The North Korean threat actor Kimsuky has been spotted deploying yet another advanced phishing campaign—this time leveraging HWP documents and stealthy AnyDesk backdoors to infiltrate victims under the guise of academic collaboration. The AhnLab Security Intelligence Center (ASEC) has released a detailed report on this latest attack, confirming that Kimsuky continues to refine its spear-phishing tactics and living-off-the-land techniques.
The operation begins with a phishing email crafted to appear as a legitimate academic request. The email includes a password-protected HWP file (Hancom Word Processor), a format commonly used in South Korea. Once opened with the supplied password, the document drops six malicious files into the system’s %TEMP% directory and displays a decoy discussing the Russo-Ukraine War.
One of the embedded files, peice.bat, is triggered via a hidden hyperlink labeled “More…” within the document, initiating a complex infection chain.
Upon execution, the peice.bat script orchestrates the following:
- Deletes the original HWP bait file.
- Renames and opens a new decoy file titled “Military Technology and Future War Direction Seen Through the Russo-Ukrainian War.hwp.”
- Registers a scheduled task under the alias “GoogleTransltatorExtendeds.”
- Moves the payload to C:\Users\Public\Music\ as cool.exe and related files.
This task, set to run every 12 minutes, decodes a BASE64-encoded VBScript, which then executes a PowerShell script (template.ps1). This script gathers antivirus and process information, sending the stolen data to the attacker’s Dropbox account.
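The persistence step above (a vendor-sounding task name, a 12-minute repetition, a script host launched from a world-writable folder, and a BASE64 blob that decodes to a script launcher) is exactly the combination a detection engineer can triage from Security event 4698 (scheduled task created). The following Python is an added example, not code from the ASEC report or from this article: it parses a constructed 4698-style record (task name plus the task XML), decodes any base64 tokens on the command line, and returns the list of suspicious traits. The sample task and the encoded VBScript are constructed for the demonstration and are not indicators from the report.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BRANDS = ("google", "microsoft", "adobe", "windows")
PUBLIC_OR_TEMP = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|%TEMP%", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def parse_iso_minutes(interval):
    """Convert a Task Scheduler ISO-8601 duration such as PT12M into minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def decode_blobs(text):
    """Return every base64 token in text that decodes to readable script text."""
    decoded = []
    for token in B64_BLOB.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        for enc in ("utf-8", "utf-16-le"):  # -EncodedCommand payloads are UTF-16LE
            try:
                decoded.append(raw.decode(enc))
                break
            except UnicodeDecodeError:
                continue
    return decoded


def parse_task_event(event):
    """event mirrors Security event 4698 data: TaskName plus the task XML (TaskContent)."""
    root = ET.fromstring(event["TaskContent"])
    return {
        "name": event["TaskName"],
        "interval_min": parse_iso_minutes(root.findtext(".//t:Repetition/t:Interval", namespaces=NS)),
        "command": root.findtext(".//t:Exec/t:Command", default="", namespaces=NS),
        "arguments": root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS),
    }


def score_task(task):
    """Return the suspicious traits of a parsed task (empty list means nothing notable)."""
    flags = []
    name = task["name"].lower()
    if any(b in name for b in BRANDS) and not name.startswith("\\microsoft\\"):
        flags.append("vendor-branded task name outside the vendor folder")
    if task["interval_min"] is not None and task["interval_min"] <= 15:
        flags.append(f"high-frequency repetition ({task['interval_min']:g} min)")
    cmdline = f"{task['command']} {task['arguments']}"
    if PUBLIC_OR_TEMP.search(cmdline):
        flags.append("action runs from a Public or Temp directory")
    if SCRIPT_HOST.search(cmdline):
        flags.append("task launches a script host")
    if any(re.search(r"powershell|WScript\.Shell", blob, re.I) for blob in decode_blobs(cmdline)):
        flags.append("base64 argument decodes to a script launcher")
    return flags


# Constructed sample data (illustrative, not IoCs from the report).
ENCODED_VBS = base64.b64encode(
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.Run "powershell -ep bypass -w hidden -File C:\\Users\\Public\\Music\\template.ps1", 0'
).decode()

SUSPICIOUS_EVENT = {
    "TaskName": "\\GoogleTransltatorExtendeds",
    "TaskContent": f"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT12M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
    <Arguments>//b C:\\Users\\Public\\Music\\cool.vbs {ENCODED_VBS}</Arguments></Exec></Actions>
</Task>""",
}

BENIGN_EVENT = {
    "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for ev in (SUSPICIOUS_EVENT, BENIGN_EVENT):
        print(ev["TaskName"], score_task(parse_task_event(ev)))
```

Feed it the TaskName and TaskContent fields from your 4698 events (or the XML under `C:\Windows\System32\Tasks`) and alert when two or more traits coincide; a single trait such as a short repetition interval is common in legitimate software, but a short interval plus a script host plus a Public-folder path is not.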
“template.ps1 collects the process list and installed antivirus (AV) information on the user’s system… and sends it to the threat actor’s Dropbox,” the report explains.
The attackers escalate their access through a second script that downloads additional files—including a legitimate AnyDesk executable, renamed default_an.exe, along with forged configuration files such as:
- service.conf: Contains the connection key and a hashed password.
- system.conf: Stores the connection ID and settings.
“The threat actor’s intention seems to be to replace these configuration files… to access the user’s system,” the report warns.

The attack chain cleverly hides AnyDesk’s interface:
- Tray icon: hidden
- Main window: suppressed
- Process: running silently in the background
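Because the AnyDesk interface is hidden, the user will not notice the session, so hunting has to rely on endpoint telemetry: a binary whose PE version-info OriginalFilename is AnyDesk.exe but whose on-disk name is something else, an AnyDesk process outside the sanctioned install directory or spawned by a script host, and service.conf/system.conf files living somewhere other than the product's own config directories. The Python below is an added example covering both the renamed-binary step and the forged-config step described above; it is not code from the ASEC report or from AnyDesk. The sanctioned directories and the `ad.anynet.id` / `ad.anynet.pwd_hash` key names are assumptions about a typical deployment and should be replaced with your own baseline; the process and config records are constructed sample data.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed typical locations of a sanctioned AnyDesk install; adjust to your baseline.
SANCTIONED_BIN_DIRS = (r"c:\program files (x86)\anydesk", r"c:\program files\anydesk")
SANCTIONED_CONF_DIRS = (r"c:\programdata\anydesk", r"\appdata\roaming\anydesk")
CONF_NAMES = {"service.conf", "system.conf"}
SCRIPT_HOSTS = re.compile(r"\\(wscript|cscript|powershell|cmd)\.exe$", re.I)


@dataclass
class ProcessRecord:
    image_path: str
    original_filename: str  # OriginalFilename from PE version info, as EDR telemetry exposes it
    parent_image: str


@dataclass
class ConfFile:
    path: str
    content: str


def audit_process(p):
    """Flag an AnyDesk process that is renamed, relocated, or launched by a script host."""
    flags = []
    if p.original_filename.lower() != "anydesk.exe":
        return flags  # not AnyDesk at all; out of scope for this check
    low = p.image_path.lower()
    if ntpath.basename(low) != "anydesk.exe":
        flags.append(f"AnyDesk binary renamed to {ntpath.basename(p.image_path)}")
    if not low.startswith(SANCTIONED_BIN_DIRS):
        flags.append("AnyDesk running outside the sanctioned install directory")
    if SCRIPT_HOSTS.search(p.parent_image):
        flags.append(f"launched by script host {ntpath.basename(p.parent_image)}")
    return flags


def audit_conf(c):
    """Flag AnyDesk config files stored outside the product's directories or carrying a password hash."""
    flags = []
    low = c.path.lower()
    if ntpath.basename(low) not in CONF_NAMES:
        return flags
    if not any(d in low for d in SANCTIONED_CONF_DIRS):
        flags.append("AnyDesk config outside the sanctioned directory")
    # Assumed key name: a pre-set hash enables unattended access with a password the user never chose.
    if re.search(r"^ad\.anynet\.pwd_hash=\S+", c.content, re.M):
        flags.append("unattended-access password hash present")
    return flags


def run_audit(processes, conf_files):
    """Return {path: [flags]} for every record that raised at least one flag."""
    findings = {}
    for p in processes:
        flags = audit_process(p)
        if flags:
            findings[p.image_path] = flags
    for c in conf_files:
        flags = audit_conf(c)
        if flags:
            findings[c.path] = flags
    return findings


# Constructed sample telemetry (not IoCs from the report).
SAMPLE_PROCESSES = [
    ProcessRecord(r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe", r"C:\Windows\explorer.exe"),
    ProcessRecord(r"C:\Users\Public\Music\default_an.exe", "AnyDesk.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessRecord(r"C:\Users\Public\Music\cool.exe", "cool.exe", r"C:\Windows\System32\wscript.exe"),
]
SAMPLE_CONFS = [
    ConfFile(r"C:\ProgramData\AnyDesk\service.conf", "ad.anynet.id=123456789\n"),
    ConfFile(r"C:\Users\Public\Music\service.conf",
             "ad.anynet.id=987654321\nad.anynet.pwd_hash=PLACEHOLDER_HASH\n"),
]

if __name__ == "__main__":
    for path, flags in run_audit(SAMPLE_PROCESSES, SAMPLE_CONFS).items():
        print(path, "->", "; ".join(flags))
```

Populate `ProcessRecord` from your EDR's process-creation events (most expose the PE OriginalFilename field) and `ConfFile` from a file-inventory sweep of user-writable paths such as `C:\Users\Public`; an AnyDesk image outside Program Files with a parent of powershell.exe or wscript.exe is the condition worth paging on.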
This stealth allows the attacker to maintain persistent remote control without the user’s knowledge—especially dangerous in corporate or government environments.
Kimsuky’s phishing attacks continue to evolve, increasingly exploiting legitimate software like AnyDesk and leveraging Dropbox for C2 operations. This shift toward fileless persistence and abuse of trusted tools reflects a growing trend in APT operations.