Kimsuky, a notorious APT group supported by North Korea, has been actively operating in the cybersecurity realm since 2013. Initially targeting research institutions in South Korea, they later redirected their efforts towards a South Korean energy agency in 2014. Subsequently, their scope of operations expanded to encompass attacks on various sectors, including national defense, diplomacy, academia, and the media. Kimsuky’s primary goal revolves around infiltrating systems, extracting sensitive information, and acquiring advanced technologies. Our colleagues at Ahnlab have shed light on the latest developments in Kimsuky’s tactics, which we will explore in this article.
The Intricate Approach
Kimsuky employs a multifaceted strategy to gain control of infected systems. They typically rely on spear phishing, targeting the national defense, diplomatic, academic and media sectors as well as national organizations. Once inside, they install backdoors or infostealers to exfiltrate valuable data. The group uses a blend of open-source malware and in-house-developed tools. What sets them apart is their penchant for using legitimate tools to control compromised systems.
The Role of Remote Desktop Protocol (RDP)
One striking feature of Kimsuky’s operations is their affinity for remote control. To achieve this, they extensively rely on the Remote Desktop Protocol (RDP). In cases where RDP is not readily available, they deploy the open-source tool RDP Wrapper to bridge the gap. Once RDP is installed, they either add user accounts for RDP access or employ additional malware to obscure their presence and enable multiple RDP sessions.
Beyond RDP: Kimsuky’s Arsenal of Tools
Kimsuky’s toolkit is not limited to RDP. They have been known to customize and utilize various other tools in their attacks. For instance, they have employed TinyNuke, a publicly available malware, and TightVNC, an open-source VNC (Virtual Network Computing) tool, which enables remote control much like RDP. In some instances, they have even used Chrome Remote Desktop, a tool supported by the Google Chrome web browser, to manage infected systems.
Recent Developments
In recent cases, Kimsuky’s operations have taken an interesting turn. They have been observed deploying BabyShark through presumed spear phishing attacks. Subsequently, various RDP-related malware strains are installed. While the tools used in these attacks share similarities with previous instances, their PDB (Program Database) information indicates that they have been recently developed for these specific attacks.
New Player in Town: RevClient
One notable addition to Kimsuky’s arsenal is a malware called “RevClient.” This tool operates by receiving commands from a command and control (C&C) server. Depending on the instructions it receives, RevClient can create user accounts or enable port forwarding, providing the threat actor with even more control over the compromised system.
Kimsuky’s Initial Infiltration
While the exact method of initial distribution remains unconfirmed, it is highly likely that Kimsuky utilizes spear phishing attacks. Historical cases have involved files like “hwp.bat,” which masquerades as a document viewer but is, in reality, malware. This BAT malware checks for antivirus products using WMIC commands and installs script-type malware once it infiltrates the system.
Kimsuky’s Ongoing Data Exfiltration
After infiltrating a system, Kimsuky’s threat actors continuously exfiltrate information from it. They employ various malware types, including a keylogger known as “k.ps1” and a script file called “OneNote.vbs” that executes the keylogger. This keylogger stores the collected data in a file located at “%APPDATA%\k.log.”
Additionally, “pow.ps1,” a loader, and “desktop.r7u,” an encoded data file, have been identified. The loader decrypts “desktop.r7u” and executes it in memory; the decrypted payload is itself an injector. If the file “desktop.r3u” is present in the same location, that injector decrypts it and injects it into “MSBuild.exe,” a legitimate program.
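As an added example (not code from this article or from AhnLab), the following PowerShell hunting function checks a Windows host for the file artifacts named in the sections above. Only “k.log” and “CustomVerification.DIC” are stated to live under %APPDATA%; the other names are searched by file name, and the search roots are an assumption to widen for a real hunt. The check on running “MSBuild.exe” and “powershell_ise.exe” is based on the page naming them as injection targets.

```powershell
# Added defensive example, not code from the article or the AhnLab report.
# Looks for the file artifacts named in the write-up. Only k.log and
# CustomVerification.DIC are stated to live in %APPDATA%; the search roots for
# the other names are an assumption and should be widened for a real hunt.

function Find-KimsukyArtifacts {
    [CmdletBinding()]
    param(
        # Directories to walk for the script/loader names (assumed roots)
        [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)
    )

    # Exact paths given on the page
    $knownPaths = @(
        (Join-Path $env:APPDATA 'k.log'),                  # keylogger output
        (Join-Path $env:APPDATA 'CustomVerification.DIC')  # decryption target of process.exe
    )
    # File names from the page whose directory is not stated
    $knownNames = @('k.ps1', 'OneNote.vbs', 'pow.ps1', 'desktop.r7u',
                    'desktop.r3u', 'hwp.bat', 'process.exe', 'multiple.exe')

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($p in $knownPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p -Force
            $findings.Add([pscustomobject]@{
                Indicator = 'known-path'; Path = $item.FullName
                Size = $item.Length; LastWriteUtc = $item.LastWriteTimeUtc })
        }
    }

    $validRoots = $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
    foreach ($root in $validRoots) {
        # -contains is case-insensitive for strings, which matches NTFS semantics
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $knownNames -contains $_.Name } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Indicator = 'known-name'; Path = $_.FullName
                    Size = $_.Length; LastWriteUtc = $_.LastWriteTimeUtc })
            }
    }

    # Processes the page names as injection targets; a running instance on a
    # workstation that is not a build or development machine deserves a look.
    foreach ($proc in Get-Process -Name 'MSBuild', 'powershell_ise' -ErrorAction SilentlyContinue) {
        $started = try { $proc.StartTime.ToUniversalTime() } catch { $null }
        $findings.Add([pscustomobject]@{
            Indicator = 'injection-target-running'; Path = $proc.Path
            Size = $null; LastWriteUtc = $started })
    }

    return $findings
}

# Usage: run in the context of the user profile being examined
Find-KimsukyArtifacts | Format-Table -AutoSize
```

The function returns objects rather than printing, so its output can be piped to Export-Csv or compared across hosts. File-name matching is deliberately exact; loosening it to wildcards raises noise on developer machines where scripts named “pow.ps1” or similar are plausible.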
Installing Additional Payloads
It’s worth noting that the threat actors behind Kimsuky continue to evolve. While BabyShark can collect information from the infected system on its own, the threat actor goes a step further by installing RDP-related malware alongside it.
2.1 Injector
One of these additional malware pieces, named “process.exe,” is quite similar to the previously mentioned “desktop.r7u.” Both are injectors; they differ only in the file each decrypts and the process each injects into. For “process.exe,” the decryption target is the file “CustomVerification.DIC” in the “%APPDATA%” path, and the injection target is “powershell_ise.exe.”
2.2 Changing the RDP Service
In their quest for control, Kimsuky employs malware called “multiple.exe.” This tool takes a multi-pronged approach by adding user accounts, enabling RDP, and supporting multiple sessions. It also manipulates the RDP service, modifying “termsrv.dll” to facilitate these changes.
2.3 RevClient
RevClient, as mentioned earlier, is another valuable addition to Kimsuky’s toolkit. It’s an RDP-related malware that operates by receiving commands from a C&C server. Its versatility allows it to undertake various tasks, such as managing user accounts and enabling port forwarding.
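The changes attributed above to “multiple.exe” (adding accounts, enabling RDP, allowing multiple sessions, modifying “termsrv.dll”), to RevClient (account creation, port forwarding), and to RDP Wrapper in the earlier section all leave host-level traces. As an added example (not code from this article or from AhnLab), this PowerShell audit function checks those traces. The registry values, event ID and service key it reads are the standard Windows locations for these settings, not values the article cites; the 30-day look-back window is an assumption.

```powershell
# Added defensive example, not code from the article or the AhnLab report.
# Audits the host settings the article says multiple.exe, RevClient and RDP
# Wrapper change: RDP enablement, multiple sessions, the termsrv.dll backing
# TermService, new local accounts, and persisted portproxy rules.
# Run elevated so the Security log and service keys are readable.

function Test-RdpTampering {
    [CmdletBinding()]
    param(
        # How far back to look for account-creation events (assumed window)
        [int]$DaysBack = 30
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail, [string]$Severity) {
        $findings.Add([pscustomobject]@{ Check = $Check; Severity = $Severity; Detail = $Detail })
    }

    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tsProps = Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue

    # 1. RDP enabled? fDenyTSConnections = 0 means inbound RDP is allowed.
    if ($tsProps.fDenyTSConnections -eq 0) {
        Add-Finding 'rdp-enabled' 'fDenyTSConnections is 0 (RDP allowed)' 'info'
    }
    # 2. Concurrent sessions? 0 allows more than one session per user, which
    #    client editions of Windows do not permit by default.
    if ($tsProps.fSingleSessionPerUser -eq 0) {
        Add-Finding 'multi-session' 'fSingleSessionPerUser is 0 (concurrent sessions allowed)' 'high'
    }

    # 3. Is TermService still backed by the real termsrv.dll, and is that DLL signed?
    #    Get-ItemProperty expands REG_EXPAND_SZ, so compare against the expanded path.
    $svcParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
    $expectedDll = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    if ($svcParams -and $svcParams.ServiceDll -ne $expectedDll) {
        Add-Finding 'termservice-dll' "ServiceDll is '$($svcParams.ServiceDll)', expected '$expectedDll'" 'high'
    }
    $sig = Get-AuthenticodeSignature -FilePath $expectedDll
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'termsrv-signature' "termsrv.dll signature status: $($sig.Status)" 'high'
    }

    # 4. Who can log on over RDP, and which local accounts appeared recently?
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'rdp-group-member' $_.Name 'info' }
    $since = (Get-Date).AddDays(-$DaysBack)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In event 4720 the first property is the new account's SAM name
            Add-Finding 'account-created' "$($_.Properties[0].Value) at $($_.TimeCreated)" 'medium'
        }

    # 5. Port forwarding rules: netsh portproxy persists them under this key.
    $ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (Test-Path $ppKey) {
        $rules = Get-ItemProperty -Path $ppKey
        foreach ($name in (Get-Item $ppKey).Property) {
            Add-Finding 'portproxy-rule' "$name -> $($rules.$name)" 'high'
        }
    }

    return $findings
}

# Usage: highest-severity findings first
Test-RdpTampering | Sort-Object Severity | Format-Table -AutoSize
```

A valid Authenticode status only shows the file on disk is Microsoft-signed; if the article’s “termsrv.dll” modification were applied in memory rather than on disk, the ServiceDll and multi-session checks are the ones that would still fire. Any “high” finding on a workstation that has no business accepting concurrent RDP sessions or forwarding ports is worth an incident ticket rather than a configuration fix alone.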
Conclusion
The Kimsuky threat group has demonstrated its adaptability and determination to stay at the forefront of cyberattacks. Understanding their tactics and tools is crucial for staying one step ahead of this persistent adversary in the ever-evolving world of cybersecurity.