Kimsuky, a North Korea-aligned threat group, has shifted toward using AutoIt-based Amadey and RftRAT alongside XRat in LNK-driven campaigns to gain remote access and exfiltrate data. The report details how LNK files, BAT/VBS scripts, and AutoIt loaders are used for initial access, payload delivery, and post-infection information theft. #Kimsuky #AutoIt #Amadey #RftRAT #XRat #QuasarRAT
Keypoints
- The Kimsuky group frequently uses spear phishing to target defense, government, media, and academic sectors, delivering malicious LNK files contained in compressed attachments or links.
- LNK files decrypt and execute embedded script malware (BAT/VBS), which can install backdoors such as XRat, Amadey, and RftRAT from external sources.
- XRat loader (ht.dll) and configuration data are used to decrypt and inject payloads, while Amadey serves as a downloader and exfiltration tool.
- Post-infection activity includes keylogging, infostealer capabilities, Mimikatz, and RDP-related tools to facilitate data theft and remote access.
- Indicators of compromise include specific MD5 hashes, domains, IPs, and C2 URLs linked to Amadey and RftRAT campaigns.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – ‘By attaching files or including download links in the emails, the threat actor prompted users to download the compressed file and execute the LNK shortcut file inside.’
- [T1027] Obfuscated Files and Information – ‘The LNK file contains an encrypted compressed file…’
- [T1059] Command and Scripting Interpreter – ‘BAT and VBS scripts inside can either be used for executing other scripts…’
- [T1055] Process Injection – ‘RftRAT … injected into svchost.exe … and run.’
- [T1547.001] Registry Run Keys / Startup Folder – ‘creates the path “%ALLUSERSPROFILE%\Startup” and registers it to the Startup folder.’
- [T1071.001] Web Protocols – ‘C&C server addresses’ and ‘The HTTP packet structure … to the C&C server’
- [T1003] OS Credential Dumping – ‘Mimikatz and RDP Wrapper, which have both been steadily used for many years.’ (Of the two, only Mimikatz dumps credentials; RDP Wrapper is used to enable RDP access to the infected host.)
Indicators of Compromise
- [MD5] – f5ea621f482f9ac127e8f7b784733514, 7b6471f4430c2d6907ce4d349f59e69f, and many other hashes (Downloader/Win.Amadey.R626032, etc.)
- [Domain] – prohomepage[.]net, brhosting[.]net, topspace[.]org, theservicellc[.]com, splitbusiness[.]com, techgolfs[.]com (all contacted at the path /index.php)
- [IP] – 45.76.93[.]204:56001, 91.202.5[.]80:52030, 172.93.201[.]248:8083, 172.93.201[.]248:52390, 23.236.181[.]108:52390
- [File name / DLL / EXE] – NsiService.exe, GBIA.exe, GBIC.exe, GPIA.dll, svc4615.dll, svc7014.dll, ad54.dat, mtms1929.dll, rtm8668.dll
- [PDB] – E:_WORKMy_WorkExploitSpyware_spyRATRFT_Socket_V3.2Releaserft.pdb
- [URL] – hxxps://prohomepage[.]net/index.php, hxxp://brhosting[.]net/index.php, hxxps://topspace[.]org/index.php
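The indicator list above is published defanged (`[.]`, `hxxp`), so it cannot be grepped against logs as-is, and the IP entries are socket pairs: a connection to one of those hosts on a different port is still worth a look but is weaker evidence than an exact match. The script below, an added example that is not code from the ASEC report, refangs the published indicators and runs them over a handful of constructed proxy, DNS, flow and Sysmon-style lines, reporting exact-socket hits separately from same-host/other-port hits and matching the file names from the report only in their lower-cased form. The log lines, field names and the `Hit` record are assumptions for illustration.

```python
"""Hunt the Kimsuky / Amadey / RftRAT IoCs listed above in sample logs.

Added example, not code from the ASEC report. IoC values are copied from
the page as published (defanged); the log lines below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

IOC_MD5 = {"f5ea621f482f9ac127e8f7b784733514", "7b6471f4430c2d6907ce4d349f59e69f"}
IOC_URLS = ["hxxps://prohomepage[.]net/index.php", "hxxp://brhosting[.]net/index.php",
            "hxxps://topspace[.]org/index.php"]
IOC_DOMAINS = ["theservicellc[.]com", "splitbusiness[.]com", "techgolfs[.]com"]
IOC_SOCKETS = ["45.76.93[.]204:56001", "91.202.5[.]80:52030", "172.93.201[.]248:8083",
               "172.93.201[.]248:52390", "23.236.181[.]108:52390"]
IOC_FILES = {"nsiservice.exe", "gbia.exe", "gbic.exe", "gpia.dll", "svc4615.dll",
             "svc7014.dll", "ad54.dat", "mtms1929.dll", "rtm8668.dll"}


def refang(value: str) -> str:
    """Undo the [.] / hxxp defanging used in the published IoC list."""
    return value.replace("[.]", ".").replace("hxxp", "http")


URLS = {refang(u) for u in IOC_URLS}
# A C2 URL implies its host; DNS logs only show the host, so hunt both forms.
DOMAINS = {refang(d) for d in IOC_DOMAINS} | {urlparse(u).hostname for u in URLS}
SOCKETS = {tuple(refang(s).rsplit(":", 1)) for s in IOC_SOCKETS}   # (ip, port)
C2_IPS = {ip for ip, _ in SOCKETS}

RE_MD5 = re.compile(r"\b[0-9a-f]{32}\b")
RE_URL = re.compile(r"https?://[^\s\"']+")
RE_HOST = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
RE_SOCKET = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
RE_FILE = re.compile(r"\b[a-z0-9]+\.(?:exe|dll|dat)\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str     # md5 | url | domain | c2_socket | c2_ip | filename
    value: str


def scan_line(line_no: int, line: str) -> list:
    """Return every IoC match in one log line; matching is case-insensitive."""
    text = line.lower()
    hits = []
    hits += [Hit(line_no, "md5", m) for m in RE_MD5.findall(text) if m in IOC_MD5]
    hits += [Hit(line_no, "url", m) for m in RE_URL.findall(text) if m in URLS]
    hits += [Hit(line_no, "domain", m) for m in RE_HOST.findall(text) if m in DOMAINS]
    for ip, port in RE_SOCKET.findall(text):
        if (ip, port) in SOCKETS:
            hits.append(Hit(line_no, "c2_socket", f"{ip}:{port}"))
        elif ip in C2_IPS:   # known C2 host, but a port the report does not list
            hits.append(Hit(line_no, "c2_ip", f"{ip}:{port}"))
    hits += [Hit(line_no, "filename", m) for m in RE_FILE.findall(text) if m in IOC_FILES]
    return hits


def scan(lines) -> list:
    """Scan an iterable of log lines, numbering them from 1."""
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]


# Constructed sample lines (assumption: proxy, DNS, flow and Sysmon-like formats).
SAMPLE_LOGS = [
    '2024-01-09T10:01:02Z proxy src=10.0.0.5 url="https://prohomepage.net/index.php" method=POST bytes=412',
    '2024-01-09T10:01:05Z dns client=10.0.0.5 query=techgolfs.com type=A',
    '2024-01-09T10:02:11Z flow src=10.0.0.5:49812 dst=172.93.201.248:52390 proto=tcp',
    '2024-01-09T10:02:30Z flow src=10.0.0.5:49813 dst=172.93.201.248:443 proto=tcp',
    '2024-01-09T10:03:00Z sysmon EventID=1 Image=C:\\ProgramData\\Startup\\NsiService.exe '
    'Hashes=MD5=F5EA621F482F9AC127E8F7B784733514',
    '2024-01-09T10:03:05Z proxy src=10.0.0.6 url="https://example.org/index.php" method=GET bytes=120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Line 4 of the sample is the kind of record the socket split exists for: the destination host is on the report's list, but the port is not, so it is reported as `c2_ip` rather than `c2_socket` and should be triaged rather than treated as a confirmed C2 session. The `/index.php` path on its own (line 6) is deliberately not an indicator, since it is far too common to hunt on without the host.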
Read more: https://asec.ahnlab.com/en/59590/