North Korean threat actor Kimsuky is suspected of compromising a wedding photo editing company to distribute maliciously crafted image files to customers, using personalized wedding photos to increase infection likelihood. The attack chain uses a JScript file carrying Base64-encoded payloads to drop files under C:\ProgramData, decodes the staged payload with certutil, and loads the final payload via regsvr32; #Kimsuky #certutil
Keypoints
- Kimsuky likely targeted a wedding photo editing company to obtain genuine customer photos and metadata to craft convincing malicious attachments.
- The initial malicious file is a JScript (.jse) that contains Base64-encoded data and drops a .jpg and encoded stage files under C:\ProgramData.
- Attack uses living-off-the-land binaries: certutil.exe to decode Base64 content and regsvr32.exe to load the final payload silently via DllInstall parameters.
- The JScript flow: Base64 -> binary -> drop JPG, then Base64 -> .eq6W -> certutil decode -> .kGkT (final payload), executed through PowerShell and regsvr32.
- Dropped artifacts include C:\ProgramData\1740489988221-19.jpg, C:\ProgramData\axgvhr9.eq6W, and C:\ProgramData\h7mCrlk.kGkT; execution chain involves wscript/cscript -> powershell (hidden) -> certutil -> regsvr32.
- Malicious JPGs are shown to victims (social engineering) while hiding malicious activity; EXIF data in the images revealed camera model info (Sony ILCE-7M4/ILCE-7M4K) and a timestamp of 2024-11-17 15:22.
- AV evasion is attempted by leveraging native OS tools instead of custom decoders and by naming/serving payloads with benign-looking image extensions.
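As an added illustration (not code from the original write-up or the sample itself), the following Python triage script applies the execution chain above to process-creation records of the kind a Sysmon Event ID 1 or EDR feed provides. The events, PIDs, the `-windowstyle hidden` spelling and the benign baseline entry are constructed assumptions; only the certutil and regsvr32 command shapes come from the report.

```python
import re

# Constructed process-creation events (sample data, not real telemetry), shaped
# like the chain described above: wscript -> powershell (hidden) -> certutil -> regsvr32.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\guest\Downloads\wedding_photos.jse"'},
    {"pid": 101, "ppid": 100, "image": "powershell.exe",
     "cmd": "powershell.exe -windowstyle hidden -command <stage commands>"},
    {"pid": 102, "ppid": 101, "image": "certutil.exe",
     "cmd": r"certutil -decode C:\ProgramData\axgvhr9.eq6W C:\ProgramData\h7mCrlk.kGkT"},
    {"pid": 103, "ppid": 101, "image": "regsvr32.exe",
     "cmd": r"regsvr32.exe /s /n /i:vnfjejudif234 C:\ProgramData\h7mCrlk.kGkT"},
    {"pid": 104, "ppid": 1, "image": "regsvr32.exe",   # ordinary registration, must not fire
     "cmd": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CODE_EXTS = (".dll", ".ocx", ".ax", ".cpl")   # extensions regsvr32 legitimately loads

def check_event(ev, by_pid):
    """Apply the three chain-specific rules to one event; return the rule names that fired."""
    hits, cmd, img = [], ev["cmd"].lower(), ev["image"].lower()
    parent = by_pid.get(ev["ppid"])
    # 1. hidden PowerShell spawned by a script host (assumes the long-form switch spelling)
    if img == "powershell.exe" and "-windowstyle hidden" in cmd \
            and parent and parent["image"].lower() in SCRIPT_HOSTS:
        hits.append("hidden_powershell_from_script_host")
    # 2. certutil used as a Base64/hex decoder rather than for certificate work
    if img == "certutil.exe" and re.search(r"\s-decode(hex)?\s", cmd):
        hits.append("certutil_decode")
    # 3. regsvr32 /n /i: (DllInstall path) pointed at a file without a code extension
    if img == "regsvr32.exe" and "/i:" in cmd and "/n" in cmd.split() \
            and not cmd.rsplit(None, 1)[-1].strip('"').endswith(CODE_EXTS):
        hits.append("regsvr32_dllinstall_nondll")
    return hits

def ancestry(pid, by_pid):
    """Walk parent links to rebuild the process chain that led to pid (root first)."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def scan(events):
    """Return {pid: (chain, hits)} for every event on which at least one rule fired."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: (ancestry(e["pid"], by_pid), h)
            for e in events if (h := check_event(e, by_pid))}
```

Running `scan(SAMPLE_EVENTS)` flags the PowerShell, certutil and regsvr32 events and returns the wscript -> powershell -> regsvr32 lineage for the loader, while the ordinary DLL registration stays silent.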
MITRE Techniques
- [T1059.005] Command and Scripting Interpreter: JScript – Initial malicious script (JScript/WScript) performs Base64 decoding and file drops using script-based logic (“JScript(WScript based) Base64->binary drop…”).
- [T1140] Deobfuscate/Decode Files or Information – Base64 decoding via MSXML.DOMDocument and ADODB.Stream to decode and write binaries (“dataType = bin.base64 … nodeTypedValue contains decoded raw binary”).
- [T1218] Signed Binary Proxy Execution (Living-off-the-Land) – certutil.exe used to decode Base64-encoded stage to final payload (“certutil -decode C:\ProgramData\axgvhr9.eq6W C:\ProgramData\h7mCrlk.kGkT”).
- [T1218.010] Regsvr32 – regsvr32.exe invoked with /s /n /i parameters to call DllInstall and load the final payload (“regsvr32.exe /s /n /i: … DllInstall(TRUE, vnfjejudif234) …”).
- [T1036.005] Masquerading – Malicious payloads are given benign-looking image file extensions and legitimate photo EXIF metadata to appear as normal wedding photos (“first dropped file name … 1740489988221-19.jpg” and EXIF showing “Sony ILCE-7M4/ILCE-7M4K”).
- [T1566.001] Spearphishing Attachment – Use of personalized wedding photos to entice recipients to open attachments, delivering malware while displaying the photo (“send to customers as wedding photos … show the photo and perform malicious actions”).
Indicators of Compromise
- [File name] Dropped artifacts and payloads – 1740489988221-19.jpg, axgvhr9.eq6W, h7mCrlk.kGkT
- [File hash] Known sample hashes – MD5: 089ae8b91642bc246bb0420cc811c5f3; SHA-1: ed6af55654c09b9d0707b43cb9b2e58721177b1e; SHA-256: 5178c640e7694464b73155e0a0fc2493041c48397f3d4e705b79669bced397db
- [Executable/LOLBin names] Tools used in chain – powershell.exe (hidden windowstyle), certutil.exe, regsvr32.exe (used with /s /n /i to load payload)
- [EXIF metadata] Photo metadata revealing device and timestamp – Sony ILCE-7M4/ILCE-7M4K and timestamp 2024-11-17 15:22 (used to craft/validate personalized lures)
Read more: https://wezard4u.tistory.com/429652