A VBScript backdoor named 1.vba (1 MB) uses simple Caesar-shift (-5) string obfuscation and Execute to decode and immediately run malicious VBScript that downloads and runs additional payloads. Observed download hosts include the AWS S3 bucket proradead and an IP-based hxxp URL, and Avast flags the sample as VBS:Kimsuky-Y [Trj]. #1.vba #VBS:Kimsuky-Y
Keypoints
- Sample details: filename 1.vba, size 1 MB, MD5 10238c4bac6d327b96bd2abd8808161e, SHA-1 c0285cc616c019ad8361cc4d844362c0b2a5d09e, SHA-256 cfb38fa1d12f9cc1e129fc952739a2b1a831ff17cfd752ec57d7fee53a380866.
- Obfuscation: uses a simple Caesar character shift (subtracting 5 from ASCII values) applied per-character, rebuilding the string with Chr()/Asc() and executing the result via Execute to evade AV signatures.
- Scripting and components: script uses Option Explicit and creates COM objects (WScript.Shell, Scripting.FileSystemObject, MSXML2.XMLHTTP, ADODB.Stream) consistent with legitimate VBScript structure.
- Download behavior: defines multiple download URLs (AWS S3 proradead bucket and an IP-based hxxp URL) and saves files to C:\Users\Public\Music (musicx.exe, musicx.exe.config, music.txt); it also downloads a lure video, proton.mp4.
- Download guard logic: checks file existence with FSO.FileExists(path) and only downloads when the target is missing; the download is performed via an MSXML2.XMLHTTP GET and saved with ADODB.Stream (adSaveCreateOverWrite).
- Execution: launches downloaded files with WScript.Shell.Run (Run , 1, False) so the executable is shown and the script does not wait; Avast detects the sample as VBS:Kimsuky-Y [Trj].
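Added example (not code from the analysed sample or the original post): a Python triage helper that recovers the per-character shift described in the obfuscation point above by brute-forcing candidate shifts against common VBScript tokens, then decodes every string literal that yields them. The marker list, the benign sample line and the Decode wrapper name are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Tokens a decoded VBScript downloader almost always contains (constructed list).
VBS_MARKERS = ("CreateObject", "WScript.Shell", "Scripting.FileSystemObject",
               "MSXML2.XMLHTTP", "ADODB.Stream", "Execute")

def shift_chars(text: str, delta: int) -> str:
    """Per-character code-point shift, the Chr(Asc(c) + delta) idea the sample uses.
    A code point that would leave the valid range becomes '?' instead of raising."""
    out = []
    for c in text:
        code = ord(c) + delta
        out.append(chr(code) if 0 <= code <= 0x10FFFF else "?")
    return "".join(out)

def find_shift(blob: str, max_shift: int = 25) -> Optional[int]:
    """Return the shift whose removal exposes the most VBScript markers, or None.
    Brute-forcing 1..max_shift generalises the sample's fixed shift of 5."""
    best, best_hits = None, 0
    for delta in range(1, max_shift + 1):
        hits = sum(shift_chars(blob, -delta).count(m) for m in VBS_MARKERS)
        if hits > best_hits:
            best, best_hits = delta, hits
    return best

def extract_string_literals(script: str) -> List[str]:
    """Pull VBScript string literals ("..." with "" as the escaped quote) out of source text."""
    return [m.group(1).replace('""', '"') for m in re.finditer(r'"((?:[^"]|"")*)"', script)]

def deobfuscate(script: str) -> List[Tuple[int, str]]:
    """For every literal that looks shifted, return (shift, recovered plaintext)."""
    found = []
    for literal in extract_string_literals(script):
        delta = find_shift(literal)
        if delta is not None:
            found.append((delta, shift_chars(literal, -delta)))
    return found

# Constructed, benign sample: one line encoded with +5 and wrapped in an Execute() call,
# mirroring the decode-then-Execute pattern; the Decode helper name is hypothetical.
PLAIN = 'Set sh = CreateObject("WScript.Shell")'
SAMPLE_SCRIPT = 'Execute(Decode("' + shift_chars(PLAIN, 5).replace('"', '""') + '"))'

if __name__ == "__main__":
    for delta, text in deobfuscate(SAMPLE_SCRIPT):
        print(f"shift -{delta}: {text}")
```

Running the helper over a suspect script prints each recovered literal with the shift that exposed it; a hit on Execute-wrapped literals is a strong triage signal for this family's loader.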
MITRE Techniques
- [T1027] Obfuscated Files or Information – The VBScript uses a simple Caesar shift to hide code and then executes it; [‘The obfuscation uses a simple Caesar Shift (character shift)’ / ‘Uses Execute to immediately run the decrypted code.’]
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Malicious functionality is implemented and invoked via VBScript Execute and WScript.Shell.Run; [‘Uses Execute to immediately run the decrypted code’ / ‘WScript.Shell.Run in the form Run , 1, False’]
- [T1105] Ingress Tool Transfer – Additional payloads are downloaded from remote hosts (AWS S3 bucket and an IP-based URL) to the victim and saved to disk; [‘AWS S3 URLs such as hxxps://proradead.s3.sa-east-1.amazonaws.com/new.exe’ / ‘hxxp://152.(.)42.(.)42(.0226.161/’]
- [T1071.001] Application Layer Protocol: Web Protocols – The script retrieves payloads over HTTP(S) using MSXML2.XMLHTTP and checks for HTTP 200 before saving; [‘Using MSXML2.XMLHTTP for GET and if Status == 200 then ADODB.Stream writes ResponseBody…’]
Indicators of Compromise
- [File] observed malicious script – 1.vba
- [MD5] sample hash – 10238c4bac6d327b96bd2abd8808161e
- [SHA-1] sample hash – c0285cc616c019ad8361cc4d844362c0b2a5d09e
- [SHA-256] sample hash – cfb38fa1d12f9cc1e129fc952739a2b1a831ff17cfd752ec57d7fee53a380866
- [URL/Domain] download hosts – hxxps://proradead(.)s3(.)sa-east-1(.)amazonaws(.)com/new(.)exe, hxxps://proradead(.)s3(.)sa-east-1(.)amazonaws(.)com/new(.)exe(.)config (and other S3 object paths)
- [IP/URL] alternate download – hxxp://152(.)42(.)42(.0226.161/ (IP-based hxxp URL observed in script)
- [File Path] dropped files and lure – C:\Users\Public\Music\musicx.exe, C:\Users\Public\Music\proton.mp4
- [AV Detection] vendor detection name – Avast: VBS:Kimsuky-Y [Trj]
Read more: https://wezard4u.tistory.com/429685