Malicious Batch File (*.bat) Disguised as a Document Viewer Being Distributed (Kimsuky)

2023-07-10 AhnLab

https://asec.ahnlab.com/en/55219/


Based on the function names used by the malware and the download URL parameters, the malware is suspected to have been distributed by the Kimsuky group. It checks which anti-malware processes, including AhnLab products, are running in the user’s environment and downloads different scripts depending on the type of process it finds. Although the exact distribution path has not been confirmed, the malware appears to be distributed via email.

Indicators of Compromise

