063. Kimsuky Abuses Control Panel Items to Evade Detection

Hello everyone! I think you've already noticed that Kimsuky (we track it as Monolithic Werewolf) is a frequent guest in my blog. The thing is, the cluster is quite creative and provides lots of detection ideas!

Today we'll look at how the adversary abused Control Panel Items in the campaign described in this report.

So, the threat actors used a malicious file with a double extension - [한글] 계엄사-합수본부 운영 참고자료[원본].hwp.cpl. It is a Control Panel item and is executed by control.exe, which means we can hunt for abuse of control.exe (you can experiment with other double extensions, of course):

event_type: "processcreate"

AND

proc_file_name: "control.exe"

AND

cmdline: (("hwp" AND "cpl") OR ("docx" AND "cpl") OR ("pdf" AND "cpl"))

After execution, the file connects to github[.]com to download additional files - and we have another detection opportunity:

event_type: "dnsreq"

AND

dns_rname: "github.com"

AND

proc_file_path: "control.exe"
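As an added example (my own code, not part of the report), here are the same two rules as plain Python run over a few constructed events shaped like the query fields above. It tightens the command-line check to an actual `.hwp.cpl` / `.docx.cpl` / `.pdf.cpl` token instead of the two substrings appearing anywhere, which cuts noise from legitimate Control Panel applets.

```python
import re

# Constructed sample telemetry (not real logs) using the field names
# from the queries: event_type, proc_file_name/proc_file_path, cmdline, dns_rname.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "control.exe",
     "cmdline": 'control.exe "C:\\Users\\u\\Downloads\\report.hwp.cpl"'},
    {"event_type": "processcreate", "proc_file_name": "control.exe",
     "cmdline": "control.exe timedate.cpl"},            # benign applet
    {"event_type": "processcreate", "proc_file_name": "winword.exe",
     "cmdline": 'winword.exe "C:\\Users\\u\\Desktop\\memo.docx"'},
    {"event_type": "dnsreq", "proc_file_path": "C:\\Windows\\System32\\control.exe",
     "dns_rname": "github.com"},
    {"event_type": "dnsreq", "proc_file_path": "C:\\Program Files\\Git\\git.exe",
     "dns_rname": "github.com"},                        # expected for git
]

DOC_EXTENSIONS = ("hwp", "docx", "pdf")
# Match "<name>.<doc ext>.cpl" case-insensitively, so "memo.docx.cpl" hits
# but "docx" and "cpl" far apart in an unrelated command line does not.
DOUBLE_EXT = re.compile(r"\.(%s)\.cpl\b" % "|".join(DOC_EXTENSIONS), re.IGNORECASE)

def is_double_ext_cpl(event):
    """Rule 1: control.exe launched with a document-looking .cpl path."""
    if event.get("event_type") != "processcreate":
        return False
    if event.get("proc_file_name", "").lower() != "control.exe":
        return False
    return DOUBLE_EXT.search(event.get("cmdline", "")) is not None

def is_cpl_github_dns(event):
    """Rule 2: DNS lookup of github.com issued by control.exe."""
    if event.get("event_type") != "dnsreq":
        return False
    proc = event.get("proc_file_path", "").replace("/", "\\").lower()
    return proc.endswith("\\control.exe") and event.get("dns_rname", "").lower() == "github.com"

def detect(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_double_ext_cpl(ev):
            hits.append(("control_exe_double_ext_cpl", ev))
        if is_cpl_github_dns(ev):
            hits.append(("control_exe_github_dns", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("proc_file_path"))
```

Correlating both rules on the same host within a short window (process start followed by the DNS request) gives a much higher-confidence alert than either alone.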

Also, note the persistence mechanism used by the adversary - it's not the most common!

See you tomorrow!
