Kimsuky Group Uses ADS to Conceal Malware

AhnLab Security Emergency response Center (ASEC) has discovered that the Kimsuky group is using Alternate Data Stream (ADS) to hide their malware.

This malware is an Infostealer that collects data by starting the VBScript included inside an HTML file. It can be characterized by its tendency to add the actual code between numerous dummy codes.

Figure 1. Part of the initially executed script

The following commands are executed in the terminal to collect and transmit data.  

  1. hostname
  2. systeminfo
  3. net user
  4. query user
  5. route print
  6. ipconfig /all
  7. arp -a
  8. netstat -ano
  9. tasklist
  10. tasklist /svc
  11. "cmd.exe" /c dir C:\Program Files
  12. "cmd.exe" /c dir "C:\Program Files (x86)"
  13. "cmd.exe" /c dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
  14. "cmd.exe" /c dir "C:\Users\Unknown\AppData\Roaming\Microsoft\Windows\Recent"

Additionally, the HEX-encoded data is decoded and saved as “.Uso2Config.conf” in the “C:\ProgramData\Uso2” directory, after which a scheduled task is registered that repeats every minute indefinitely.

The decoded file is a persistence script that connects to the C2 and executes an additional script. However, when “.Uso2Config.conf” is saved, “:honeyT” is appended to the filename, which creates an ADS.

Figure 2. ADS Stream creation (part of the code with the dummy codes removed)

Figure 3. Registered scheduler

When the file is saved this way, its size appears as 0 bytes in a directory listing.

Figure 4. File created in a certain path

However, the actual file size and filename can be confirmed by using the “dir /r” command in the Command Prompt terminal, and the “more” command can be used to check the contents of the file.
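As an added hunting example (not code from the ASEC post), the following PowerShell enumerates alternate data streams under C:\ProgramData, the directory the post names, and flags files that look empty to “dir” but carry a non-default stream; the stream name “honeyT” comes from the post, while the Zone.Identifier exclusion and the output format are assumptions.

```powershell
# Added hunting example (not from the ASEC post): list alternate data streams
# under a directory and flag files that show 0 bytes in 'dir' but carry a
# non-default stream, the pattern the post describes for .Uso2Config.conf.
# Root path and the stream name 'honeyT' are taken from the post.
param(
    [string]$Root = 'C:\ProgramData',
    [string[]]$KnownStreams = @('honeyT')   # indicator stream name from the post
)

$findings = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns every stream, including the default ':$DATA'
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path           = $file.FullName
                    DefaultSize    = $file.Length      # what a plain 'dir' shows
                    Stream         = $_.Stream
                    StreamSize     = $_.Length         # what 'dir /r' reveals
                    KnownIndicator = ($KnownStreams -contains $_.Stream)
                }
            }
    }

# Zone.Identifier is the common benign ADS (mark-of-the-web); assumption: skip it.
# A 0-byte file carrying any other stream, or a stream name matching the
# reported indicator, is what we want to look at.
$suspicious = $findings | Where-Object {
    $_.Stream -ne 'Zone.Identifier' -and ($_.DefaultSize -eq 0 -or $_.KnownIndicator)
}

$suspicious | Format-Table -AutoSize

# Read the flagged streams for triage; Get-Content -Stream reads the ADS
# directly, the same check the post performs with 'more' in the terminal.
foreach ($hit in $suspicious) {
    Write-Host "`n=== $($hit.Path):$($hit.Stream) ($($hit.StreamSize) bytes) ==="
    Get-Content -LiteralPath $hit.Path -Stream $hit.Stream -ErrorAction SilentlyContinue |
        Select-Object -First 20
}
```

Run it from an elevated prompt so hidden and ACL-restricted directories under the root are included in the scan.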

Figure 5. Actual contents of the file

This method was also used by the Magniber ransomware in the past and was covered in the ASEC Blog post “Changes to the Magniber Ransomware’s File Creation Method (File Concealment)”.

As attack methods are changing continuously with each passing day, users are strongly advised to exercise extra caution.

[File Detection]
Downloader/VBS.Kimsuky.S1997 (2023.03.14.00)

[IOC]

MD5
EC3C0D9CBF4E27E0240C5B5D888687EC
ACA61A168D95C5F72B8E02650F727000

C2
zetaros.000webhostapp[.]com

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Kimsuky Group Uses ADS to Conceal Malware appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/50625/