{
  "name": "Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)",
  "slug": "keylogger-installed-using-ms-office-equation-editor-vulnerability-kimsuky",
  "description": "This technical analysis examines a campaign by the Kimsuky threat group that exploited a Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. The keylogger collects system information, keystrokes, and clipboard data and sends them to a command-and-control server. The report stresses the importance of applying security patches and keeping software up to date to prevent such attacks.",
  "published": "2024-06-13T08:14:41+00:00",
  "created_at": "2024-06-13T08:14:41+00:00",
  "modified_at": "2024-06-13T08:33:25+00:00",
  "created_at_opencti": "2024-06-13T08:14:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-13",
    "CVE-2017-11882",
    "apt",
    "keylogger"
  ],
  "related_entities": {
    "intrusion_sets": [
      {
        "id": "294d962a-b24e-446b-8e2d-3706cb1316b3",
        "name": "Kimsuky",
        "slug": "kimsuky"
      }
    ],
    "attack_patterns": [
      {
        "id": "d955a391-6fd0-4eb2-8767-973c39c761e0",
        "name": "T1120"
      },
      {
        "id": "7ee85a68-f3ed-49bd-a5de-27b219e43609",
        "name": "T1080"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "cf746a02-00ea-419e-912d-7b03f969c491",
        "name": "T1518.001"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "6e4e21cc-92cf-4564-920e-d509bd22fd40",
        "name": "T1574"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2017-11882"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/en/66720/",
    "https://otx.alienvault.com/pulse/666ac69198896ad749549d5b"
  ]
}