Kimsuky Malware Using DropBox

2024-03-22 Hauri (Document No: DT-20240322-001)

https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=60

Attachments

2024-03-22 [Korean filename prefix unrecoverable from the mis-encoded extraction] DropBox를 이용한 Kimsuky 악성코드.pdf (1 MB)

Hauri reports that Kimsuky has been distributing malicious Windows shortcut (LNK) files since December 2023, targeting security-related organizations and cryptocurrency investors, with a focus on information theft. The LNK execution chain runs PowerShell, uses Dropbox refresh and access tokens to retrieve encrypted payloads such as /step1/ps.bin, decrypts and executes the staged scripts, and establishes persistence through scheduled tasks that run every 10 minutes. The malware collects process and service lists, system information, firewall settings, installed antivirus products, and file listings from user folders, then AES-encrypts the results and uploads them to attacker-controlled Dropbox paths. Later stages include keylogging, browser credential theft, retrieval of payloads hosted on Google Drive, and deployment of UltraVNC together with a firewall rule allowing port 5900 for remote control. The report provides multiple MD5 hashes for the LNK lures and related files, making it useful for tracking Kimsuky's cloud-storage-based delivery and post-compromise collection tradecraft.

Indicators of Compromise

