Keylogger Installed via the MS Office Equation Editor Vulnerability (Kimsuky)
2024-05-29 • Ahnlab • Trojan/VBS.Agent.SC198696 (2024.03.29.00)
Kimsuky abused the Microsoft Office Equation Editor vulnerability CVE-2017-11882 to deliver keylogger malware against Korean targets. The report describes mshta execution of a malicious error.php page, PowerShell retrieval of follow-on payloads from command-and-control infrastructure, persistence via a Run key named Clear Web History, and staging under the Users\Public\Pictures path.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 279c86f3796d14d2a4d89049c2b3fa2d | 2024-05-29 | 2024-06-13 |
| HASH | 5bfeef520eb1e62ea2ef313bb979aeae | 2024-05-29 | 2024-06-13 |
| HASH | d404ab9c8722fc97cceb95f258a2e70d | 2024-05-29 | 2024-06-13 |