Kimsuky

AppleSeed Disguised as Wi-Fi Router Firmware Installer Being Distributed

On May 26th, the ASEC analysis team discovered the distribution of AppleSeed disguised as a Wi-Fi router firmware installer. Previously discovered AppleSeed strains were mainly distributed by disguising themselves as normal document or image files. The dropper malware that creates AppleSeed either used script formats such as JS (JavaScript) and VBS (Visual Basic Script), or used a .pif extension so that an executable would pass for a document file. For this case, it used the icon and…

Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics

The ASEC analysis team has discovered that a malware strain disguised as press releases is being distributed. When this malware is run, it loads a normal document file and attempts to access malicious URLs. If the access is successful, the script existing on the webpage is run. It appears the script is of a similar type to the VBS code found in the ASEC blog post <APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)>. The list of…

Word Files Related to Diplomacy and National Defense Being Distributed

The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related file names. The Word files contain malicious VBA macro code and are the same file type introduced in <Discovery of Continuous Distribution of North Korea-related Malicious Word Files>. The names of the distributed files that were recently discovered are as follows:
220426-North Korea’s Diplomatic Policy and Our Responses(Professor Jeong).doc (April 26th)
North Korea’s Diplomatic Policy and Our Responses.doc (April 26th)
China’s Diplomatic Policy and…

APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)

At the beginning of March this year, a wildfire broke out in the Samcheok and Uljin area, and numerous people from all over Korea donated to help the victims and repair the damage. Amidst such a situation, the ASEC analysis team discovered the attacker’s attempt at launching APT attacks disguised as donation receipts for the Uljin wildfire. The file was created on March 28th, and its author’s name is the same as the author (Acer) that was introduced in the…

VBS Script Disguised as PDF File Being Distributed (Kimsuky)

On March 23rd, the ASEC analysis team discovered APT attacks launched by an attack group presumed to be Kimsuky, targeting certain Korean companies. Upon running the script file with the VBS extension, the malware opens the innocuous PDF file embedded inside it to trick the user into thinking that they opened a harmless document, while using a malicious DLL file to leak information. Taking the PDF file into consideration, it seems the attacker is targeting precise-refinement industries…