The article discusses Kimsuky malware, developed by North Korean hacking organizations, targeting the US Studies Center with a malicious file disguised as a legitimate document on future-oriented cooperation in an Australia-Korea-Japan dialogue. (Affected: US Studies Center, Australia, Korea, Japan)
Key points:
- Kimsuky, linked to North Korean hacking efforts, is involved in cyber espionage targeting sensitive research institutions.
- The malicious code masquerades as a genuine meeting document while embedding harmful scripts.
- It utilizes PowerShell to execute commands and modify files discreetly.
- Includes a PowerShell script that creates and schedules tasks to run further exploits.
- Targets the Australian public sector to enhance espionage capabilities against foreign relations.
MITRE Techniques:
- T1547.001 – Windows Task Scheduler: A task is scheduled to run the malicious VBS script every 18 minutes.
- T1059.001 – PowerShell: Uses PowerShell to execute commands and manage files within the system.
- T1071.001 – Application Layer Protocol: Utilizes HTTP/S for command and control, downloading files from a remote server.
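As an added defensive check (not code from the article or from the malware), the following PowerShell hunt lists scheduled tasks whose action launches a .vbs script through wscript or cscript on a short repetition interval, the persistence pattern described above; the 20-minute threshold, the function name and the assumption that the script host is invoked directly are mine, not details from the article.

```powershell
# Added example: hunt for scheduled tasks that run a VBS script on a short repetition
# interval, the persistence pattern described in the digest. Run in an elevated shell.
# The threshold and function name are assumptions, not values taken from the article.
function Find-SuspiciousVbsTasks {
    param(
        # Flag any repeating trigger at or below this interval (the digest cites 18 minutes).
        [TimeSpan]$MaxInterval = [TimeSpan]::FromMinutes(20)
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM handler actions are skipped.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            $usesScriptHost = $action.Execute -match '(?i)\b[wc]script(\.exe)?$'
            $runsVbs        = $cmdline -match '(?i)\.vbs\b'
            if (-not ($usesScriptHost -or $runsVbs)) { continue }

            foreach ($trigger in $task.Triggers) {
                $rep = $trigger.Repetition
                if (-not $rep -or -not $rep.Interval) { continue }
                # Repetition.Interval is an ISO 8601 duration string such as PT18M.
                $interval = [System.Xml.XmlConvert]::ToTimeSpan($rep.Interval)
                if ($interval -le $MaxInterval) {
                    [PSCustomObject]@{
                        TaskName = $task.TaskName
                        TaskPath = $task.TaskPath
                        Interval = $interval
                        Command  = $cmdline
                        Author   = $task.Author
                    }
                }
            }
        }
    }
}

Find-SuspiciousVbsTasks | Format-Table -AutoSize
```

Review any hit against the task's Author, TaskPath and the script's location before acting; legitimate administrative tasks can also repeat on short intervals.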
Indicators of Compromise:
- The article mentions a URL (hxxp://103.149.98.247/vs/tt/d.php) associated with phishing activities.
- It describes specific file names, such as “USSC AUSTRALIA-KOREA-JAPAN DIALOGUE FUTURE-ORIENTED COOPERATION.lnk”, that are linked with the malicious payload.
- It includes MD5, SHA-1, and SHA-256 hashes for the known malicious files.
- The script’s download command against the specified malicious server indicates compromise activity aimed at user credentials.
Full Story: https://wezard4u.tistory.com/429475