Full Report
The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines. [...]
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
Attributed to the threat actor group **Kimsuky**. The article does not explicitly list other known aliases or associated groups, focusing only on Kimsuky activities.
## Activity Summary
The article details the use of a **new custom RDP Wrapper** by Kimsuky hackers to establish remote access during their operations. This is a recent extension of their known activity profile.
## Tactics, Techniques & Procedures
- Establishment of remote access leveraging a **new custom RDP Wrapper**.
- The core technique observed is persistence/command and control via customized Remote Desktop Protocol (RDP) functionality.
- *Note: Specific MITRE ATT&CK IDs were not provided in the truncated text.*
## Targeting
- **Sectors:** Not explicitly mentioned in the provided text snippet.
- **Geography:** Not explicitly mentioned in the provided text snippet.
- **Victims:** Not explicitly mentioned in the provided text snippet.
## Tools & Infrastructure
- **Malware families used:** A **new custom RDP Wrapper** for remote access.
- **Infrastructure (C2, domains, IPs):** None mentioned in the provided text snippet.
## Implications
Kimsuky continues to evolve its toolset, building custom components (such as the new RDP Wrapper) to maintain persistent and potentially evasive remote access to victim systems. This indicates investment in operational security and in customized tooling rather than reliance on off-the-shelf remote access software.
## Mitigations
- Monitor for unauthorized or unusual usage of Remote Desktop Protocol (RDP) processes.
- Thoroughly investigate any use of custom or non-standard RDP wrappers or components.
- Apply standard hardening against the initial intrusions that would allow an attacker to install or modify RDP components.