Full Report
Recently, the AhnLab SEcurity intelligence Center (ASEC) confirmed a phishing email attack case in which the Kimsuky group disguised their attack as a request for paper review from a professor. The email prompted the recipient to open an HWP document file containing a malicious OLE object. The document was password-protected, and the recipient had to […]
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
Attributed to the **Kimsuky** group, confirmed by AhnLab SEcurity intelligence Center (ASEC). This group is associated with continuously launching APT attacks and impersonating others to target specific individuals.
## Activity Summary
Kimsuky executed a phishing campaign disguised as a request for paper review from a professor. The attack chain begins with a password-protected HWP document containing a malicious OLE object. Upon opening, the document drops six files in the `%TEMP%` folder. A hyperlink in the document body, labeled **“More…”**, executes a batch file (`peice.bat`) that orchestrates persistence, cleanup, and execution of the main payload. The initial lure document was themed around the Russo-Ukraine War. A second observed infection chain downloaded files via a PowerShell script (`template.ps1`) that delivered later-stage payloads, including establishing persistence through a compromised AnyDesk configuration.
## Tactics, Techniques & Procedures
- **Spearphishing Attachment:** Using HWP documents with malicious OLE objects as an initial vector.
- **Credential/Password Prompt:** Document required a password to open, which was provided in the phishing email content.
- **File Dropping:** Automatically created six specific files in the `%TEMP%` directory upon opening the malicious document.
- **Execution via Link:** Used an embedded hyperlink (prompting user interaction) within the document body to trigger execution of a batch script (`peice.bat`).
- **Persistence Mechanism:** Registered a scheduled task named **“GoogleTransltatorExtendeds”** from an XML task definition (dropped as `sch_0514.db`) that executes `cool.exe` every 12 minutes.
- **Defense Evasion/Obfuscation:** Used an EXE file (`app.db`) signed with a valid signature. Execution involved the main executable reading a manifest file (`cool.exe.manifest`) for BASE64-encoded data, which was decoded into a VBScript to execute the downloader script.
- **Information Harvesting:** PowerShell utilized to collect process lists and installed AV information.
- **Use of Legitimate Services:** Using Dropbox for C2 communication/storage of harvested data (`park_year_month_day_hour_minute_info.ini`).
- **Lateral Movement/RCE Attempt:** Attempted to hijack legitimate remote access software (AnyDesk) by replacing its configuration files (`service.conf`, `system.conf`) to gain persistent remote control, while attempting to hide related artifacts (tray icon/window).
- **File Operation:** Deleted the original HWP file and renamed files to look legitimate (e.g., the bait HWP document was renamed to “Military Technology and Future War Direction Seen Through the Russo-Ukrainian War.hwp”).
## Targeting
- **Sectors:** Implied targeting of academic/research fields due to the lure email topic (paper review request) and content (Russo-Ukraine War documents).
- **Geography:** Based on the use of HWP files (common in South Korea) and the nature of past Kimsuky activities, likely targeting South Korean entities or individuals interested in geopolitical topics.
- **Victims:** Individuals receiving the phishing email regarding paper review requests.
## Tools & Infrastructure
- **Malware families used:**
  - `app.db` (renamed to `cool.exe`): Signed executable responsible for reading configuration and launching VBScript.
  - `get.db` (renamed to `template.ps1`): PowerShell script for system enumeration and downloading secondary payloads.
  - `sch_0514.db` (scheduler file): XML configuration for persistence.
  - Infection chain 2/3 artifacts: `default_an.vbs`, `default_an.ps1`, `default_an.exe` (appears to be legitimate AnyDesk), `service.conf`, `system.conf` (configuration replacements).
- **Infrastructure (C2 domains and IPs; URLs defanged):**
  - HTTP URL: `http[:]//103[.]149[.]98[.]230/pprb/0220_pprb_man_1/an/d[.]php?newpa=myapp`
  - HTTP URL: `http[:]//103[.]149[.]98[.]230/pprb/0220_pprb_man_1/an/d[.]php?newpa=myappfest`
  - HTTPS URL: `https[:]//niva[.]serverpit[.]com/anlab/d[.]php?newpa=attach`
  - HTTPS URL: `https[:]//niva[.]serverpit[.]com/anlab/d[.]php?newpa=bimage`
  - HTTPS URL: `https[:]//niva[.]serverpit[.]com/anlab/d[.]php?newpa=mnfst`
  - FQDN: `niva[.]serverpit[.]com`
  - IP Addresses: `103[.]130[.]212[.]116`, `103[.]149[.]98[.]230`
  - Cloud Storage: Dropbox (used for C2 exfiltration).
## Implications
Kimsuky continues to refine its social engineering by leveraging current geopolitical events (Russo-Ukraine War) relevant to potential victims. The use of signed executables, heavy obfuscation via malicious OLE objects within common document formats (HWP), and the attempt to replace legitimate remote access tools (AnyDesk) configurations indicate a sophisticated, multi-stage attack designed for stealthy long-term access and data exfiltration.
## Mitigations
- **File Handling Caution:** Exercise extreme caution when opening documents (especially HWP) received from unknown or unexpected sources, even if they appear to be from known contacts (professors/colleagues).
- **Macro/OLE Security:** Ensure default settings block execution of embedded objects (OLE) or scripts within documents unless explicitly whitelisted or required.
- **Process Monitoring:** Implement robust endpoint detection and response (EDR) to monitor for suspicious file drops in `%TEMP%` directories and unusual process execution chains (e.g., document opening leading to batch/PowerShell execution).
- **Scheduler Monitoring:** Audit scheduled tasks for newly created entries, especially those running executables from non-standard locations like Public user profile folders (`C:\Users\Public\Music\`).
- **Software Integrity Check:** Regularly verify the integrity and configuration files of legitimate remote access software (AnyDesk) to detect unauthorized modification of connection IDs or credentials.
- **Network Monitoring:** Block outbound connections to identified C2 IPs and domains, and monitor for unusual traffic directed towards personal cloud storage services like Dropbox originating from process execution chains noted in this attack.
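The persistence technique described above (a scheduled task registered from an XML definition that runs an executable from a Public profile folder on a 12-minute cycle) and the Scheduler Monitoring mitigation translate directly into a triage check. The script below is an added example written for this summary, not code from ASEC or from the report: it parses Task Scheduler XML definitions (as exported with `schtasks /query /tn <name> /xml` or read from the task store under `C:\Windows\System32\Tasks\`) and flags tasks whose action runs from a user-writable directory or whose repetition interval is short enough to look like a beacon. The two task definitions embedded in it are constructed; the task name and 12-minute interval follow the report, while the executable path under `C:\Users\Public\Music\` and the threshold of 15 minutes are assumptions for the example.

```python
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Task Scheduler XML namespace used by every exported task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a legitimate scheduled task should rarely execute from
# (lower-cased substrings matched against the lower-cased Command element).
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
)

# Assumed threshold: repetition intervals at or below this are treated as beacon-like.
MAX_BENIGN_INTERVAL_MIN = 15


@dataclass
class Finding:
    task_name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_interval_minutes(iso: str) -> Optional[float]:
    """Convert an ISO 8601 duration as used by <Interval> (e.g. PT12M, PT1H30M) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def audit_task_xml(xml_text: str) -> Finding:
    """Flag a task definition if it runs from a user-writable path or repeats very frequently."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    finding = Finding(task_name=name)

    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"').lower()
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            finding.reasons.append(f"executable in user-writable location: {cmd}")

    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        minutes = parse_interval_minutes(interval.text or "")
        if minutes is not None and minutes <= MAX_BENIGN_INTERVAL_MIN:
            finding.reasons.append(f"tight repetition interval: {interval.text}")

    return finding


# Constructed sample modelled on the reported task: name and interval from the report,
# executable path under the Public profile is an assumption.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleTransltatorExtendeds</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT12M</Interval></Repetition>
      <StartBoundary>2024-05-14T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\Music\\cool.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign sample: vendor updater in Program Files, hourly.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleVendor\\Updater</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\ExampleVendor\\updater.exe"</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    # Audit exported task XML files given on the command line, or the embedded samples.
    sources = [open(p, encoding="utf-16" if p.endswith(".xml") else "utf-8").read() for p in sys.argv[1:]] \
        or [SAMPLE_TASK_XML, BENIGN_TASK_XML]
    for text in sources:
        f = audit_task_xml(text)
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok        '} {f.task_name}")
        for r in f.reasons:
            print(f"    - {r}")
```

Files exported by `schtasks /query /xml` are written as UTF-16, which is why the command-line branch reads `.xml` files with that encoding; the embedded samples omit the XML declaration so they parse as plain strings. On a fleet this check belongs alongside a baseline of known task names, since the report shows the actor choosing a Google-sounding name to blend in.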