
Cybersecurity researchers from ESTsecurity’s Security Response Center (ESRC) have uncovered a new watering hole attack campaign attributed to the North Korean threat actor Kimsuky. This latest attack exploits a South Korean university website hosting a reunification education program, using malicious Hangul Word Processor (HWP) files to infect unsuspecting visitors.
The attack, first identified by ESRC, involves malicious HWP documents disguised as application forms for a reunification-related education program. These documents are uploaded to an official university website, luring individuals interested in the program to download and execute the infected files.
Watering hole attacks are a highly targeted cyberattack method where threat actors compromise websites frequently visited by specific individuals or organizations. In this case, the attackers aimed to infect users who are involved in reunification efforts—an area of strategic interest for North Korean intelligence operations.
The attackers use HWP files that contain embedded OLE (Object Linking and Embedding) objects. When executed, these files drop a secondary batch script (document.bat) in the user’s temporary folder. The batch script then executes a series of operations to establish persistence and facilitate further exploitation.
Once executed, the malicious payload:
- Extracts multiple files into the %TEMP% directory.
- Runs a decoy document to avoid suspicion.
- Registers a Windows Task Scheduler entry to ensure persistence.
- Downloads additional payloads from a command-and-control (C2) server.
Key components of the malware include:
- 0304.exe – A launcher written using Adersoft’s VbsEdit, designed to execute scripts covertly.
- get.db / 0304.bat – Batch script responsible for contacting the C2 server.
- wis.db – A downloaded file suspected of executing further malicious commands upon verification.
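The execution chain and components listed above map onto a handful of process-creation patterns a defender can alert on: the document viewer spawning a shell, a batch file run from the temporary folder, a scheduled task whose action points into that folder, and batch content hidden under a non-script extension such as .db. The following is an added example, not ESRC's code or anything from the campaign; it runs a few such rules over constructed Sysmon-style events. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1, and the Hangul Word Processor process name Hwp.exe and its install path are assumptions.

```python
# Added example (not ESRC's code): triage rules for the HWP -> batch -> scheduled-task
# chain described above, run over constructed Sysmon-style process-creation events.
# Assumptions: field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine);
# the Hangul Word Processor process is assumed to be named Hwp.exe.
import re

TEMP_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
HWP_PROCS = {"hwp.exe"}  # assumed process name
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
BATCH_EXT = {".bat", ".cmd"}
EXPECTED_EXT = {".bat", ".cmd", ".exe", ".com", ".vbs", ".js", ".ps1", ".msi"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension(path: str) -> str:
    name = basename(path)
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def cmd_target(cmdline: str):
    """First token after cmd.exe's /c or /k switch (quotes stripped), or None."""
    m = re.search(r'/[ck]\s+"?([^"\s]+)', cmdline, re.I)
    return m.group(1) if m else None


def flag_process_event(ev: dict) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")

    # The document viewer hands off to a script interpreter.
    if parent in HWP_PROCS and image in SHELLS:
        reasons.append("hwp-spawned-shell")

    if image == "cmd.exe":
        target = cmd_target(cmd)
        if target:
            ext = extension(target)
            # A batch file run out of the temp directory (document.bat above).
            if TEMP_RE.search(target) and ext in BATCH_EXT:
                reasons.append("batch-from-temp")
            # Batch content under a non-script extension (get.db above).
            if ext and ext not in EXPECTED_EXT:
                reasons.append("non-script-extension-run-as-batch")

    # Persistence via a scheduled task whose action lives in temp.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and TEMP_RE.search(cmd):
        reasons.append("scheduled-task-from-temp")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := flag_process_event(ev))]


# Constructed sample events; paths and user name are made up for the example.
SAMPLE_EVENTS = [
    {  # HWP (assumed name/path) spawns cmd.exe on the dropped document.bat
        "ParentImage": r"C:\Hnc\Hwp.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\kim\AppData\Local\Temp\document.bat"',
    },
    {  # persistence registration whose action points into the temp folder
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc minute /mo 10 /tn "Update" /tr "C:\Users\kim\AppData\Local\Temp\0304.exe"',
    },
    {  # launcher runs the batch file carried under the .db extension
        "ParentImage": r"C:\Users\kim\AppData\Local\Temp\0304.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "%TEMP%\get.db"',
    },
    {  # benign activity for contrast
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo hello",
    },
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(reasons))
```

The rules are deliberately narrow: the first event trips two of them (viewer-to-shell and batch-from-temp), while the benign `echo` line trips none. In a real deployment the same logic would sit on top of the endpoint telemetry pipeline rather than a list of dictionaries, and the process-name set would be adjusted to the document viewers actually installed.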
ESRC attributes this attack to Kimsuky based on similarities in tactics, techniques, and procedures (TTPs). Notably, the attackers utilized a method involving .manifest files to load VBScript code encoded in Base64. This technique has been observed in past Kimsuky campaigns.
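Because the page describes the loader only as ".manifest files carrying Base64-encoded VBScript", a simple hunting check is to decode every long Base64 run in such files and look for VBScript keywords in the result. The following is an added example, not ESRC's code or a reproduction of the attacker's file; it assumes the encoded script appears as a single unbroken Base64 run (the exact layout is not described on the page) and judges the decoded text by a printability ratio plus a keyword list, both of which are choices made here.

```python
# Added example (not ESRC's code): hunt for Base64-encoded VBScript inside .manifest
# files, the loader technique attributed to Kimsuky above. Assumptions: the encoded
# script sits in the file as one unbroken Base64 run (the page does not describe the
# exact layout); decoded text is judged by VBScript keywords plus a printability check.
import base64
import binascii
import re
import string

B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
VBS_MARKERS = ("CreateObject", "WScript", "Execute", "MsgBox", "Dim ", "Set ")
PRINTABLE = set(string.printable)


def decode_if_text(blob: str):
    """Decode a Base64 run; return the text if it is mostly printable, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if not text or sum(c in PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text


def find_encoded_vbscript(manifest_text: str) -> list:
    """Return the decoded script for every Base64 run that looks like VBScript."""
    hits = []
    for m in B64_RUN.finditer(manifest_text):
        text = decode_if_text(m.group(0))
        if text and any(marker in text for marker in VBS_MARKERS):
            hits.append(text)
    return hits


# Constructed sample: a harmless VBScript line, Base64-encoded and dropped into an
# XML comment inside an otherwise ordinary-looking manifest. The layout is invented.
_SAMPLE_SCRIPT = 'Dim msg: msg = "constructed sample": WScript.Echo msg'
_ENCODED = base64.b64encode(_SAMPLE_SCRIPT.encode()).decode()
SAMPLE_MANIFEST = (
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n'
    "<!-- " + _ENCODED + " -->\n"
    "</assembly>\n"
)
# Constructed clean manifest for contrast: no long Base64 runs at all.
CLEAN_MANIFEST = (
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">\n'
    '<assemblyIdentity name="Example.App" version="1.0.0.0" type="win32"/>\n'
    "</assembly>\n"
)

if __name__ == "__main__":
    for script in find_encoded_vbscript(SAMPLE_MANIFEST):
        print("encoded VBScript found:", script)
    print("clean manifest hits:", find_encoded_vbscript(CLEAN_MANIFEST))
```

The printability check keeps random binary that happens to be valid Base64 (certificate data, embedded icons) from being reported, and the keyword list is where a team would tune for its own environment. If the encoded payload is wrapped across lines, the Base64 runs need to be joined before `find_encoded_vbscript` sees them; that pre-processing step is not included here.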
Additionally, the attack infrastructure features URLs consistent with past Kimsuky operations. Several C2 URLs observed in this campaign include:
- 103.149.98.231/pprb/0304_pprb/d.php?newpa=comline
- rem.zoom-meeting[.]kro.kr/0829_pprb/d.php?na=view
- mem.mcgnu[.]kro.kr/0821_pprbss/d.php?na=app
Given Kimsuky’s known interest in South Korean political affairs, organizations involved in reunification initiatives should exercise extreme caution when downloading documents from online sources.