impersonate Chrome 79 via a decrypted User-Agent.
- Headers and C2 strings are obfuscated in memory using SIMD subtraction and custom decoding routines; the loader supports large server responses (up to ~10 MB) to fetch shellcode, PE modules, scripts, or commands.
- Persistence and stealth leverage living-off-the-land binaries: regsvr32 is used for hourly execution, PowerShell is run hidden, and certutil is used to decode Base64 to avoid detection.
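A detection check for the living-off-the-land chain in these key points, written here as an added example (not code from the original analysis): it runs four rules over constructed process-creation events. The event format, rule names and sample command lines are assumptions modelled on the binaries and ProgramData paths listed on this page.

```python
import ntpath
import re

# Constructed process-creation events (image path + command line) modelled on the
# execution chain described above; sample data, not captured telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\Downloads\건강검진 안내서.pdf.jse"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -windowstyle hidden -c certutil -decode C:\ProgramData\t.b64 C:\ProgramData\t.bin"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -decode C:\ProgramData\t.b64 C:\ProgramData\bEyjSIpZvbJpjVv9.a9oc"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\ProgramData\hkNlPHP61rvE0T7J.lpxQ"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\bEyjSIpZvbJpjVv9.a9oc,Play"},
    {"image": r"C:\Windows\System32\regsvr32.exe",          # benign: a real .dll
     "cmd": r"regsvr32.exe /s C:\ProgramData\Vendor\helper.dll"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe readme.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe"}
MODULE_EXTS = {".dll", ".ocx", ".cpl", ".ax"}            # what these loaders normally take

DOUBLE_EXT_SCRIPT = re.compile(r"\.(?:pdf|docx?|xlsx?|hwp)\.(?:jse?|vbs|vbe|wsf)\b", re.I)
HIDDEN_POWERSHELL = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I)
PROGRAMDATA_ARG = re.compile(r'c:\\programdata\\[^\s,"]+', re.I)

def classify(event):
    """Return the names of the detection rules an event matches (empty list if none)."""
    name = ntpath.basename(event["image"]).lower()
    cmd = event["cmd"]
    hits = []
    if name in SCRIPT_HOSTS and DOUBLE_EXT_SCRIPT.search(cmd):
        hits.append("double_extension_script")           # .pdf.jse lure
    if name == "powershell.exe" and HIDDEN_POWERSHELL.search(cmd):
        hits.append("hidden_powershell")                  # -windowstyle hidden
    if name == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
        hits.append("certutil_decode")                    # Base64 decode via a LOLBin
    if name in LOLBIN_LOADERS:
        m = PROGRAMDATA_ARG.search(cmd)
        # module under ProgramData with a non-module extension (.a9oc, .lpxQ)
        if m and ntpath.splitext(m.group(0))[1].lower() not in MODULE_EXTS:
            hits.append("lolbin_programdata_odd_ext")
    return hits

def scan(events):
    """Run every rule over every event; returns (rule, command line) pairs in event order."""
    return [(rule, e["cmd"]) for e in events for rule in classify(e)]

if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {cmd}")
```

Any single rule will fire on some legitimate activity; the value is in correlating several of them from one parent chain within a short window.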
MITRE Techniques
- [T1566] Phishing: Spearphishing Attachment – The campaign is “distributed via email attachment”.
- [T1204] User Execution: Malicious File – The attachment “appears as a PDF but is not; executing it shows a fake PDF while running the malware”.
- [T1059] Command and Scripting Interpreter – Malware is a “Windows Script Host (WSH)-based dropper and loader using obfuscated JScript”.
- [T1086] PowerShell – The sample uses “PowerShell + certutil to decode” and runs PowerShell with “-windowstyle hidden” to avoid user visibility.
- [T1218] Signed Binary Proxy Execution – Legitimate system binaries are abused: “regsvr32.exe /s C:\ProgramData\hkNIPHP61rvE0T7J.IpxQ” and execution via “rundll32.exe ,Play”.
- [T1053] Scheduled Task/Job – A scheduled task is registered so the payload in ProgramData “is executed every hour”.
- [T1105] Ingress Tool Transfer – The loader accepts large server responses and is described as a “Stage Loader for downloading shellcode, PE (modules), scripts, commands”.
- [T1071] Application Layer Protocol: Web Protocols – C2 uses HTTP(S) to “hxxp://load(.)samework(.)o-r(.)kr/index(.)php” and WinHTTP for communications.
- [T1027] Obfuscated Files or Information – The JScript and C2 headers/strings are “obfuscated; header decryption uses SIMD subtract and custom decoding”.
- [T1036] Masquerading – The malware “disguises requests as a normal browser (Chrome 79) via a decrypted User-Agent”.
Indicators of Compromise
- [File name / Hash] Email-delivered malicious attachment – 건강검진 안내서.alz (MD5: d02be241dda3d4027f6fbd84ac015ca8, SHA-256: 2abff5efd1b8e2a938e2ec4ba105a8e70d1c402a6c31e2a7021c7e3199a72d7a).
- [File name / Hash] Dropped script payload – 건강검진 안내서.pdf.jse (MD5: 903cec93146327414cbc49068c524292, SHA-256: 81e384471fcfa6752cb81ca1b7b9ee455cc78f1580d260ed7a11d682a378930e).
- [File path] Persisted/temporary files – C:\ProgramData\bEyjSIpZvbJpjVv9.a9oc, C:\ProgramData\hkNlPHP61rvE0T7J.lpxQ (randomized extensions used to conceal file type).
- [Domain / URL] Command-and-control – hxxp://load[.]samework[.]o-r[.]kr/index[.]php (C2 endpoint used for encrypted POSTs and payload staging).
- [Persistence / Execution] Scheduled task and loader invocation – regsvr32.exe /s C:\ProgramData\hkNIPHP61rvE0T7J.IpxQ and rundll32.exe ,Play (used for hourly execution and DLL entry point invocation).
- [Network / Header] Impersonated User-Agent – Decrypted Chrome UA: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36”.
Read more: https://wezard4u.tistory.com/429656