Malware Disguised as Normal Documents (Kimsuky)
2023-02-15 • AhnLab
AhnLab reported Kimsuky document malware distributed beyond security-related targets to broadcasting and ordinary corporate users. The lures used DOCX filenames such as questionnaires, cover letters, and planning documents, then relied on template injection to download malicious Word macro templates from compromised Korean websites. When macros ran, a batch file used curl to fetch a decoy document and VBS payload, which collected system, antivirus, recent Word-file, download-directory, process, and IE registry information before registering persistence through Task Scheduler. Representative infrastructure included gdtech[.]kr, ddim.co[.]kr, and hydrotec.co[.]kr paths serving init.dotm, state.dotm, list.php, and show.php components.
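The template-injection stage described above leaves a static trace in the document itself: the `.docx` package declares an `attachedTemplate` relationship in `word/_rels/settings.xml.rels` whose target is a URL rather than a local template path. The following Python scanner is an added example for this summary (not code from the AhnLab report); it parses that relationship file, distinguishes remote targets (HTTP, UNC, remote `file://`) from the normal local `Normal.dotm`, and matches the target host against the domains listed in the IoC table below. The sample `.docx` it builds, the `.invalid` host and the placeholder paths are constructed for the demonstration.

```python
"""Scan a .docx for remote template injection (the technique used by the lures above).

Added example for this summary, not code from the AhnLab report. The sample document,
the .invalid host and the placeholder paths are constructed for the demonstration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Domains from the IoC table of this report (hosts that served the .dotm templates).
REPORTED_TEMPLATE_HOSTS = {"gdtech.kr", "ddim.co.kr", "hydrotec.co.kr", "jooshineng.com"}


def is_remote_target(target: str) -> bool:
    """True if Word would fetch this template over the network rather than from local disk."""
    if target.startswith("\\\\"):          # UNC path \\server\share\x.dotm
        return True
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https", "ftp"):
        return True
    # file://server/share/... is remote; file:///C:/Users/... is a local template (the normal case)
    return parsed.scheme == "file" and bool(parsed.netloc)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the remote attachedTemplate targets declared in a .docx (empty list if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits                     # no settings relationships: nothing to attach
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            target = rel.get("Target", "")
            if rel.get("Type") == ATTACHED_TEMPLATE and is_remote_target(target):
                hits.append(target)
    return hits


def triage(docx_bytes: bytes) -> dict:
    """Summarise the finding: remote template targets plus any host matching the report's IoCs."""
    targets = find_remote_templates(docx_bytes)
    hosts = {urlparse(t).hostname for t in targets if urlparse(t).hostname}
    hosts = {h[4:] if h.startswith("www.") else h for h in hosts}   # normalise www. prefix
    return {
        "remote_template": bool(targets),
        "targets": targets,
        "ioc_match": sorted(hosts & REPORTED_TEMPLATE_HOSTS),
    }


def build_sample_docx(template_target: str = None) -> bytes:
    """Construct a minimal .docx in memory (sample data for this example, not a real lure).

    If template_target is given, it is attached exactly the way template injection does it:
    an attachedTemplate relationship with TargetMode="External" in settings.xml.rels.
    """
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml",
                    f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        if template_target is not None:
            zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: template pulled from a host that does not exist.
    print(triage(build_sample_docx("http://template-host.invalid/adm/init.dotm")))
```

Run it against a mail-gateway quarantine or a sample share and treat any `remote_template: True` as worth a look regardless of `ioc_match`: the hosting sites in this campaign were compromised Korean websites and rotate, so the presence of a network-fetched template is the durable signal, while the domain match only confirms overlap with this specific report.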
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 55a46a2415d18093abcd59a0bf33d0a9 | 2023-02-03 | 2023-10-30 |
| DOMAIN | jooshineng.com | 2023-02-03 | 2023-10-30 |
| HASH | 83b4d96fc75f74bb589c28e8a9eddbbf | 2023-02-03 | 2023-02-15 |
| HASH | 705ef00224f3f7b02e29f21eb6e10d02 | 2023-02-03 | 2023-02-15 |
| HASH | 873b2b0656ee9f6912390b5abc32b276 | 2023-02-03 | 2023-02-15 |
| URL | http://jooshineng.com/gnuboard4… | 2023-02-03 | 2023-02-15 |
| URL | http://www.hydrotec.co.kr/bbs/i… | 2023-02-03 | 2023-02-15 |
| URL | http://gdtech.kr/gnuboard4/adm/… | 2023-02-03 | 2023-02-15 |
| URL | http://www.hydrotec.co.kr/bbs/i… | 2023-02-03 | 2023-02-15 |
| URL | http://ddim.co.kr/gnuboard4/adm… | 2023-02-03 | 2023-02-15 |
| URL | http://gdtech.kr/gnuboard4/adm/… | 2023-02-03 | 2023-02-15 |
| URL | http://ddim.co.kr/gnuboard4/adm… | 2023-02-03 | 2023-02-15 |
| URL | http://www.hydrotec.co.kr/bbs/i… | 2023-02-03 | 2023-02-15 |
| URL | http://gdtech.kr/gnuboard4/adm/… | 2023-02-03 | 2023-02-15 |
| URL | http://gdtech.kr/gnuboard4/adm/… | 2023-02-03 | 2023-02-15 |
| DOMAIN | ddim.co.kr | 2023-02-03 | 2023-02-15 |
| DOMAIN | gdtech.kr | 2023-02-03 | 2023-02-15 |