Posted By Vanish , March 29, 2023

Kimsuky Group Uses ADS to Conceal Malware

AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware.

This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes.

Figure 1. Part of the initially executed script

The following commands are executed in the terminal to collect and transmit data.

hostname
systeminfo
net user
query user
route print
ipconfig /all
arp -a
netstat -ano
tasklist
tasklist /svc
cmd.exe” /c dir “C:\Program Files“
cmd.exe” /c dir “C:\Program Files (x86)”
cmd.exe” /c dir “C:\ProgramData\Microsoft\Windows\Start Menu\Programs”
cmd.exe” /c dir “C:\Users\Unknown\AppData\Roaming\Microsoft\Windows\Recent”

Additionally, after decoding the data that has been HEX encoded, it is saved as “.Uso2Config.conf” in the “C:\ProgramData\Uso2” directory before registering a scheduler that repeats infinitely every minute.

The decoded file is a script to maintain persistence that connects to the C2 and executes an additional script. However, “:honeyT” is attached and saved at the end when saving “.Uso2Config.conf”. This creates an ADS.

Figure 2. ADS Stream creation (part of the code with the dummy codes removed)

Figure 3. Registered scheduler

When saved through this method, the file size shows up as 0 bytes when examined in the directory.

Figure 4. File created in a certain path

However, the actual file size and filename can be confirmed by using the “dir /r” command in the Command Prompt terminal, and the “more” command can be used to check the contents of the file.

Figure 5. Actual contents of the file

This method was also used by the Magniber ransomware in the past, and was covered in an ASEC Blog post Changes to the Magniber Ransomware’s File Creation Method (File Concealment).

As attack methods are changing continuously with each passing day, users are strongly advised to exercise extra caution.

[File Detection]
Downloader/VBS.Kimsuky.S1997 (2023.03.14.00)

[IOC]

MD5
EC3C0D9CBF4E27E0240C5B5D888687EC
ACA61A168D95C5F72B8E02650F727000

C2
zetaros.000webhostapp[.]com

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:ads,Alternate Data Stream,AppleSeed,CONCEALMENT,Kimsuky,northkorea,Thallium

5 1 vote

Article Rating

33 Comments

Inline Feedbacks

View all comments

Kimsuky Group Uses ADS to Conceal Malware - Ciberdefensa

8 months ago

[…] post Kimsuky Group Uses ADS to Conceal Malware appeared first on ASEC […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – informatify.net

7 months ago

[…] event comes as AhnLab Safety Emergency Response Middle (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to ship info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Cryptonounce.com

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – securityhot

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – CISO2CISO.COM & CYBER SECURITY GROUP

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Tether Investor

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - BEKER

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks -

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – b0x

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – Auto Translate News

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – Cyber Social Hub

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Investor Beam

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Tech Investor News

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG advierte sobre ciberataques ARCHIPIÉLAGO vinculados a Corea del Norte - Teknomers Noticias

7 months ago

[…] se produce cuando AhnLab Security Emergency Response Center (ASEC) detalló el uso de Kimsuky de Flujo de datos alternativo (ANUNCIOS) y archivos de Microsoft Word armados para entregar malware ladrón de […]

Google TAG met en garde contre les cyberattaques ARCHIPELAGO liées à la Corée du Nord - Teknomers Nouvelles

7 months ago

[…] d’urgence de sécurité AhnLab (ASEC) a détaillé l’utilisation par Kimsuky de Flux de données alternatif (ADS) et fichiers Microsoft Word militarisés pour diffuser des logiciels malveillants voleurs […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - The Kilguard

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – Sentria

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Swapupdate

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG, Kuzey Kore bağlantılı ARCHIPELAGO Siber Saldırılarına Karşı Uyarıda Bulundu - Dünyadan Güncel Teknoloji Haberleri | Teknomers

7 months ago

[…] AhnLab Güvenlik Acil Durum Müdahale Merkezi’nin (ASEC) Kimsuky’nin Alternatif Veri Akışı (REKLAMLAR) ve silahlandırılmış Microsoft Word dosyaları bilgi hırsızı kötü amaçlı […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - 360tecnologico.com

7 months ago

[…] event comes as AhnLab Safety Emergency Response Heart (ASEC) detailed Kimsuky’s use of Alternate Knowledge Stream (ADS) and weaponized Microsoft Phrase information to ship info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Vived Solutions Ltd

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – Ady DeeJay :: Professional Freelancer

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks | Cyber Review

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - playtime74.com

7 months ago

[…] event comes as AhnLab Safety Emergency Response Heart (ASEC) detailed Kimsuky’s use of Alternate Knowledge Stream (ADS) and weaponized Microsoft Phrase information to ship info-stealer […]

7 months ago

[…] event comes as AhnLab Safety Emergency Response Middle (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to ship info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Shackle Media

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks – Flyytech.com

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Slsolutech.Best IT Related Website

7 months ago

[…] event comes as AhnLab Safety Emergency Response Heart (ASEC) detailed Kimsuky’s use of Alternate Information Stream (ADS) and weaponized Microsoft Phrase recordsdata to ship info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - Source Coders

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - SPIXNET C2S

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - BALL PLLC

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer […]

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks - The Network Company | Cyber Security | IT Services | Network Security

7 months ago

[…] comes as AhnLab Security Emergency Response Center (ASEC) detailed Kimsuky’s use of Alternate Data Stream (ADS) and weaponized Microsoft Word files to deliver info-stealer malware.Sign up for free and […]