Full Report
AhnLab SEcurity intelligence Center (ASEC) has previously analyzed cases of attacks by the Kimsuky group, which utilized the PebbleDash backdoor and their custom-made RDP Wrapper. The Kimsuky group has been continuously launching attacks of the same type, and this post will cover additional malware that have been identified. 1. Overview Threat actors are distributing […]
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
Attributed to the **Kimsuky group**. Previously analyzed by AhnLab SEcurity intelligence Center (ASEC).
## Activity Summary
Kimsuky is continuously launching attacks primarily targeting Korean users using spear-phishing tactics. The initial breach involves distributing malicious shortcut files (`*.LNK`) disguised as common document files (PDF, Excel, Word). These LNK files execute commands via PowerShell or Mshta to download and execute further payloads, including the **PebbleDash** backdoor and a custom-made **RDP Wrapper**. In 2024, the group shifted focus towards utilizing RDP Wrapper and Proxy tools for remote system control rather than solely relying on established backdoors.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing distributing LNK files crafted with file and company names suggesting targeted information gathering.
- **Execution:** LNK files initiate execution via PowerShell or Mshta to download secondary payloads.
- **Persistence/Control:** Installation and use of custom **RDP Wrapper** to activate Remote Desktop features, bypassing security mechanisms via exported functions.
- **Remote Access:** Deployment of **Proxy malware** (three identified types: mutex "MYLPROJECT", mutex "LPROXYMUTEX", Go language-based revsocks) to enable external RDP access from private networks.
- **Credential Access/Exfiltration:** Use of **KeyLogger** malware (PowerShell script or executable format) storing captured keystrokes in new locations (`C:\ProgramData\joeLog.txt` and `C:\ProgramData\jLog.txt`).
- **Information Theft:** Utilizing an Infostealer tool named **"forceCopy"** that employs the **NTFS Parser library** to read browser configuration files (e.g., extracting keys from "Local State") instead of directly stealing stored credentials, likely to bypass detection.
- **Evasion:** Use of in-memory loading via a Loader targeting `%SystemDirectory%\wbemback.dat`, and an Injector that receives the target process information as a command-line argument.
- **PowerShell Techniques:** Use of an obfuscated open-source script, **Invoke-ReflectivePEInjection.ps1**, deployed via PowerShell scripts acting as a ReflectiveLoader.
## Targeting
- **Sectors:** Not explicitly detailed, but the context implies targeting entities where document names suggest specific organizational interest.
- **Geography:** Primarily targeting **Korean users**.
- **Victims:** Specific organizations were not named, but the file names suggest reconnaissance on specific targets involving company names.
## Tools & Infrastructure
- **Malware families used:** PebbleDash, Custom RDP Wrapper, Proxy malware (three variants), KeyLogger (PowerShell/EXE), forceCopy (Infostealer), Loader, Injector, ReflectiveLoader (using Invoke-ReflectivePEInjection.ps1).
- **Infrastructure (C2, domains, IPs; defanged):**
  - IP addresses observed: 216[.]219[.]87[.]41, 74[.]50[.]94[.]175
- **File Paths/Mutexes:**
  - Keylogging paths: `%LOCALAPPDATA%\CursorCach.tmp`, `%LOCALAPPDATA%\CursorCache.db` (previous); `C:\ProgramData\joeLog.txt`, `C:\ProgramData\jLog.txt` (recent).
  - Proxy mutexes: "MYLPROJECT", "LPROXYMUTEX".
  - Proxy config path: `C:\ProgramData\USOShared2\version.ini`.
  - Loader path: `%SystemDirectory%\wbemback.dat`.
  - PowerShell script directory: `%ALLUSERSPROFILE%\USOShared\Prosd\`.
## Implications
Kimsuky remains an active and adapting threat, particularly against Korean targets. The shift toward leveraging custom RDP Wrapper and proxy malware indicates a focus on maintaining persistent, stealthy remote access post-compromise, potentially for long-term espionage or data theft, rather than relying on readily detectable dedicated backdoors. Their use of file-name reconnaissance in initial access indicates high-value, targeted operations.
## Mitigations
- Users must diligently check email sender authenticity and **refrain from opening files from unknown sources**.
- Apply the **latest patches** for the Operating System and web browsers.
- Ensure security solutions (e.g., AhnLab V3) are **updated to the latest version** so that the known malware signatures and behavioral patterns are detected and blocked.
- Monitor for unusual activation of Remote Desktop services or unexpected proxy activity.
- Monitor for file creation in atypical locations such as `C:\ProgramData\` for log files.