A malicious LNK that spreads a Python-based backdoor and how it’s spreading (Kimsuky group)

The ASEC analysis describes how Kimsuky modified its LNK-based distribution chain to add multiple intermediate stages (XML, VBS, PS1, BAT) while retaining a final Python backdoor or downloader delivered via ZIP fragments and Task Scheduler registrations. The campaign uses cloud services (Dropbox) and a custom C2 protocol to exfiltrate system information and receive commands, with the backdoor communicating to 45.95.186[.]232:8080; #Kimsuky #beauty #Dropbox

Keypoints

  • Kimsuky LNK files still begin by executing PowerShell, but the recent chain adds generated decoy files and a more complex intermediate flow (XML → VBS → PS1 → BAT) before launching the final payload.
  • Attackers deliver ZIP fragment files from attacker-controlled URLs, merge them into a single ZIP, and deploy a Python interpreter, XML Task Scheduler files, and a Python backdoor (beauty.py).
  • Persistence and execution are achieved through XML-based Task Scheduler registrations with task names similar to previous Kimsuky campaigns (e.g., GoogleUpdateTaskMachineCGI__{56C6A980-…}).
  • The Python backdoor implements a custom fixed-size (4096-byte) protocol with magic bytes and supports commands for shell execution, file upload/download, deletion (with overwriting), and remote execution; initial beacon uses the string “HAPPY”.
  • Threat actors use Dropbox as a C2/exfiltration channel to upload stolen system information (filename format __info.ini) and to deliver additional scripts (zzz09_test.db_sent → hh.bat).
  • Two forms of Python-based malware were observed: a downloader that fetches additional payloads and a backdoor that executes remote commands; the downloader runs silently (CREATE_NO_WINDOW) and removes traces.
  • The campaign preserves historically consistent artifacts (sch_*.db XML names, similar Task Scheduler naming, reuse of decoy files) while altering execution details to evade detection.
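The keypoints above describe the backdoor's network framing (fixed 4096-byte messages, magic bytes 0x99 0x0A 0xBD 0x99, an initial "HAPPY" beacon, C2 at 45.95.186[.]232:8080). The following is an added example, not code from the ASEC report, showing how a defender can turn those traits into a flow classifier for reassembled TCP payloads. The report does not state where inside a frame the magic bytes or the beacon string sit, so the offsets checked here (magic at offset 0, beacon anywhere in the first frame) are assumptions, and the sample flows are constructed for the demo.

```python
"""Added example (not from the ASEC report): score reassembled client->server
TCP payloads against the framing traits the report attributes to the Kimsuky
Python backdoor. Frame layout beyond "4096 bytes + magic + HAPPY" is assumed."""
from dataclasses import dataclass

MAGIC = bytes([0x99, 0x0A, 0xBD, 0x99])   # magic bytes quoted in the report
FRAME_SIZE = 4096                         # fixed frame size quoted in the report
BEACON = b"HAPPY"                         # initial beacon string quoted in the report
C2_IP, C2_PORT = "45.95.186.232", 8080    # C2 endpoint from the report


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # reassembled client->server bytes for this connection


def split_frames(data: bytes) -> list:
    """Cut a byte stream into FRAME_SIZE chunks; a trailing partial chunk is kept."""
    return [data[i:i + FRAME_SIZE] for i in range(0, len(data), FRAME_SIZE)]


def classify_flow(flow: Flow) -> list:
    """Return the list of reasons this flow looks like the described backdoor traffic."""
    reasons = []
    if flow.dst == C2_IP and flow.dport == C2_PORT:
        reasons.append("destination matches known C2 endpoint")
    frames = split_frames(flow.payload)
    # Assumption: magic bytes start each frame (offset 0).
    magic_frames = [f for f in frames if f.startswith(MAGIC)]
    if magic_frames:
        reasons.append(f"{len(magic_frames)} frame(s) begin with magic bytes")
        if all(len(f) == FRAME_SIZE for f in magic_frames):
            reasons.append("all magic frames are exactly 4096 bytes")
    # Assumption: the beacon string appears somewhere in the first frame.
    if frames and BEACON in frames[0]:
        reasons.append("HAPPY beacon present in first frame")
    return reasons


def is_suspicious(flow: Flow, threshold: int = 2) -> bool:
    """Two or more independent indicators is the (arbitrary) alerting bar used here."""
    return len(classify_flow(flow)) >= threshold


# --- constructed sample data (not captured traffic) ---
_frame = MAGIC + BEACON
_frame += b"\x00" * (FRAME_SIZE - len(_frame))          # pad to the fixed frame size
SAMPLE_C2_FLOW = Flow("10.0.0.5", C2_IP, C2_PORT, _frame)
SHORT_MAGIC_FLOW = Flow("10.0.0.5", "198.51.100.7", 8080, MAGIC + b"\x00" * 60)
BENIGN_FLOW = Flow("10.0.0.5", "198.51.100.9", 80,
                   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    for f in (SAMPLE_C2_FLOW, SHORT_MAGIC_FLOW, BENIGN_FLOW):
        print(f.dst, f.dport, is_suspicious(f), classify_flow(f))
```

Because the layout assumptions are explicit constants, an analyst with a real capture can adjust the magic offset or beacon position without touching the scoring logic.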

MITRE Techniques

  • [T1204.002] User Execution – LNK files are used to trick users into launching the chain that runs PowerShell and downstream scripts; (‘LNK files disguised as document files are difficult to determine maliciousness based on appearance alone’)
  • [T1059.001] PowerShell – PowerShell scripts launched by LNK files create hidden folders, generate files, and start subsequent stages; (‘execute a PowerShell script the same as in previous cases’)
  • [T1059.003] Command and Scripting Interpreter (Windows cmd) – BAT files are executed via cmd.exe to download ZIP fragments, merge them and extract payloads; (‘execute it through the cmd.exe /c C:\Users\Public\Music\hh.bat command.’)
  • [T1059.005] Visual Basic (VBScript) – VBS scripts are executed via wscript to invoke PowerShell and other components as scheduled tasks run; (‘wscript.exe /b “C:windirr11.vbs”’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – XML Task Scheduler files are registered (e.g., Microsoft_Upgrade{…}, GoogleExtension{…}) to persistently execute VBS/PS1/Python payloads; (‘a Task Scheduler named Microsoft_Upgrade{10-9903-09-821392134} is then registered’)
  • [T1105] Ingress Tool Transfer – Attackers download ZIP archives, split fragments, Python interpreters and scripts from attacker-controlled URLs to the victim for later execution; (‘the BAT file downloads a ZIP file and a decoy file’)
  • [T1102] Web Service – The threat actor uses Dropbox as a C2/exfiltration service to transmit stolen data and retrieve payloads; (‘the threat actor used the Dropbox service as a C2 channel for information transmission’)
  • [T1041] Exfiltration Over C2 Channel – Collected host information is uploaded to the actor’s Dropbox account using filenames in the format __info.ini; (‘the stolen information is uploaded with a file name in the format of __info.ini’)
  • [T1071] Application Layer Protocol – The Python backdoor communicates with the C2 using a custom fixed-size (4096 bytes) protocol and magic bytes to receive commands and return data to 45.95.186[.]232:8080; (‘communicates with a fixed-size (4096 bytes) custom protocol based on magic bytes (0x99 0x0A 0xBD 0x99)’)
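The T1053.005 entry above notes that persistence is an XML Task Scheduler registration with a recognisable name family (Microsoft_Upgrade{…}, GoogleExtension{…}, GoogleUpdateTaskMachineCGI__{…}) whose action launches a script host against a script in a user-writable folder. As an added example that is not part of the report, the function below triages exported task XML for those traits. The task XML and paths are constructed for the demo (the Microsoft_Upgrade name is the one quoted in the report; the dropped-script path follows the C:\Users\Public\Music location quoted under T1059.003), and the set of "writable roots" is an assumption.

```python
"""Added example (not ASEC's code): flag Task Scheduler XML exports that show
the persistence traits described for this Kimsuky chain."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Task Scheduler XML namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task-name families quoted in the report; the bodies inside {} are matched loosely.
NAME_PATTERNS = [
    re.compile(r"GoogleUpdateTaskMachineCGI__\{[0-9A-Fa-f-]+\}"),
    re.compile(r"Microsoft_Upgrade\{[0-9-]+\}"),
    re.compile(r"GoogleExtension\{[^}]+\}"),
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "python.exe", "pythonw.exe"}
SCRIPT_EXTS = {".vbs", ".bat", ".ps1", ".py"}
# Assumption: user-writable drop locations worth flagging when a task points into them.
WRITABLE_ROOTS = ("c:\\users\\public\\", "c:\\programdata\\")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')   # bare or quoted absolute Windows paths


def triage_task_xml(xml_text: str) -> list:
    """Return findings (empty list means nothing matched) for one task XML document."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]          # last path element of \Folder\TaskName
    findings = []
    if any(p.fullmatch(name) for p in NAME_PATTERNS):
        findings.append(f"task name matches Kimsuky naming family: {name}")
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        host = PureWindowsPath(cmd).name.lower()
        if host in SCRIPT_HOSTS:
            findings.append(f"action launches script host {host}")
        for path in WIN_PATH.findall(f"{cmd} {args}"):
            if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS:
                findings.append(f"action references script file {path}")
            if path.lower().startswith(WRITABLE_ROOTS):
                findings.append(f"path under user-writable root: {path}")
    return findings


# --- constructed sample task definitions (not real exports) ---
SUSPICIOUS_TASK_XML = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft_Upgrade{10-9903-09-821392134}</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command><Arguments>/c C:\Users\Public\Music\hh.bat</Arguments></Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(xml_text))
```

On a live host the same function can be fed the output of `schtasks /query /xml` or the files under the Tasks folder; the name patterns are deliberately loose so that a rotated GUID or number body still matches the family.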

Indicators of Compromise

  • [MD5 Hash] malware/sample hashes referenced in the report – 059bb6c439ffedc61d9168c23552202c, 0633d5f93a5f08a909c039a3f7e90830, and 3 more hashes
  • [URL] attacker-controlled download and fragment URLs – hxxps://qugesr.online/dwparts_view/view.php?in=comm.part000, hxxps://quickcon.store/man/logo.php?au=beauty.part000, and 3 more URLs
  • [FQDN] domains hosting payloads and fragments – qugesr[.]online, zoommet[.]site, and 2 more FQDNs (racswera[.]online, whaincloud[.]store)
  • [IP Address] C2 server – 45[.]95[.]186[.]232 (backdoor command-and-control endpoint on port 8080)
  • [File Name] malicious and decoy filenames observed – “Resume (Sungmin Park).hwp.lnk”, “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk” (LNK decoys)
  • [Payload Name] final payload filenames – C:winiibeauty.py (Python backdoor), can.py (Python script in historic ZIP)


Read more: https://asec.ahnlab.com/en/93151/