How VbsEdit helps hackers bypass traditional means of detecting malicious code.
The North Korean hacking group Kimsuky continues to develop its activity, using increasingly sophisticated methods to bypass security systems. Since 2018, the group's malware campaign, codenamed BabyShark, has evolved from using HWP and BAT files to distribute malicious code to using Microsoft Management Console (MSC) files and running malicious code with VbsEdit.
The main threat lies in the fact that MSC files, which are usually used for system administration, have become a tool for spreading malware. Upon launching such a file, the user is instructed to click the 'Open' button, which will activate malicious commands via the Command Prompt (CMD). These commands download malware from remote servers and store it under the guise of regular files, such as Google Docs.
Researchers from Hauri paid special attention to a case where the uploaded document contained information about specific North Korean defectors, which indicates a targeted attack. The attackers also use VBS scripts that, once executed with VbsEdit, connect to C2 servers to download and execute additional malware.
Kimsuky's attacks have become even more sophisticated through the use of the VbsEdit scripting software, which lets attackers run scripts without the standard script hosts "wscript.exe" and "cscript.exe" that detection tools watch. Using VbsEdit to execute malicious code makes it difficult for traditional antiviruses to detect it.
The method of saving and executing malware deserves special attention. Files downloaded from C2 servers are disguised as innocuous XML or VBS files and then registered in the Windows Task Scheduler to run at a specific time. In some cases, additional malware is downloaded via encrypted commands, making them difficult to analyze and detect.
Given the complexity and targeting of the attacks, Hauri security experts strongly recommend that organizations strengthen their system security measures, especially by paying attention to suspicious activity in the task scheduler and any unauthorized changes to system files.
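As an added illustration of the task-scheduler check recommended above (this is not code from Hauri's report or from the campaign), the following audits exported Windows Task Scheduler definitions (the XML that `schtasks /query /xml` produces) for the traits described: actions that invoke a script host or VbsEdit, that point at VBS/XML payloads, or that reference user-writable directories. The executable name `vbsedit.exe`, the path list and the two sample task definitions are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics drawn from the report. The VbsEdit binary name and the path list
# are assumptions for this example, not values taken from the report.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "vbsedit.exe")
SCRIPT_EXT = (".vbs", ".vbe", ".xml")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def audit_task_xml(task_xml):
    """Return the list of reasons a task definition looks suspicious (empty means clean).

    Accepts str or bytes; pass the raw bytes of a real export so the UTF-16
    declaration in schtasks output is honoured by the parser.
    """
    root = ET.fromstring(task_xml)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        line = f"{cmd} {args}".lower()
        if any(host in line for host in SCRIPT_HOSTS):
            reasons.append(f"script host or VbsEdit launched by task: {cmd}")
        if any(ext in line for ext in SCRIPT_EXT):
            reasons.append(f"script-like payload passed to task action: {args or cmd}")
        if any(path in line for path in USER_WRITABLE):
            reasons.append("task action references a user-writable directory")
    return reasons


# Constructed sample definitions (XML declaration omitted so they parse as str).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Backup\backup.exe</Command><Arguments>--nightly</Arguments>
  </Exec></Actions></Task>"""

SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Users\Public\vbsedit.exe</Command>
    <Arguments>C:\Users\victim\AppData\Local\Temp\update.vbs</Arguments>
  </Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        print(name, audit_task_xml(xml) or "clean")
```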
Source