AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky group is using NTFS Alternate Data Streams (ADS) to hide their malware.
The malware is an Infostealer that collects data by executing a VBScript embedded in an HTML file. A distinguishing trait is that the actual code is scattered among large amounts of dummy code.
The following commands are executed to collect system, account, network, process and file information, which is then transmitted to the attacker.
- net user
- query user
- route print
- ipconfig /all
- arp -a
- netstat -ano
- tasklist /svc
- "cmd.exe" /c dir "C:\Program Files"
- "cmd.exe" /c dir "C:\Program Files (x86)"
- "cmd.exe" /c dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
- "cmd.exe" /c dir "C:\Users\Unknown\AppData\Roaming\Microsoft\Windows\Recent"
In addition, the malware decodes a block of hex-encoded data and saves it as ".Uso2Config.conf" in the "C:\ProgramData\Uso2" directory, then registers a scheduled task that runs it every minute indefinitely.
The decoded file is a persistence script that connects to the C2 server and executes an additional script. Notably, the suffix ":honeyT" is appended to the filename when ".Uso2Config.conf" is written. On NTFS this does not create a file named ".Uso2Config.conf:honeyT"; it writes the content into an alternate data stream named "honeyT" attached to ".Uso2Config.conf", while the file's main (unnamed) data stream is left empty.
Because only the main data stream is counted, the file shows a size of 0 bytes in a normal directory listing or in Explorer.
However, the stream name and its real size can be seen with the "dir /r" command in the Command Prompt, and the stream's contents can be read by redirecting it into the "more" command (more < .Uso2Config.conf:honeyT); "type" does not accept a file:stream path as an argument, which is why "more" with input redirection is used.
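To reproduce the behaviour described above on a clean machine, and to hunt for other files hidden the same way, the following PowerShell script is an added example; it is not code from ASEC or from the malware. It builds a harmless constructed sample in a temp directory (an empty file whose content sits in a "honeyT" stream, mirroring the path from the report), shows why the file appears as 0 bytes, enumerates and reads the stream, then scans a directory for files carrying non-default streams and lists scheduled tasks whose action references the "Uso2" directory. The stream ignore list (":$DATA", "Zone.Identifier") and the use of "Uso2" as the task-matching pattern are assumptions made for this example; the report does not give the task name. Requires Windows PowerShell 3.0+ or PowerShell 7 on an NTFS volume; the scheduled-task part needs the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not ASEC's or the malware's code): reproduce the ADS concealment
# on a harmless constructed sample, then hunt for it.
# Requires Windows PowerShell 3.0+ / PowerShell 7 on an NTFS volume.

# 1. Constructed sample: a 0-byte file whose real content lives in the "honeyT"
#    stream, mirroring C:\ProgramData\Uso2\.Uso2Config.conf:honeyT from the report.
$sampleDir  = Join-Path $env:TEMP 'ads-demo'
$sampleFile = Join-Path $sampleDir '.Uso2Config.conf'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
New-Item -ItemType File -Path $sampleFile -Force | Out-Null      # unnamed stream stays empty
Set-Content -LiteralPath $sampleFile -Stream 'honeyT' `
    -Value 'REM constructed placeholder content, not the real persistence script'

# 2. Plain listing: only the unnamed ($DATA) stream is counted, so Length is 0.
Get-Item -LiteralPath $sampleFile | Select-Object Name, Length

# 3. Enumerate every stream (PowerShell equivalent of "dir /r" in cmd.exe),
#    then the cmd.exe form itself, which is what the report refers to.
Get-Item -LiteralPath $sampleFile -Stream * | Select-Object Stream, Length
cmd.exe /c "dir /r `"$sampleDir`""

# 4. Read the hidden stream (equivalent of "more < .Uso2Config.conf:honeyT").
Get-Content -LiteralPath $sampleFile -Stream 'honeyT'

# 5. Hunt: every file under a path that carries a stream other than the unnamed
#    stream and the browser "mark of the web". The ignore list is an assumption.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        MainBytes   = $file.Length   # 0 for the sample: an empty shell
                    }
                }
        }
}

Find-AlternateDataStreams -Path $sampleDir
# On a suspect host, point it at the directory named in the report:
# Find-AlternateDataStreams -Path 'C:\ProgramData\Uso2'

# 6. Scheduled tasks whose action references the Uso2 directory. The task name is
#    not given in the report, so match on the action; 'Uso2' is the assumed pattern.
function Find-SuspiciousTasks {
    param([string] $Pattern = 'Uso2')
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions |
            Where-Object { "$($_.Execute) $($_.Arguments)" -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $_.Execute
                    Arguments = $_.Arguments
                }
            }
    }
}

Find-SuspiciousTasks
```

Step 5 is the part worth keeping as a hunting snippet: a file whose main stream is 0 bytes but which carries a named stream of non-trivial size, outside the usual Zone.Identifier case, is exactly the pattern this sample produces. Recursing over a whole volume is slow because every file is opened for stream enumeration, so scope it to ProgramData, user profiles and other writable locations first. Note that ADS are lost when a file is copied to a non-NTFS volume, so collect evidence with tools that preserve streams.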
This technique was previously used by the Magniber ransomware and was covered in the ASEC blog post "Changes to the Magniber Ransomware's File Creation Method (File Concealment)".
As attack methods are changing continuously with each passing day, users are strongly advised to exercise extra caution.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.