Another report on the activities of the North Korean-based threat group, Kimsuky, has been published by Yoroi ZLab. A previous report was covered in a collection that is available from the Linked Collections section.
Malware, APT, Campaign
Kimsuky is believed to be a North Korean-based threat group who have been operating since the latter half of 2013 with many campaigns being attributed to the group. The group is also known by other names including Velvet Chollima and Black Banshee. The analysis provided in the Yoroi ZLab report begins with an SCR file that, when executed, creates a file with a .db extension which is in actuality a DLL file. No information is provided on the method used to deliver the SCR file to the victim. The file is then copied to a directory named “%AppData%\Roaming\Microsoft\Windows\Defender\” and renamed “AutoUpdate.dll“. A registry key, “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsDefender”, is then created to provide persistence. Two other files are also created during the process, a BAT file used to do some cleaning up, and a non-malicious document Yoroi ZLab believes is used to allay suspicion. Two components from the DLL file are injected into an instance of “explorer.exe“. Once the infection process is complete, the malware begins communicating with the C&C server at 15 minutes intervals, sending information about the infected system. Further details are available from the report linked in the Reference section below. See the Linked Collections section on the right for a previous collection on Kimsuky activity.
Indicators of Compromise
Ensure anti-virus software and associated files are up to date.
Search for existing signs of the indicated IOCs in your environment.
Consider blocking and or setting up detection for all URL and IP based IoCs.
Keep applications and operating systems running at the current released patch level.