Malware Disguised as HWP Document File (Kimsuky)
2023-06-23 • AhnLab
Because the wording used in the malware and in the executed script code resembles that of previously analyzed samples, the same threat group (Kimsuky) is suspected of also being the creator of this malware. Both the script hosted at the above URL and the scripts it subsequently executes perform functions such as user credential theft and keylogging, which is consistent with the findings in the <Analysis Report on Malware Distributed by the Kimsuky Group>. The message contains North Korean dialect, as shown in Figure 4 below. Given that this type of malware continues to be detected in distribution, users are advised to exercise extra caution.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 8133c5f663f89b01b30a052749b5a988 | 2023-06-16 | 2024-04-17 |
| DOMAIN | well-story.co.kr | 2023-06-16 | 2024-04-17 |
| HASH | 91029801f6f3a415392ccfee8226be67 | 2023-06-16 | 2023-08-16 |
| HASH | 73174c9d586531153a5793d050a394a8 | 2023-06-16 | 2023-08-16 |
| HASH | f05991652398406655a6a5eebe3e5f3a | 2023-06-16 | 2023-06-23 |
| HASH | ec1b518541228072eb75463ce15c7bce | 2023-06-16 | 2023-06-23 |
| URL | http://well-story.co.kr/adm/inc… | 2023-06-16 | 2023-06-23 |
| URL | http://well-story.co.kr/adm/inc… | 2023-06-16 | 2023-06-23 |
| URL | http://well-story.co.kr/adm/inc… | 2023-06-16 | 2023-06-23 |
| URL | http://well-story.co.kr/adm/inc… | 2023-06-16 | 2023-06-23 |
| URL | http://well-story.co.kr/adm/inc… | 2023-06-16 | 2023-06-23 |
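The following is an added example of how a defender might sweep logs against the IoCs in the table above; it is not code from AhnLab or from this report. The MD5 values and the domain are copied from the table; the proxy log lines, the hash-report lines and the file path in them are constructed for the example. The domain check matches the domain itself and its subdomains label-wise rather than by substring, so lookalike hosts such as `notwell-story.co.kr` or `well-story.co.kr.example.net` do not produce false hits.

```python
import hashlib
import re

# MD5 hashes and the C2 domain taken from this report's IoC table.
KIMSUKY_MD5 = {
    "8133c5f663f89b01b30a052749b5a988",
    "91029801f6f3a415392ccfee8226be67",
    "73174c9d586531153a5793d050a394a8",
    "f05991652398406655a6a5eebe3e5f3a",
    "ec1b518541228072eb75463ce15c7bce",
}
KIMSUKY_DOMAINS = {"well-story.co.kr"}


def domain_matches(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.

    Matching is done on DNS labels (exact or ".<ioc>" suffix), not on raw
    substrings, so "notwell-story.co.kr" does not match.
    """
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in KIMSUKY_DOMAINS)


def host_from_url(url: str) -> str:
    """Extract the host from an absolute URL or a CONNECT-style host:port."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    if m:
        return m.group(1)
    return url.split("/")[0].split(":")[0]


def scan_proxy_log(lines):
    """Scan Squid-style access log lines (7th field is the URL).

    Returns a list of (line_number, host) for hosts matching the IoC domains.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue
        host = host_from_url(fields[6])
        if domain_matches(host):
            hits.append((n, host))
    return hits


def scan_hash_report(lines):
    """Scan md5sum-style lines ('<md5>  <path>') for IoC hashes.

    Hash comparison is case-insensitive. Returns a list of (path, md5).
    """
    hits = []
    for line in lines:
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1]
        if digest in KIMSUKY_MD5:
            hits.append((path, digest))
    return hits


def md5_of(data: bytes) -> str:
    """MD5 hex digest of raw file contents, for building a hash report locally."""
    return hashlib.md5(data).hexdigest()


# Constructed sample proxy log (Squid native format); not real traffic.
SAMPLE_PROXY_LOG = [
    "1686902400.001    120 10.0.0.5 TCP_MISS/200 5120 GET https://update.example.com/patch - HIER_DIRECT/203.0.113.9 text/html",
    "1686902401.337     88 10.0.0.7 TCP_MISS/200 2048 GET http://well-story.co.kr/ - HIER_DIRECT/203.0.113.20 text/html",
    "1686902402.002     90 10.0.0.7 TCP_MISS/200 1024 GET http://www.well-story.co.kr/ - HIER_DIRECT/203.0.113.20 text/html",
    "1686902403.110     95 10.0.0.7 TCP_TUNNEL/200 3000 CONNECT well-story.co.kr:443 - HIER_DIRECT/203.0.113.20 -",
    "1686902404.500     75 10.0.0.9 TCP_MISS/200 1024 GET http://well-story.co.kr.example.net/ - HIER_DIRECT/203.0.113.30 text/html",
    "1686902405.600     70 10.0.0.9 TCP_MISS/200 1024 GET http://notwell-story.co.kr/ - HIER_DIRECT/203.0.113.31 text/html",
]

# Constructed md5sum-style report; the path and the uppercase hash are hypothetical.
SAMPLE_HASH_REPORT = [
    "8133C5F663F89B01B30A052749B5A988  C:\\Users\\user\\Downloads\\doc.hwp.exe",
    "d41d8cd98f00b204e9800998ecf8427e  C:\\Users\\user\\Downloads\\empty.txt",
]

if __name__ == "__main__":
    for n, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy log line {n}: contact with IoC domain {host}")
    for path, digest in scan_hash_report(SAMPLE_HASH_REPORT):
        print(f"IoC hash {digest} found at {path}")
```

Run against a real proxy export and an md5sum listing of the files to be checked; CONNECT lines are handled so TLS-tunnelled contact with the domain is not missed, and the lookalike hosts in the sample are deliberately left unmatched.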