Kimsuky shifts tactics from traditional backdoors to RDP, proxies – Go Health Pro

The North Korean threat group Kimsuky recently shifted tactics away from traditional backdoors to leveraging the Remote Desktop Protocol (RDP) and proxy tools to control compromised systems, AhnLab Security Intelligence Center (ASEC) reported Tuesday.

Kimsuky, also known as APT43, Emerald Sleet and Velvet Chollima, has historically leveraged various backdoor malware such as AppleSeed, TinyNuke, Meterpreter and PebbleDash to establish persistence.

While the PebbleDash backdoor still appeared in the recent spear-phishing campaigns observed by ASEC, the use of a newly customized version of the RDP Wrapper utility and three different proxy tools suggests an effort to improve stealth while establishing persistence.

The campaigns begin with spear-phishing emails containing .LNK shortcut files disguised as other file types, such as PDF, Excel or Word documents. The attacks appear to be highly targeted, with the names of specific people or companies used in the .LNK file names.

Executing the attached file triggers a PowerShell command or Microsoft HTML Application (Mshta) process to install Kimsuky’s additional payloads, including PebbleDash and RDP Wrapper.

RDP Wrapper is an open-source utility that enables RDP on Windows editions that do not normally support it, such as Home editions; it can also be used to allow more than one concurrent RDP session.

The version of RDP Wrapper used by Kimsuky appears to have been customized with added export functions to help it evade file-based malware detection, according to ASEC. Kimsuky further uses proxy tools to reach, via RDP, systems that sit on private networks. The three proxy tools include one that creates a mutex named “MYLPROJECT,” one that creates a mutex named “LPROXYMUTEX,” and the open-source Go-based revsocks tool.

Other payloads used by Kimsuky are a keylogger and a new infostealer malware called forceCopy. The keylogger collects and stores user keystrokes; previously, Kimsuky utilized keyloggers that stored keystrokes in the “CursorCach.tmp” and “CursorCache.db” files. However, in the recent campaigns, keystrokes were instead stored in text files “joeLog.txt” and “jLog.txt.”

The forceCopy malware copies files from one path to another, using a forensic NTFS parser library rather than the standard Windows file APIs to read them, which lets it read files without going through the access restrictions those APIs enforce. forceCopy is used as an infostealer to copy and exfiltrate files containing credentials, such as web browser configuration files, and it is installed in web browser installation paths in an apparent attempt to bypass restrictions or security products.

ASEC also identified loader and injection malware not seen in previous Kimsuky campaigns. The loader loads files from “%SystemDirectory%\wbemback.dat” into memory, although the payload that is ultimately loaded and injected has not been identified.
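The observable indicators named above (the .LNK lures disguised as documents, the PowerShell/Mshta launch they trigger, the two proxy-tool mutex names, the keylogger output files and the loader's wbemback.dat drop path) can be turned into a small hunt. The following Python script is an added example, not ASEC's or Kimsuky's code: the key=value event format and the sample events are constructed for this illustration (a real deployment would map Sysmon or EDR fields onto the same checks, and mutex creation in particular is only visible in telemetry sources that record it, such as a sandbox report or EDR); only the indicator strings come from the article.

```python
"""Hunt for the Kimsuky indicators reported by ASEC over constructed,
Sysmon-style telemetry lines.  Added example; the event format below is
hypothetical and the sample events are constructed, not real logs."""
from __future__ import annotations

import re

# Indicators named in the ASEC report summarised above.
MUTEX_IOCS = {"MYLPROJECT", "LPROXYMUTEX"}            # proxy tools
KEYLOG_FILES = {"joelog.txt", "jlog.txt",              # current campaigns
                "cursorcach.tmp", "cursorcache.db"}     # earlier keyloggers
LOADER_FILE = "wbemback.dat"                           # %SystemDirectory%\wbemback.dat
# .LNK lures disguised as documents, e.g. "Contract.pdf.lnk".
LNK_LURE = re.compile(r"\.(?:pdf|xlsx?|docx?)\.lnk$", re.IGNORECASE)
LNK_LAUNCHERS = {"powershell.exe", "mshta.exe"}

# Constructed sample telemetry (NOT real Sysmon/EDR output): one event per
# line, key=value pairs, values containing spaces are double-quoted.
SAMPLE_EVENTS = r'''
type=file image=C:\Windows\explorer.exe path="C:\Users\user\Downloads\Invoice_ACME.pdf.lnk"
type=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmdline="powershell -w hidden -c Get-Date"
type=process image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent=C:\Windows\explorer.exe cmdline="chrome.exe"
type=mutex image=C:\Users\user\AppData\Roaming\update.exe name=MYLPROJECT
type=file image=C:\Users\user\AppData\Roaming\update.exe path="C:\Users\user\AppData\Roaming\joeLog.txt"
type=file image=C:\Windows\System32\svchost.exe path="C:\Windows\System32\wbemback.dat"
type=file image=C:\Windows\System32\svchost.exe path="C:\Windows\System32\wbem\repository.dat"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def basename(path: str) -> str:
    """Last Windows path component, lower-cased for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def parent_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased ('' if there is none)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def check_event(ev: dict[str, str]) -> list[tuple[str, str]]:
    """Return (rule_name, detail) hits for a single parsed event."""
    hits: list[tuple[str, str]] = []
    kind = ev.get("type")
    if kind == "file":
        path = ev.get("path", "")
        name = basename(path)
        if LNK_LURE.search(name):                       # document-looking .LNK
            hits.append(("lnk_lure_double_extension", path))
        if name in KEYLOG_FILES:                        # keylogger output
            hits.append(("keylogger_output_file", path))
        # The loader reads its payload from %SystemDirectory%\wbemback.dat;
        # the same file name elsewhere is not matched.
        if name == LOADER_FILE and parent_dir(path).endswith("\\system32"):
            hits.append(("loader_payload_file", path))
    elif kind == "process":
        # A .LNK run from Explorer spawns the script host directly under
        # explorer.exe.  This also fires on benign shortcuts, so it is a
        # triage lead, not a conviction on its own.
        if (basename(ev.get("image", "")) in LNK_LAUNCHERS
                and basename(ev.get("parent", "")) == "explorer.exe"):
            hits.append(("explorer_spawned_script_host", ev.get("cmdline", "")))
    elif kind == "mutex":
        if ev.get("name") in MUTEX_IOCS:                # proxy tool mutexes
            hits.append(("proxy_tool_mutex", ev["name"]))
    return hits


def hunt(text: str) -> list[tuple[str, str]]:
    """Run every rule over every non-empty event line and collect the hits."""
    hits: list[tuple[str, str]] = []
    for line in text.splitlines():
        if line.strip():
            hits.extend(check_event(parse_event(line)))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The customized RDP Wrapper itself is deliberately not covered here: the article says it was modified precisely so that file-based detection misses it, so hunting for it would rest on behaviour (an RDP listener or concurrent sessions where none are expected) rather than on a hash or a file name.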

Kimsuky is backed by the North Korean government and mostly targets South Korean organizations for cyberespionage, although it has also targeted victims in the United States, Japan, and European nations like Germany.

The group has leveraged a variety of novel malware and techniques over more than a decade of activity, including novel remote access trojans (RATs) and backdoors for Windows, Linux and macOS. Kimsuky was also one of five state-sponsored threat actors revealed to have leveraged OpenAI’s ChatGPT to assist its operations, in a report published last year.
