North Korean APT Group Kimsuky Launches Sophisticated Cyberattack Targeting Cryptocurrency and Browser Data

Cybersecurity researchers have uncovered a new and highly advanced cyberattack campaign launched by the North Korean-linked hacker group Kimsuky. The campaign, observed in March 2025, uses deceptive phishing tactics and complex malware designed to steal sensitive information and gain long-term access to victim systems.

Kimsuky is known for targeting government agencies, think tanks, and individuals involved in foreign policy and national security. According to K7 Security Labs, the group has now improved its technical abilities by using multi-stage attacks that are harder to detect.

The attack begins when the victim receives a ZIP file containing a malicious script. Once the file is opened, the script activates an infection chain involving several hidden malware components. These components work together to gather system information, steal user data, and maintain access to the system.

The malware specifically targets cryptocurrency wallets and web browsers. It includes keylogging features to record everything the user types, such as passwords and personal messages. It also extracts login credentials, cookies, and browsing history from popular browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Naver Whale.

A key feature of the attack is a highly disguised VBScript file. This script uses advanced techniques to avoid detection, such as converting hidden code into PowerShell commands using functions like chr() and CLng(). These commands launch the next stage of the attack, which is hidden in encoded log files.
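As an added defender-side example (not code from the report or from K7 Security Labs), the Python script below rebuilds the strings that a VBScript stager hides behind chained chr()/CLng() calls, so an analyst can read the embedded PowerShell command without executing the script; the sample VBScript is constructed for illustration, not the real dropper.

```python
import re

# One chr() call in either spelling the report mentions: chr(CLng("112")) or chr(112).
# re.I because VBScript identifiers are case-insensitive.
CHR_CALL = re.compile(r'chr\s*\(\s*(?:clng\s*\(\s*"?(\d+)"?\s*\)|(\d+))\s*\)', re.I)
# Text allowed between two calls of the same run: the & operator, optionally
# followed by VBScript's " _" line continuation.
GLUE = re.compile(r'\s*&\s*(?:_\s*)?')

def decode_chr_runs(script: str, min_len: int = 3) -> list[str]:
    """Rebuild every string assembled from chr() calls chained with '&'.
    Runs shorter than min_len characters are dropped as noise."""
    runs, current, last_end = [], [], None
    for m in CHR_CALL.finditer(script):
        if last_end is not None and not GLUE.fullmatch(script[last_end:m.start()]):
            # Something other than concatenation sits between the calls: new run.
            if len(current) >= min_len:
                runs.append("".join(current))
            current = []
        code = int(m.group(1) or m.group(2))
        current.append(chr(code) if code < 0x110000 else "\ufffd")
        last_end = m.end()
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs

def triage(script: str) -> dict:
    """Summarise a script for an analyst: how many chr() calls it has, what
    they decode to, and whether any decoded string launches PowerShell."""
    decoded = decode_chr_runs(script)
    return {
        "chr_calls": len(CHR_CALL.findall(script)),
        "decoded": decoded,
        "launches_powershell": any("powershell" in s.lower() for s in decoded),
    }

# Constructed sample in the style the report describes; not the real dropper.
SAMPLE_VBS = """\
Dim cmd
cmd = chr(CLng("112")) & chr(CLng("111")) & chr(CLng("119")) & chr(CLng("101")) & _
      chr(CLng("114")) & chr(CLng("115")) & chr(CLng("104")) & chr(CLng("101")) & _
      chr(CLng("108")) & chr(CLng("108")) & chr(32) & chr(45) & chr(119) & chr(32) & _
      chr(104) & chr(105) & chr(100) & chr(100) & chr(101) & chr(110)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VBS))
```

A high chr() count together with a decoded run containing "powershell" is a cheap triage signal for scripts of this kind; the decoded strings also give the indicators to search for in process-creation logs.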

The PowerShell script collects the BIOS serial number of the infected computer to create a unique ID and checks whether the system is running in a virtual machine, an environment researchers commonly use to analyze malware safely. If it detects a virtual machine, the malware shuts itself down to avoid being analyzed.

Researchers found that the malware contains eleven specialized functions. These allow it to upload stolen data, extract browser and wallet information, and create scheduled tasks to stay active on the infected device. It targets over 30 cryptocurrency wallets, including MetaMask, Trust Wallet, and Tron, and copies critical database files that may include access keys and transaction details.

After collecting all the data, the malware compresses it into a ZIP file named “init.dat” to make it look harmless. It then sends the file to a command-and-control server located at http://srvdown[.]ddns[.]net/service3/. This server can also send new commands to the infected system, allowing attackers to control it remotely.

The findings show that Kimsuky is continuously upgrading its tools to carry out complex and dangerous cyberattacks. Security experts warn that this campaign poses a serious threat to individuals and organizations, especially those dealing with cryptocurrency or sensitive data.

Cybersecurity professionals recommend using advanced threat detection systems and training users to recognize phishing attempts, which often serve as the starting point for such attacks.
