Unmasking Kimsuky’s Latest Tactics: A Deep Dive into Malicious Scripts and Payloads
do son 
Recently, K7 Labs provided an insightful analysis of a campaign attributed to the North Korean APT group Kimsuky, also known as “Black Banshee”. This analysis sheds light on the group’s latest tactics involving malicious scripts and payloads.
Kimsuky, believed to be state-sponsored and active since at least 2012, has a history of targeting countries like South Korea, Japan, and the U.S.. Their modus operandi typically involves phishing, malware infections (including RATs, backdoors, and wiper malware), supply chain attacks, lateral movement within networks, and data exfiltration. The recent analysis from K7 Labs delves into the infection chain and provides a detailed examination of the payloads used in their latest attack.
The initial indicators of compromise (IOCs) for this attack were shared via a tweet, pointing to a ZIP file containing the malicious payloads. Inside this archive, researchers at K7 Labs discovered four files: a VBScript, a PowerShell script, and two encoded text files. According to the analysis, “These encoded text files contain obfuscated data, which, with further analysis, could provide crucial insights into the malware’s behaviour and objectives“.
The VBScript (1.vbs) employs obfuscation techniques using the chr() and CLng() functions to dynamically generate characters and execute commands. This method helps the script bypass signature-based detection mechanisms, allowing it to remain hidden during execution. Ultimately, the generated characters form a command that likely executes the PowerShell script (1.ps1), passing one of the encoded text files (1.log) as an argument.
The PowerShell script (1.ps1) further decodes base64-encoded data found within the 1.log file and executes the resulting script. Notably, the script collects the BIOS serial number of the compromised system, using it to create a unique directory within the system’s temporary folder for storing attack-related files. Interestingly, the script also checks if it’s running within a VMware environment. If so, it deletes all associated files and terminates execution, suggesting an attempt to evade analysis.
The analysis highlights that the 1.ps1 script contains eleven functions that outline the malware’s subsequent operations. These functions are central to the attack, enabling data exfiltration, cryptocurrency information theft, and communication with a Command-and-Control (C2) server. One of these functions, UploadFile(), is designed to upload exfiltrated data to the server in 1MB chunks via HTTP POST requests, ensuring the ability to handle large files. Another function, GetBrowserData(), focuses on extracting user profile data from popular web browsers like Edge, Firefox, Chrome, and Naver Whale, including cookies, login information, bookmarks, and web data.
The second encoded text file (2.log), after decoding, reveals a script designed for keylogging. This script imports necessary Windows API functions to monitor keystrokes, capture window titles, and manage keyboard states. It actively monitors the clipboard, logs keystrokes, and records window titles, saving this information to a file named k.log. As the analysis points out, “Malicious activities by this stealer discussed here could be considered the groundwork to understand the victim and the further C2 commands from the attacker could cause further damage“.
The K7 Labs analysis underscores the evolving nature of cyber threats, with actors like Kimsuky employing “time consuming, interlinked multi component based” techniques to enhance their evasiveness. This particular campaign demonstrates a focus on network-related information, potentially for active reconnaissance.
