[Malware] Kimsuky group's resume impersonation malware

04 Mar 2020 | Tags: 악성코드, 김수키, 북한, APT, hwp, malware, kimsuky, north korea, english

Malware disguised as a resume


This malware is one of the variants used in the APT campaign that the Kimsuky group has been running against South Korea. This variant, created on February 27, 2020, is a file named “이력서 양식.hwp.scr” (“resume sample.hwp.scr” in English). It looks like an HWP document, but .scr is the screen-saver extension, and .scr files execute just like an .exe. When it is run, the script executes and a Hangul (HWP) document containing a real resume form is opened, as shown below.

[Figure: the decoy resume form opened in Hangul]

Analysis


MD5: 47c95f19ebd745d588bb208ff89c90ba

It is a fairly complex piece of malware that cannot easily be analyzed statically, so I based the analysis on its behavior. When executed, it performs the following actions:

Create files


  1. C:\Users\[User]\AppData\Local\Temp\이력서 양식.hwp
  2. C:\Users\[User]\AppData\Local\Temp\654A.tmp.db
  3. C:\Users\[User]\AppData\Local\Temp\67DB.tmp.bat
  4. C:\Users\[User]\AppData\Local\Temp\65E7.tmp.bat
  5. C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll

### 이력서 양식.hwp

After execution, the .scr file is replaced by this .hwp file. It is the actual resume form document.

### 654A.tmp.db

Despite the extension, this file is a DLL; it is injected into explorer.exe.

### 67DB.tmp.bat

Batch script that deletes the original executable (the .scr file).

### 65E7.tmp.bat

Batch script that deletes the 654A.tmp.db file.

### AutoUpdate.dll

Despite the extension, this file is an EXE. It performs the actual malicious behavior: connecting to the C&C server, tampering with the registry, and injecting into explorer.exe.
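The drop list above shows three things a triage script can check mechanically: a document extension in front of an executable one (.hwp.scr), a PE image hiding behind a non-executable extension (.tmp.db holding a DLL, AutoUpdate.dll holding an EXE), and a binary written into a Defender-looking folder under the user's Roaming profile. The following is an added example, not code from the original post or from the analysis sandbox. It also shows why a non-Korean sandbox renders the decoy's name as mojibake and how to recover it. The PE headers, file heads and the path `C:\Users\victim\...` are constructed sample data; the assumption that no legitimate Defender component lives under a Roaming profile is the author's of this example, not the post's.

```python
from pathlib import PureWindowsPath

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images

# Drop directory named in the write-up. Assumption (not from the post): no
# legitimate Defender component is installed under a user's Roaming profile.
SUSPICIOUS_DROP_DIRS = ("\\appdata\\roaming\\microsoft\\windows\\defender\\",)
DOC_EXTS = {".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".scr", ".exe", ".com", ".pif"}
PE_EXTS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}


def recover_cp949_name(mojibake: str) -> str:
    """Undo a CP949 (Korean) filename that a non-Korean sandbox rendered as Latin-1."""
    return mojibake.encode("latin-1").decode("cp949")


def is_double_extension_lure(path: str) -> bool:
    """True for names like 'resume.hwp.scr': a document extension in front of an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and suffixes[-1] in EXEC_EXTS


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None from the MZ/PE headers, ignoring the file extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The COFF file header follows the 4-byte signature; Characteristics is its last WORD.
    characteristics = int.from_bytes(data[e_lfanew + 22:e_lfanew + 24], "little")
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def triage(path: str, head: bytes) -> list:
    """Findings for one dropped file, from its path and its first bytes."""
    findings = []
    ext = PureWindowsPath(path).suffix.lower()
    if is_double_extension_lure(path):
        findings.append("double-extension lure")
    kind = pe_kind(head)
    if kind and ext not in PE_EXTS:
        findings.append(f"PE ({kind}) hiding behind {ext or 'no'} extension")
    elif (kind == "exe" and ext == ".dll") or (kind == "dll" and ext == ".exe"):
        findings.append(f"extension says {ext}, PE header says {kind}")
    if kind and any(d in path.lower() for d in SUSPICIOUS_DROP_DIRS):
        findings.append("PE dropped into a fake Defender directory")
    return findings


def fake_pe(dll: bool) -> bytes:
    """Constructed minimal MZ/PE header (not a real binary) to exercise pe_kind()."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    flags = 0x0002 | (IMAGE_FILE_DLL if dll else 0)    # EXECUTABLE_IMAGE, plus DLL if asked
    buf[0x40 + 22:0x40 + 24] = flags.to_bytes(2, "little")
    return bytes(buf)


# Constructed sample: the drop list from the write-up with fabricated file heads.
SAMPLE_DROPS = [
    (r"C:\Users\victim\AppData\Local\Temp\이력서 양식.hwp", b"HWP Document File"),
    (r"C:\Users\victim\AppData\Local\Temp\654A.tmp.db", fake_pe(dll=True)),
    (r"C:\Users\victim\AppData\Local\Temp\67DB.tmp.bat", b"@echo off\r\n"),
    (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll", fake_pe(dll=False)),
    (r"C:\Users\victim\Downloads\이력서 양식.hwp.scr", fake_pe(dll=False)),
]


def triage_all(drops=SAMPLE_DROPS) -> dict:
    """Map each path to its findings, skipping files with none."""
    result = {}
    for path, head in drops:
        findings = triage(path, head)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    sandbox_name = "이력서 양식.hwp".encode("cp949").decode("latin-1")
    print(repr(sandbox_name), "->", recover_cp949_name(sandbox_name))
    for path, findings in triage_all().items():
        print(path, findings)
```

Reading the PE Characteristics word rather than trusting the extension is what separates the .tmp.db DLL from a harmless temp file, and it is the same check that exposes AutoUpdate.dll as an EXE.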

Network connections


http://suzuki.datastore.pe.hu (45.13.135.103:80): the sample attempts to connect to the C&C server.

Additional malicious files are downloaded through http://suzuki.datastore.pe.hu//?m=a&p1=5254004a04af&p2=win_6.1.7601-x32_DROPPER.

The p1 parameter carries the MAC address of the infected host, and p2 carries the Windows version.

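Because the beacon encodes the host's MAC address and Windows version in a fixed query shape, a proxy-log scan can flag it both by the known host and by the shape of the query alone, which still fires when the operators move to a new domain. The following is an added example, not part of the original post: the log line format (`<timestamp> <client> <method> <url> <status>`), the client addresses and the second and third URLs are constructed; only the first URL and the C&C host come from the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C&C host named in the write-up.
KNOWN_C2_HOSTS = {"suzuki.datastore.pe.hu"}
MAC_RE = re.compile(r"^[0-9a-f]{12}$")
WINVER_RE = re.compile(r"^win_\d+\.\d+\.\d+-x(?:32|64)_[A-Z]+$")


def parse_beacon(url: str):
    """Decode a ?m=..&p1=<mac>&p2=win_<ver>-x<bits>_<STAGE> query; None if the shape differs."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if not all(k in q for k in ("m", "p1", "p2")):
        return None
    p1, p2 = q["p1"][0].lower(), q["p2"][0]
    if not MAC_RE.match(p1) or not WINVER_RE.match(p2):
        return None
    version, stage = p2[len("win_"):].rsplit("_", 1)
    return {
        "host": parts.hostname,
        "m": q["m"][0],
        "mac": ":".join(p1[i:i + 2] for i in range(0, 12, 2)),
        "winver": version,
        "stage": stage,
    }


def scan_proxy_log(lines) -> list:
    """Alerts for constructed proxy lines: '<ts> <client> <method> <url> <status>'."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        beacon = parse_beacon(url)
        host = urlsplit(url).hostname
        if host in KNOWN_C2_HOSTS:
            reason = "known C2 host"
        elif beacon:
            reason = "beacon-shaped query (MAC + Windows version) to unknown host"
        else:
            continue
        alerts.append({"ts": ts, "client": client, "host": host,
                       "reason": reason, "beacon": beacon})
    return alerts


# Constructed sample log. Line 1 carries the URL from the write-up; the others are made up.
SAMPLE_LOG = [
    "2020-02-27T10:02:11Z 10.0.0.15 GET http://suzuki.datastore.pe.hu//?m=a&p1=5254004a04af&p2=win_6.1.7601-x32_DROPPER 200",
    "2020-02-27T10:02:13Z 10.0.0.15 GET http://update.example.com/catalog.xml 200",
    "2020-02-27T10:05:40Z 10.0.0.22 GET http://cdn.example.invalid/?m=a&p1=001122334455&p2=win_10.0.18362-x64_DROPPER 404",
]


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["host"], alert["reason"], alert["beacon"])
```

The decoded p1 from the captured URL is 52:54:00:4a:04:af; the 52:54:00 prefix is the locally administered range QEMU/KVM assigns by default, which is consistent with the capture having come from a virtual machine rather than a physical victim. The p2 value, win_6.1.7601-x32, likewise identifies the sandbox as 32-bit Windows 7 SP1.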

Registry tampering


AutoUpdate.dll is registered with regsvr32.exe and set to run every time the computer starts.

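regsvr32.exe is a signed Windows binary, so the signal is not the process itself but what it is asked to load and from where: a module under a user-writable path such as AppData, launched silently, and then re-launched at startup. The following is an added example, not code from the original post: it scores process-creation events using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage) and scans autorun values. The events, the HKCU Run entry and the parent process are constructed; the write-up names regsvr32.exe and the AutoUpdate.dll path but does not say which registry location or parent process is used.

```python
import re
import shlex

# Locations a standard user can write to. A module regsvr32 registers from one
# of these, or a parent running from one, is worth a look.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)


def split_windows_cmdline(cmdline: str) -> list:
    """Tokenize a Windows command line; posix=False keeps backslashes literal."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def regsvr32_findings(event: dict) -> list:
    """Findings for one process-creation event (Sysmon Event ID 1 style field names)."""
    if not event["Image"].lower().endswith("\\regsvr32.exe"):
        return []
    tokens = split_windows_cmdline(event["CommandLine"])
    modules = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
    findings = []
    for mod in modules:
        if USER_WRITABLE_RE.search(mod):
            findings.append(f"regsvr32 registering module from user-writable path: {mod}")
    if findings and "/s" in (t.lower() for t in tokens):
        findings.append("silent (/s) registration, no dialog for the user to notice")
    parent = event.get("ParentImage", "")
    if USER_WRITABLE_RE.search(parent):
        findings.append(f"launched by a parent running from user-writable path: {parent}")
    return findings


def autorun_findings(entries) -> list:
    """Flag autorun values, given as (key, name, data) tuples, that re-register a module via regsvr32."""
    out = []
    for key, name, data in entries:
        if "regsvr32" in data.lower() and USER_WRITABLE_RE.search(data):
            out.append(f"{key}\\{name}: {data}")
    return out


# Constructed sample events: the first mirrors the write-up's registration, the second is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll"',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\이력서 양식.hwp.scr"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Common Files\vendor\widget.ocx"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

# Constructed autorun entries; the Run key is an assumption, the post does not name the key.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "AutoUpdate",
     r'regsvr32.exe /s "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorTray",
     r'"C:\Program Files\vendor\tray.exe" /background'),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", regsvr32_findings(ev))
    print(autorun_findings(SAMPLE_AUTORUNS))
```

Matching on the module path rather than on the process name keeps legitimate installer-driven registrations (the second event) out of the alert queue.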

Injecting to explorer.exe


AutoUpdate.dll, registered through regsvr32.exe, injects into explorer.exe. The execution graph is as follows (source: app.any.run):

[Figure: process execution graph from app.any.run]

A memory dump of explorer.exe shows the malicious code inserted inside the process:

[Figures: explorer.exe memory dump showing the injected code]
