contagio: 2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjan

Tuesday, September 10, 2024

The malware is delivered as a file named "Terms and conditions.msc," containing embedded PowerShell commands.
The PowerShell script is executed in a hidden window (-WindowStyle Hidden), preventing user awareness.
The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a malicious script from hxxps://0x0(.)st/Xyl7(.)txt.
The downloaded data, encoded in hexadecimal, is decoded into a byte array.
The decoded data is initially saved as an MP3 file (e.g., vBqz.mp3) in the system’s public documents folder.
The MP3 file is then renamed to an executable file (e.g., vBqz.exe), disguising the payload as a media file.
The executable is run using conhost.exe in the background with the -NoNewWindow option, ensuring it remains hidden.
File Camouflage: The use of the MP3 extension initially disguises the executable file.
Stealthy Execution: Utilizing system utilities like conhost.exe and executing commands in hidden windows help evade user detection and security software.
Command-and-Control (C2) Infrastructure: The malware’s reliance on a public site for payload distribution suggests a flexible and easily reconfigurable C2 mechanism.
Hexadecimal Encoding: The use of encoded data indicates potential obfuscation techniques; decoding this data can reveal more about the malware.
Potential Variants: Different versions of this malware may exist, with variations in the payload or C2 URLs. Monitoring and updating detection rules, such as YARA, would be beneficial.

Download