Attack Chain

1. Kimsuky initiates the attack by sending spear-phishing emails or contacting targets via messengers.
2. The initial contact leads to the delivery of a malicious attachment disguised as a document, such as a compressed file.
3. The attachments contain droppers in formats like .JSE, .EXE, .PIF, or .SCR, with filenames designed to entice the recipient to open them.
4. JSE droppers decode Base64-encoded blobs, including a benign lure file and malicious code, storing them in locations like C:\ProgramData with random filenames.
5. The benign lure file is opened to deceive the user, while the malicious payload uses powershell.exe -windowstyle hidden certutil -decode [src path] [dst path] for further decoding.
6. The final payload is executed via command-line instructions, such as regsvr32.exe /s [file path] or rundll32.exe [file path] [export function].
7. Reger Dropper (.SCR) and Pidoc Dropper (.PIF) decrypt their payloads using XOR operations before deploying files in directories like %temp% or C:\ProgramData.
8. Post-exploitation, Kimsuky uses legitimate tools like Visual Studio Code (VSCode) and DWAgent for remote access and control, ultimately aiming to establish backdoors and steal information from the compromised systems.

Impact

Kimsuky primarily targets South Korean entities, including both public and private sectors. The PebbleDash cluster has also been observed targeting the medical, military, and defense industries worldwide, with compromises of Brazilian and South Korean defense organizations, as well as a German defense firm. A successful attack leads to the establishment of backdoors, data theft, and potential disruption of critical services. In 2024, the South Korean government released a security advisory regarding the AppleSeed cluster, demonstrating the significant impact of these attacks.

Recommendation

• Monitor process creation events for the execution of regsvr32.exe or rundll32.exe from unusual locations like %temp% or C:\ProgramData (see Attack Chain step 6) to detect potential malware execution. Deploy the Sigma rule “Detect Suspicious Regsvr32/Rundll32 Execution from Unusual Locations” to your SIEM and tune for your environment.
• Implement detections for JSE droppers decoding and executing payloads via powershell.exe and certutil.exe. Deploy the Sigma rule “Detect JSE Dropper with Certutil and Powershell” to your SIEM and tune for your environment.
• Monitor for the execution of legitimate tools such as VSCode or DWAgent from unexpected locations or with unusual command-line arguments, indicating potential post-exploitation activity (see Attack Chain step 8).
• Scan your environment for the MD5 hashes listed in the IOC table to identify potentially compromised systems.
• Educate users about the risks of opening attachments from untrusted sources and verify the legitimacy of files before opening them, especially those disguised as documents or application installers (see Attack Chain step 2).