Kimsuky Espionage Campaign

Posted on 2021-08-23 by Dmitry Melikov

A few days ago, we found an interesting JavaScript file masquerading as a PDF. When executed, it drops and displays a PDF (to maintain the ruse) and also drops an executable. The decoy is a Korean Foreign Ministry document together with its newsletter. The same attack was reported earlier by Malwarebytes in June.

Apparently, the threat actor behind this campaign is still using this infrastructure and infection technique.

File Type: JavaScript
SHA-256: 20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd
Size: 27.31 MB (28634023 bytes)

Image 1: Document images when opened
Image 2: VirusTotal

The document has low detection on VirusTotal: when we first checked, the detection rate was 3/58.

We found this very interesting, so we decided to delve deeper into its technical composition.

Image 3:

Opening the document in a hex editor, we see that it is filled with Base64-encoded data. To continue our study, we need to extract this data and see what it contains. At the tail of the file we also find the executable code that runs when the document is opened.

Image 4: Embedded PowerShell code

To ease research efforts, we present the previously mentioned executable code in a more human-readable format.

Image 5: PowerShell Script

In Image 5 you can see that the script launches Adobe Reader, decodes the Base64 payload, and runs it in stealth mode. To understand what it launches, we need to extract the payload from the script.

As a reminder, the file is 27.31 MB, which is quite large and makes manual extraction laborious. The easiest way is therefore to write a simple Python script that finds the Base64-encoded blocks and decodes them.

Image 6: Base64 encoded data blocks
Image 7: Base64 data

import sys, base64

def usage(msg):
    # Report the error and how the script should be invoked, then exit
    sys.stderr.write(msg + "\n")
    sys.stderr.write("Usage: %s <infile> <outfile>\n" % sys.argv[0])
    sys.exit(1)

def base64Dec(dump):
    # Decode one Base64 block and return the raw bytes
    return base64.b64decode(dump)

if __name__ == '__main__':
    if len(sys.argv) != 3:
        usage("invalid argument count")
    outfile = sys.argv.pop()
    infile = sys.argv.pop()
    # Read the Base64 block that was carved out of the script
    with open(infile, "rb") as file:
        dump = bytearray(file.read())
    result = base64Dec(dump)
    # Write the decoded bytes to the output file
    with open(outfile, "wb") as new:
        new.write(result)

With this small Python script we can extract and decode the data; as a result, we retrieved two files from the encoded string.

SHA-256: 3251c02ff0fc90dccd79b94fb2064fb3d7f870c69192ac1f10ad136a43c1ccea
File Type: PDF
Size: 20.23 MB (21214792 bytes)
File 1

If we take a close look at the first file (3251c02ff0fc90dccd79b94fb2064fb3d7f870c69192ac1f10ad136a43c1ccea), it is clear that it is a legitimate document and carries no malicious payload. It was uploaded to VirusTotal on May 27 of this year. It is evidently used here as a decoy to hide the malicious activity at runtime.

The second file we retrieved is itself wrapped in two layers of Base64 encoding.

Image 8: The second data block is Base64 encoded twice
SHA-256: 0a4f2cff4d4613c08b39c9f18253af0fd356697368eecddf7c0fa560386377e6
File Type: DLL x64
Size: 190.00 KB (194560 bytes)
File 2
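
The extraction described above, generalized into a self-contained script (an added example, not code from the original post): it scans a dropper for long Base64 runs, decodes each one, peels off further Base64 layers such as the double encoding of the second block, and identifies the result by its magic bytes. The embedded sample dropper, its payload contents and all function names are constructed for this demonstration; run it with a file argument to process a real dropper, or without arguments to process the built-in sample.

```python
import base64
import binascii
import re
import sys

MIN_RUN = 64  # ignore short runs such as ordinary identifiers in the script
# A run of Base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)
# Magic bytes used to recognise a decoded layer; anything else is treated as
# possibly still encoded.
MAGICS = {b"%PDF": "pdf", b"MZ": "pe"}


def identify(data):
    """Classify a decoded blob by its leading bytes."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def decode_run(run):
    """Decode one Base64 run, tolerating a truncated tail; None if invalid."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:          # a single dangling character can never decode
        run = run[:-1]
    padded = run + b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel(data, max_layers=4):
    """Strip nested Base64 layers until a known file type (or the limit) is reached."""
    layers = 0
    while layers < max_layers and identify(data) == "unknown":
        compact = re.sub(rb"\s+", b"", data)   # inner layers may be line-wrapped
        if not B64_RUN.fullmatch(compact):
            break
        decoded = decode_run(compact)
        if decoded is None:
            break
        data, layers = decoded, layers + 1
    return data, layers


def extract_blocks(blob):
    """Return every decodable Base64 block in blob with offset, layer count and type."""
    blocks = []
    for match in B64_RUN.finditer(blob):
        decoded = decode_run(match.group(0))
        if decoded is None:
            continue
        payload, extra = peel(decoded)
        blocks.append({"offset": match.start(), "layers": 1 + extra,
                       "kind": identify(payload), "data": payload})
    return blocks


def build_sample():
    """Constructed stand-in for the dropper: a PDF decoy encoded once and an
    MZ-headed blob encoded twice, wrapped in JavaScript-looking text."""
    pdf = b"%PDF-1.7\n" + b"A" * 200 + b"\n%%EOF\n"
    dll = b"MZ" + bytes(range(256)) * 2
    wrapper = (b"var decoy = '" + base64.b64encode(pdf) + b"';\n"
               b"var lib = '" + base64.b64encode(base64.b64encode(dll)) + b"';\n")
    return wrapper, pdf, dll


if __name__ == "__main__":
    # Usage: extract_b64.py <dropper>; without arguments the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()[0]
    for i, block in enumerate(extract_blocks(blob)):
        name = "block%d.%s" % (i, block["kind"])
        with open(name, "wb") as out:
            out.write(block["data"])
        print("offset %d: %d Base64 layer(s), %s, %d bytes -> %s"
              % (block["offset"], block["layers"], block["kind"], len(block["data"]), name))
```

The layer limit in peel() matters on real samples: a run that happens to decode to more Base64 alphabet bytes will otherwise be decoded forever, so the loop stops after a few layers or as soon as a known magic appears.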

The executable library is packed with UPX, but unpacking this sample is not difficult, and so we obtained the payload.

SHA-256: ae50cf4339ff2f2b3a50cf8e8027b818b18a0582e143e842bf41fdb00e0bfba5
File Type: DLL x64
Size: 474.50 KB (485888 bytes)
File 2 unpacked

The executable is a Kimsuky espionage tool.

Image 8: Extensions for document search

The malware searches for documents (.hwp, .pdf, .doc, .xls, .ppt, .txt) in all directories, including USB drives, in order to steal them.

The program creates the following registry key, so that after each start of the system the library is launched again:

\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ESTsoftAutoUpdate  = "regsvr32.exe /s \"C:\\ProgramData\\Software\\ESTsoft\\Common\\ESTCommon.dll\""

Image 9: Keylogger Artifacts

Image 9 shows the distinctive strings the keylogger uses to record the data entered by the user. The executable also contains a large number of encrypted strings.

Image 10: Encrypted strings

We managed to decrypt all of these strings. Here are some of the most interesting ones:

'\r\n    :repeat\r\n    del "%s"\r\n    if exist "%s" goto repeat\r\n    del "%%~f0"'

'%PDF-1.7..4 0 obj'

'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36'

"Powershell.exe start-process regsvr32.exe -argumentlist \'

"powershell.exe start-process regsvr32.exe -argumentlist \'/s %s\' -verb runas"
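
A defender-side view of the artifacts above (the RunOnce value, the PowerShell launch of regsvr32 with -verb runas, and the self-deleting batch loop), as an added example that is not part of the original post: three small detection rules applied to constructed telemetry events. The event records, file paths, the SID in the key path and the rule names are all constructed for this demonstration; the %%~f0 in the decrypted template is a format-string escape, so the rule matches the %~f0 that the batch file written to disk would contain.

```python
import re

# Constructed sample telemetry (not from the analysed sample): a RunOnce
# value, two process launches and the dropped batch file, modelled on the
# artifacts described in the write-up, plus two benign control events.
# The SID in the key path and all file paths are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry",
     "key": r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "ESTsoftAutoUpdate",
     "value": r'regsvr32.exe /s "C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll"'},
    {"id": 2, "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe start-process regsvr32.exe -argumentlist "
                "'/s C:\\ProgramData\\Software\\ESTsoft\\Common\\ESTCommon.dll' -verb runas"},
    {"id": 3, "type": "process", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\clean.bat",
     # Contents of clean.bat as written to disk: the %%~f0 of the decrypted
     # template becomes %~f0 (the batch file's own path) once formatted.
     "script": ':repeat\r\ndel "C:\\Users\\victim\\Downloads\\report.pdf.js"\r\n'
               'if exist "C:\\Users\\victim\\Downloads\\report.pdf.js" goto repeat\r\n'
               'del "%~f0"'},
    {"id": 4, "type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorHelper",
     "value": r'regsvr32.exe /s "C:\Windows\System32\vendorhelper.dll"'},
    {"id": 5, "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -command Get-Process | Sort-Object CPU"},
]

RUN_KEY = re.compile(r"\\Run(Once)?$", re.I)
# regsvr32 registering a DLL silently (/s) ...
REGSVR_SILENT_DLL = re.compile(r"regsvr32(\.exe)?\s+[/-]s\b.*?\.dll", re.I)
# ... from a location an ordinary user can write to.
USER_WRITABLE = re.compile(r"\\(ProgramData|Users|AppData|Temp)\\", re.I)
# PowerShell used to launch regsvr32 with an elevation (UAC) request.
PS_RUNAS_REGSVR = re.compile(r"powershell(\.exe)?\b.*start-process\s+regsvr32\b.*-verb\s+runas", re.I)
# Batch loop that deletes a file until it is gone, then deletes itself.
SELF_DELETE = re.compile(r':(\w+)\r?\n.*?\bgoto\s+\1\b.*?\bdel\s+"?%~f0"?', re.I | re.S)


def rule_run_key_regsvr32(ev):
    """Run/RunOnce value that silently registers a DLL from a user-writable path."""
    return (ev["type"] == "registry"
            and RUN_KEY.search(ev["key"]) is not None
            and REGSVR_SILENT_DLL.search(ev["value"]) is not None
            and USER_WRITABLE.search(ev["value"]) is not None)


def rule_powershell_runas_regsvr32(ev):
    """PowerShell start-process of regsvr32 with -verb runas."""
    return ev["type"] == "process" and PS_RUNAS_REGSVR.search(ev["cmdline"]) is not None


def rule_batch_self_delete(ev):
    """Batch file with a retry-delete loop ending in self-deletion."""
    return ev["type"] == "process" and SELF_DELETE.search(ev.get("script", "")) is not None


RULES = {
    "run_key_regsvr32_userwritable": rule_run_key_regsvr32,
    "powershell_runas_regsvr32": rule_powershell_runas_regsvr32,
    "batch_self_delete_loop": rule_batch_self_delete,
}


def scan(events):
    """Return one hit per (rule, event) pair that fires."""
    return [{"rule": name, "event": ev["id"]}
            for ev in events for name, check in RULES.items() if check(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("event %d matched %s" % (hit["event"], hit["rule"]))
```

The user-writable path condition is what separates the persistence rule from ordinary software registering its own COM DLLs under Program Files or System32 (event 4 above is such a control), so it is the part to tune first when the rules are run over real telemetry.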

Debug lines:

JavaScript files

Unpacked library. Kimsuky Spy.