Researchers in South Korea have identified a fresh wave of activity from the Kimsuky hacking group that combines a commodity open-source remote access tool with the group's own backdoor, Gold Dragon.
Kimsuky, also tracked as TA406, is a North Korean state-sponsored group that has conducted cyber-espionage operations since 2017. The group is operationally versatile: it distributes malware, runs phishing campaigns, harvests data and has even stolen cryptocurrency. According to ASEC (AhnLab Security Emergency response Center), Kimsuky has been using xRAT in targeted attacks on South Korean organizations. The campaign began on January 24, 2022, and was still active at the time of the report.
xRAT is a free, open-source remote access and administration tool hosted on GitHub. Its feature set includes keylogging, a remote shell, file management, a reverse HTTPS proxy, AES-128-encrypted communication and automated social engineering. A sophisticated actor may reach for a commodity RAT because it is sufficient for basic reconnaissance and needs little configuration.
This frees the actor's resources to build later-stage malware whose functionality is tailored to the security tools and defences present on the target. Commodity RATs are also used by a wide range of threat actors, which makes it harder for analysts to attribute activity to one specific group.
Gold Dragon is a second-stage backdoor that Kimsuky usually deploys after a fileless, PowerShell-based first stage that relies on steganography. The malware is not new: Cybereason documented it in 2020 and Cisco Talos analysed it in 2021. As ASEC describes in its research, however, the variant seen in this campaign has new characteristics, including the exfiltration of basic system information.
Rather than using system processes to collect that information, the new variant installs xRAT to harvest the required data. The RAT is disguised as cp1093.exe, an executable that copies the legitimate PowerShell ISE binary (powershell_ise.exe) to the C:\ProgramData\ path and runs it as a host for the RAT via process hollowing. Gold Dragon still uses the same process-hollowing technique against iexplore.exe and svchost.exe, and still attempts to disable the real-time detection of AhnLab antivirus products.
“The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC.
The installer then creates a new registry entry to give the malware payload (glu32.dll) persistence across reboots. Finally, Kimsuky ships an uninstaller (UnInstall_kr5829.co.in.exe) that can be used to remove traces of the intrusion. AhnLab advises users not to open attachments in e-mails from unknown senders, since this remains Kimsuky's most common way of delivering its malware.
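The installer chain, the relocated powershell_ise.exe hollowing host and the registry persistence described above each leave a host-level trace that can be hunted. The script below is an added example written for this page, not ASEC's or AhnLab's tooling: it runs three detection rules over a handful of constructed Sysmon-style events. The event shape, the Temp-folder file names, the rundll32 entry-point name and the assumption that persistence lands in a Run key are all illustrative choices; the article only states that a registry entry is created for glu32.dll.

```python
"""Hunt for the Gold Dragon / xRAT installer behaviours over constructed
Sysmon-style events. Added example; the events below are made up, not real
telemetry, and the rule thresholds are assumptions."""
import re
from pathlib import PureWindowsPath

# Executables the article names as process-hollowing hosts.
HOLLOW_HOSTS = {"powershell_ise.exe", "iexplore.exe", "svchost.exe"}
# Directories where those binaries legitimately live (assumption: default paths).
LEGIT_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
)


def rundll32_tmp_module(event):
    """Flag rundll32.exe loading a .tmp file or a module from a Temp folder,
    mirroring the 'in[4 digits].tmp in %temp% executed via rundll32' step."""
    if event.get("type") != "process_create":
        return None
    if PureWindowsPath(event["image"]).name.lower() != "rundll32.exe":
        return None
    args = event["cmdline"].split(None, 1)  # rundll32.exe <module>[,EntryPoint]
    if len(args) < 2:
        return None
    module = args[1].split(",", 1)[0].strip().strip('"').lower()
    if module.endswith(".tmp") or "\\temp\\" in module:
        return f"rundll32 executing suspicious module {module}"
    return None


def relocated_hollow_host(event):
    """Flag a known hollowing host started from outside its normal directory,
    e.g. the powershell_ise.exe copy dropped in C:\\ProgramData."""
    if event.get("type") != "process_create":
        return None
    p = PureWindowsPath(event["image"])
    if p.name.lower() not in HOLLOW_HOSTS:
        return None
    if str(p.parent).lower() in LEGIT_DIRS:
        return None
    return f"{p.name} running from unexpected directory {p.parent}"


def run_key_rundll32_dll(event):
    """Flag a Run-key value that launches a DLL via rundll32 from outside
    C:\\Windows. Assumption: persistence is a Run key (the article does not
    name the key)."""
    if event.get("type") != "registry_set":
        return None
    if "\\currentversion\\run" not in event["key"].lower():
        return None
    value = event["value"].lower()
    m = re.search(r'([a-z]:\\[^,\s"]+\.dll)', value)
    if not m:
        return None
    dll = m.group(1)
    if "rundll32" in value and not dll.startswith("c:\\windows\\"):
        return f"Run-key persistence via rundll32 loading {dll}"
    return None


RULES = (rundll32_tmp_module, relocated_hollow_host, run_key_rundll32_dll)


def scan(events):
    """Run every rule over every event; return (rule name, event index, message)."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, i, msg))
    return hits


# Constructed sample events (file names, user name and 'Run' entry point are made up).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\in4821.tmp,Run",
     "parent": r"C:\Users\victim\Downloads\installer_sk5621.com.co.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\powershell_ise.exe",
     "cmdline": r"C:\ProgramData\powershell_ise.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\cp1093.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\glu",
     "value": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\glu32.dll,Run"},
    # Benign events that must not fire.
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "cmdline": r"powershell_ise.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The path-based rule only catches the powershell_ise.exe copy in C:\ProgramData; hollowing of a legitimately located iexplore.exe or svchost.exe leaves the image path clean and needs memory-based checks (unbacked executable regions, mismatched PE headers) instead, which this example does not attempt.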