AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware.
This malware is an infostealer that collects data by executing the VBScript embedded in an HTML file. A distinguishing trait is that the actual code is interspersed among large amounts of dummy code.
Figure 1. Part of the initially executed script
The following commands are executed via the command line to collect system information, which is then transmitted to the attacker.
- hostname
- systeminfo
- net user
- query user
- route print
- ipconfig /all
- arp -a
- netstat -ano
- tasklist
- tasklist /svc
- "cmd.exe" /c dir "C:\Program Files"
- "cmd.exe" /c dir "C:\Program Files (x86)"
- "cmd.exe" /c dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
- "cmd.exe" /c dir "C:\Users\Unknown\AppData\Roaming\Microsoft\Windows\Recent"
In addition, HEX-encoded data is decoded and saved as ".Uso2Config.conf" in the "C:\ProgramData\Uso2" directory, and a scheduled task is registered that runs it every minute indefinitely.
The decoded file is a persistence script that connects to the C2 and executes an additional script. However, when ".Uso2Config.conf" is written, the suffix ":honeyT" is appended to the filename, so the content is stored in an Alternate Data Stream named "honeyT" rather than in the file's default data stream.
Figure 2. ADS Stream creation (part of the code with the dummy codes removed)
Figure 3. Registered scheduler
A file created this way shows a size of 0 bytes in a normal directory listing (Explorer or a plain "dir"), because the default data stream is empty and alternate streams are not counted.
Figure 4. File created in a certain path
However, the actual size and the stream name can be confirmed with the "dir /r" command in the Command Prompt, and the contents can be viewed with the "more" command by redirecting the stream into it (e.g. more < .Uso2Config.conf:honeyT).
Figure 5. Actual contents of the file
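The "dir /r" check above is easy to run by hand on one directory, but a responder usually wants to sweep many listings. The following Python script is an added example, not ASEC's code: it parses "dir /r" output and flags exactly the artifact described in this post, a file whose default stream is 0 bytes while a named stream carries data (as well as any other non-benign named stream). The listing it runs on is constructed for illustration; the stream size, timestamps and the extra files are assumptions, not values from the analysed sample.

```python
"""Flag NTFS Alternate Data Streams hiding payloads, from `dir /r` output.

Added example (not ASEC's code). The listing below is CONSTRUCTED; the
honeyT stream size and the timestamps are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed listing in the shape `dir /r` prints on an English Windows build.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\\ProgramData\\Uso2

03/14/2023  10:22 AM    <DIR>          .
03/14/2023  10:22 AM    <DIR>          ..
03/14/2023  10:22 AM                 0 .Uso2Config.conf
                                  2,048 .Uso2Config.conf:honeyT:$DATA
03/14/2023  09:01 AM           104,857 installer.exe
                                     26 installer.exe:Zone.Identifier:$DATA
03/14/2023  09:05 AM                 0 empty.txt
               3 File(s)        104,857 bytes
               2 Dir(s)  12,345,678,912 bytes free
"""

# Regular entry: date, time, size (or <DIR>), name.
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
# ADS row printed by /r: no timestamp, just size and name:stream:$DATA.
ADS_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Zone.Identifier is the Mark-of-the-Web stream browsers/mail clients write;
# treated as benign so it does not drown out real findings (assumption).
BENIGN_STREAMS = {"Zone.Identifier"}


@dataclass
class Entry:
    name: str
    size: int  # size of the unnamed ($DATA) stream as `dir` reports it
    streams: dict = field(default_factory=dict)  # stream name -> size


def _to_int(s: str) -> int:
    return int(s.replace(",", ""))


def parse_dir_r(text: str) -> list:
    """Parse `dir /r` output into Entry objects carrying their named streams."""
    entries = []
    current = None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            size_field, name = m.group(3), m.group(4)
            if size_field == "<DIR>":
                current = None  # directories can carry ADS too, but dir /r
                continue        # only lists streams for the files shown
            current = Entry(name=name, size=_to_int(size_field))
            entries.append(current)
            continue
        m = ADS_LINE.match(line)
        # An ADS row always follows its owning file; check the name matches.
        if m and current is not None and m.group(2) == current.name:
            current.streams[m.group(3)] = _to_int(m.group(1))
    return entries


def find_hidden_streams(entries: list) -> list:
    """Return (file, stream, size, reason) tuples for streams worth a look.

    'payload-in-ads': default stream empty, named stream non-empty, i.e. the
                      0-byte-file pattern described in the post.
    'unexpected-ads': any other named stream not in BENIGN_STREAMS.
    """
    findings = []
    for e in entries:
        for stream, size in e.streams.items():
            if stream in BENIGN_STREAMS:
                continue
            reason = "payload-in-ads" if e.size == 0 and size > 0 else "unexpected-ads"
            findings.append((e.name, stream, size, reason))
    return findings


if __name__ == "__main__":
    for name, stream, size, reason in find_hidden_streams(parse_dir_r(SAMPLE_DIR_R)):
        # On the host, dump the stream with:  more < "<name>:<stream>"
        print(f"{reason}: {name}:{stream} ({size} bytes)")
```

To use it on a real host, capture the listing with `dir /r /s C:\ProgramData > streams.txt` and feed the file to `parse_dir_r`; the "payload-in-ads" findings are the ones to pull with `more <` and compare against the IOC hashes below.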
This technique was also used by the Magniber ransomware in the past and was covered in the ASEC blog post "Changes to the Magniber Ransomware's File Creation Method (File Concealment)".
As attack methods continue to change day by day, users are strongly advised to exercise extra caution.
[File Detection]
Downloader/VBS.Kimsuky.S1997 (2023.03.14.00)
[IOC]
MD5
EC3C0D9CBF4E27E0240C5B5D888687EC
ACA61A168D95C5F72B8E02650F727000
C2
zetaros.000webhostapp[.]com
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information