A sophisticated cyberattack campaign attributed to the North Korean Advanced Persistent Threat (APT) group Kimsuky has been observed using new tactics and malicious scripts. The attack revolves around a ZIP file containing multiple components designed to steal sensitive information from targeted systems while maintaining stealth. The attack chain begins with obfuscated scripts that eventually deploy a keylogger and a cryptocurrency information stealer. The initial payload consists of four files: a heavily obfuscated VBScript (1.vbs), a PowerShell script (1.ps1), and two encoded text files (1.log and 2.log) that contain the actual malware components. K7 Security Labs researchers identified that the VBScript employs sophisticated obfuscation techniques, using the chr() and CLng() functions to dynamically generate characters and execute commands. This technique helps the script evade signature-based detection while it prepares to execute the PowerShell component. The infection mechanism involves multiple specialized functions that perform a variety of malicious activities.

Upon execution, the malware collects the BIOS serial number of the compromised system and creates a dedicated directory within the system’s temp folder. It establishes persistence through task scheduling and continuously monitors keystrokes and clipboard content to capture sensitive information such as passwords and crypto keys. The keylogger component captures special keys and window titles, giving the attackers contextual information about the victim’s activities. The malware also targets browser data from Edge, Firefox, Chrome, and Naver Whale, specifically hunting for cryptocurrency wallets. Interestingly, the malware checks whether it is running in a VMware environment and terminates execution if one is detected, demonstrating its anti-analysis capabilities. All collected data is periodically exfiltrated to the attacker’s server, allowing the Kimsuky operators to maintain surveillance over their targets while stealing valuable credentials and cryptocurrency assets.
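As an added analyst-side example (not code from the article, from K7 Security Labs, or from the campaign itself), the following Python folds concatenated Chr(CLng(...)) chains in a VBScript back into plain string literals and flags scripts by the length of their longest chain. The sample script, the `&H` hex and decimal literal forms it handles, and the threshold of 8 calls are constructed assumptions, not indicators taken from the campaign.

```python
import re

# Integer literal as VBScript's CLng() accepts it: decimal, or hex with an &H prefix
# (optionally quoted).  Assumed forms for this example; real samples may use arithmetic.
LIT = r'(?:"?&H[0-9A-Fa-f]+"?|\d+)'
# A single Chr(...) call, with or without an inner CLng() wrapper.
CHR_SRC = rf'Chr\(\s*(?:CLng\(\s*{LIT}\s*\)|{LIT})\s*\)'
CHR_CALL = re.compile(CHR_SRC, re.IGNORECASE)
# A run of Chr(...) calls joined with VBScript's & concatenation operator.
CHAIN = re.compile(rf'{CHR_SRC}(?:\s*&\s*{CHR_SRC})*', re.IGNORECASE)

# Constructed sample, not from the real 1.vbs: one Chr(CLng(...)) chain building a COM name.
SAMPLE_VBS = (
    'Set o = CreateObject(Chr(CLng("&H57")) & Chr(CLng(83)) & Chr(CLng(99)) & '
    'Chr(CLng(114)) & Chr(CLng(105)) & Chr(CLng(112)) & Chr(CLng(116)) & Chr(CLng(46)) & '
    'Chr(CLng(83)) & Chr(CLng(104)) & Chr(CLng(101)) & Chr(CLng(108)) & Chr(CLng(108)))\n'
    'MsgBox "hello"\n'
)


def to_int(token: str) -> int:
    """Convert a decimal or &H-hex literal (quotes optional) to an int, as CLng would."""
    token = token.strip('"')
    if token[:2].upper() == "&H":
        return int(token[2:], 16)
    return int(token)


def fold_chr_chains(src: str) -> str:
    """Replace every concatenated Chr(...) chain with the string literal it builds."""
    def repl(match: re.Match) -> str:
        chars = []
        for call in CHR_CALL.finditer(match.group(0)):
            literal = re.search(LIT, call.group(0)).group(0)
            chars.append(chr(to_int(literal)))
        # Double any embedded quote so the result is still a valid VBScript literal.
        return '"' + "".join(chars).replace('"', '""') + '"'
    return CHAIN.sub(repl, src)


def obfuscation_score(src: str, threshold: int = 8) -> dict:
    """Count Chr() calls and chains; long chains are the triage signal (threshold is assumed)."""
    chains = CHAIN.findall(src)
    longest = max((len(CHR_CALL.findall(c)) for c in chains), default=0)
    return {"chr_calls": len(CHR_CALL.findall(src)), "chains": len(chains),
            "longest_chain": longest, "suspicious": longest >= threshold}


if __name__ == "__main__":
    print(obfuscation_score(SAMPLE_VBS))
    print(fold_chr_chains(SAMPLE_VBS))
```

Running the folded output through a VBScript linter or simply grepping it for CreateObject, Shell and Run calls is far more reliable than matching on the obfuscated original.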
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Mar 2025 14:00:23 +0000