APT Attack Disguised as a Research Paper on Russia-North Korea Partnership (Kimsuky)
AhnLab SEcurity intelligence Center (ASEC) has recently discovered an APT attack targeting Korean users. During the attack, the threat actor used a GitHub repository to which various malicious scripts and benign decoy files used in the attack had been uploaded.

Figure 1. Threat actor’s GitHub repository
The malicious behaviors are performed via multiple malicious scripts downloaded from the repository, with the ultimate goal of stealing user information. One malicious script is registered in the Run registry key and executed to maintain persistence, and a feature that changes file attributes and permissions was added to enable more sophisticated attacks.

Figure 2. The overall flow of operation
Two decoy files are used for the attack. The first is a research paper on the Russia-North Korea partnership and the second is a review report form for the paper.

Figure 3. Decoy file (1)
Attacks that abuse external repositories like this one are becoming more common. In this report, we discuss the APT attack process as well as the information obtained by monitoring the threat actor’s GitHub repository.
Contents
Overview
Malware Analysis
1. Flow of Operation
2. File Analysis
2.1. EXE
2.2. second.txt
2.3. third.txt
2.4. ini.bat
2.5. rest.txt
AhnLab Response Overview
Conclusion
Indicators of Compromise (IoCs)
File Hashes (MD5)
Relevant Domains, URLs, and IP Addresses