May 20, 2024
Severity
High
Analysis Summary
The Kimsuky APT group, associated with North Korea, has been tied to a novel social engineering attack that uses Facebook Messenger to approach targets and deceive them into opening files that download malware.
Cybersecurity researchers said that the threat actor impersonated, on Facebook, a public figure employed by the North Korean government to promote human rights. The multi-phase campaign, which poses as a genuine person, is intended to attack activists in the anti-North Korea and North Korean human rights movements. This approach differs from traditional email-based spear-phishing in that it uses Facebook Messenger to approach targets and deceive them into opening documents that appear to be private and to have been written by the persona.
The fake documents, stored on OneDrive, are Microsoft Common Console documents that purport to be essays or other materials about a trilateral meeting involving the United States, South Korea, and Japan. The files "My_Essay(prof).msc" and "NZZ_Interview_Kohei Yamamoto.msc" were published to VirusTotal from Japan on April 5, 2024. This suggests that the campaign might be designed to specifically target individuals in South Korea and Japan.

Kimsuky is using uncommon document types to evade detection, as seen in the use of MSC files in this attack. The document is further disguised as a harmless Word file by using the word processor's icon to boost the infection's chances of success. If the victim opens the MSC file and agrees to allow Microsoft Management Console (MMC) to open it, they are shown a console window containing a Word document that initiates the attack chain.
A command is issued to connect to an actor-controlled server in order to display a decoy document hosted on Google Drive. Meanwhile, other commands are carried out in the background to configure persistence and to gather battery and process data. Once collected, the information is exfiltrated to the command-and-control (C2) server. This server may also extract IP addresses, User-Agent strings, and timestamps from incoming HTTP requests and send further payloads when needed. According to the researchers, some of the tactics, techniques, and procedures (TTPs) used in the campaign are similar to previous Kimsuky activity that distributed malware such as ReconShark.
Spear-phishing was the most frequent APT attack strategy in South Korea during the first quarter of this year. Although they are less frequently publicized, covert attacks using social media are nonetheless happening. Because of their personalized, one-on-one nature, they are rarely reported externally even when the victim is aware of them, which makes them difficult for security monitoring to identify. For this reason, it is critical to identify these tailored threats as soon as possible.
Impact
- Information Theft
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
Domain Name
- yonsei.lol
IP
- 5.9.123.217
- 199.59.243.225
MD5
- b5080c0d123ce430f1e28c370a0fa18b
- e86a24d9f3a42bbb8edc0ca1f8b3715c
- 1dd007b44034bb3ce127b553873171e5
- 49bac05068a79314e00c28b163889263
- 7ca1a603a7440f1031c666afbe44afc8
- aa8bd550de4f4dee6ab0bfca82848d44
SHA-256
- b3ab0b19478336a8c17ee9fd28ab6463df206b23f69c7e3b5eacc3efb11a0a95
- 433655572c0f319e576a451d069a29966f9d6b409207a649f286ab34d1c8cfeb
- 2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0
- 2209f27b08fc10118ef03ca983f1bbdff3ca2371a02382f9f34f64fdcae07ffe
- 9c6f6db86b5ccdda884369c9c52dd8568733e126e6fe9c2350707bb6d59744a1
- 3140153c3f3e8663496797795992a10089d966a74637846717b9459d3982b1f8
SHA1
- 1e1ee2ad2fed3373e4986f0d6fd178e2c75efb06
- 607e42fe2cb9f4be309b5b53cdef2693a704f37f
- a610f5d2460d58f5a7bd20977ccef19501c850fb
- d873ffa1c33c4e76fd7393d8be27425307e8fe91
- e12d0655cc09cddb4fb836c641f73179d4bc1121
- 03b559aac877c15fbf01cdbc0dbd4f02a50be480
URL
- http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/essay/share
- http://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx
- http://joongang.site/pprb/sec/d.php?na=battmp
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
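The following script is an added example, not part of the original advisory, showing how the "search for IOCs in your environment" step can be automated. It loads the indicators listed above into sets and runs them against constructed sample telemetry: a proxy log in a simple "timestamp source method url status" format, a file-hash inventory, and process-creation events. The log format, the inventory layout, the event field names and the user-writable path heuristic for MMC launches are assumptions made for the example; the hostnames extracted from the listed URLs are derived from the advisory's URL indicators and are reported as a weaker host-level match.

```python
"""Match the advisory's indicators against constructed sample telemetry (added example)."""
import re
from urllib.parse import urlparse

# Indicators copied from the advisory above, lowercased for comparison.
IOC_DOMAINS = {"yonsei.lol"}
IOC_IPS = {"5.9.123.217", "199.59.243.225"}
IOC_URLS = {
    "http://brandwizer.co.in/green_pad/wp-content/plugins/custom-post-type-maker/essay/share",
    "http://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx",
    "http://joongang.site/pprb/sec/d.php?na=battmp",
}
IOC_HASHES = {h.lower() for h in (
    # MD5
    "b5080c0d123ce430f1e28c370a0fa18b", "e86a24d9f3a42bbb8edc0ca1f8b3715c",
    "1dd007b44034bb3ce127b553873171e5", "49bac05068a79314e00c28b163889263",
    "7ca1a603a7440f1031c666afbe44afc8", "aa8bd550de4f4dee6ab0bfca82848d44",
    # SHA1
    "1e1ee2ad2fed3373e4986f0d6fd178e2c75efb06", "607e42fe2cb9f4be309b5b53cdef2693a704f37f",
    "a610f5d2460d58f5a7bd20977ccef19501c850fb", "d873ffa1c33c4e76fd7393d8be27425307e8fe91",
    "e12d0655cc09cddb4fb836c641f73179d4bc1121", "03b559aac877c15fbf01cdbc0dbd4f02a50be480",
    # SHA-256
    "b3ab0b19478336a8c17ee9fd28ab6463df206b23f69c7e3b5eacc3efb11a0a95",
    "433655572c0f319e576a451d069a29966f9d6b409207a649f286ab34d1c8cfeb",
    "2f7f3a86a868f6c5a85fb12fe028fd254cd9622075b179923187461c72d6aea0",
    "2209f27b08fc10118ef03ca983f1bbdff3ca2371a02382f9f34f64fdcae07ffe",
    "9c6f6db86b5ccdda884369c9c52dd8568733e126e6fe9c2350707bb6d59744a1",
    "3140153c3f3e8663496797795992a10089d966a74637846717b9459d3982b1f8",
)}
# Hostnames derived from the listed URLs: a request to the same host with a
# different path is still surfaced, but only as a weaker host-level match.
IOC_URL_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

# Assumed proxy log layout: "<timestamp> <source> <method> <url> <status>".
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
# Assumed user-writable locations from which an opened .msc decoy would be launched.
USER_DIRS = ("\\downloads\\", "\\onedrive\\", "\\appdata\\local\\temp\\", "\\desktop\\")


def classify_url(url):
    """Return the strongest indicator type a requested URL matches, or None."""
    if url in IOC_URLS:
        return "url"
    host = (urlparse(url).hostname or "").lower()
    if host in IOC_DOMAINS or host.endswith(tuple("." + d for d in IOC_DOMAINS)):
        return "domain"
    if host in IOC_IPS:
        return "ip"
    if host in IOC_URL_HOSTS:
        return "url-host"
    return None


def scan_proxy_log(lines):
    """Return one hit per log line whose requested URL matches an indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        kind = classify_url(m["url"])
        if kind:
            hits.append({"src": m["src"], "url": m["url"], "match": kind})
    return hits


def scan_file_hashes(inventory):
    """inventory: iterable of (path, hexdigest) pairs; any of MD5/SHA1/SHA-256 is accepted."""
    return [path for path, digest in inventory if digest.lower() in IOC_HASHES]


def flag_msc_launches(events):
    """Heuristic from the advisory's infection chain: mmc.exe opening an .msc from a user-writable path."""
    flagged = []
    for event in events:
        image = event.get("image", "").lower()
        cmd = event.get("command_line", "").lower()
        if image.endswith("mmc.exe") and ".msc" in cmd and any(d in cmd for d in USER_DIRS):
            flagged.append(event)
    return flagged


# Constructed sample data; the hosts that are not advisory indicators are placeholders.
SAMPLE_PROXY_LOG = """\
2024-04-05T09:12:01Z 10.0.0.15 GET http://joongang.site/pprb/sec/d.php?na=battmp 200
2024-04-05T09:12:05Z 10.0.0.15 GET https://www.example.com/index.html 200
2024-04-05T09:13:40Z 10.0.0.22 GET http://yonsei.lol/update 404
2024-04-05T09:14:02Z 10.0.0.22 GET http://199.59.243.225/check 200
2024-04-05T09:15:00Z 10.0.0.31 GET http://makeoversalon.net.in/wp-content/other.php 200
""".splitlines()
SAMPLE_INVENTORY = [
    ("C:\\Users\\a\\Downloads\\My_Essay(prof).msc", "B5080C0D123CE430F1E28C370A0FA18B"),
    ("C:\\Windows\\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),  # benign placeholder hash
]
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\mmc.exe",
     "command_line": '"C:\\Windows\\System32\\mmc.exe" "C:\\Users\\a\\Downloads\\My_Essay(prof).msc"'},
    {"image": "C:\\Windows\\System32\\mmc.exe",
     "command_line": '"C:\\Windows\\System32\\mmc.exe" C:\\Windows\\System32\\eventvwr.msc'},
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network:", hit)
    for path in scan_file_hashes(SAMPLE_INVENTORY):
        print("hash match:", path)
    for event in flag_msc_launches(SAMPLE_EVENTS):
        print("suspicious MMC launch:", event["command_line"])
```

Exact URL and hash matches are the high-confidence findings; the host-level and MMC-launch results are leads to triage, since legitimate administrators also open .msc consoles and a shared hosting provider may serve unrelated sites from the same host.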