Kimsuky, a North Korea–sponsored threat group, leverages spearphishing and a suite of backdoors, infostealers, and remote-control tools to gain access and exfiltrate data from targets. The operation prominently relies on RDP and related tools (including RDP wrappers, VNC, and Chrome Remote Desktop) to maintain control, with newer malware like RevClient and BabyShark variants driving ongoing intrusions. #Kimsuky #BabyShark #RevClient #ChromeRemoteDesktop #RDPWrapper #xRAT
Key points
- Kimsuky conducts spear-phishing attacks targeting national defense, diplomatic, academic sectors, and associated industries to gain initial access.
- After access, the group deploys backdoors and infostealers (e.g., BabyShark components) and uses legitimate tools to control infected systems.
- Remote control is predominantly via Remote Desktop Protocol (RDP); in environments without RDP, RDP Wrapper and related tools are used to enable access and multiple sessions.
- New malware like RevClient and injector variants (e.g., desktop.r7u, process.exe) are added to extend capabilities and persistence, including port forwarding and account management.
- BabyShark modules include k.ps1 (a keylogger) and OneNote.vbs (which executes k.ps1); other loaders and injectors (pow.ps1, desktop.r3u) are involved.
- The attackers frequently modify C2 addresses and use Base64-encoded configuration data to control and retrieve commands and exfiltrated data.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Used to gain initial access via targeted emails; “the group usually launches spear phishing attacks on the national defense, diplomatic, and academic sectors”.
- [T1059.001] PowerShell – Deploys k.ps1 as a keylogger and uses PowerShell-based components; “k.ps1, a keylogger, and the file ‘OneNote.vbs’ which executes ‘k.ps1’.”
- [T1059.007] VBScript – Uses VBScript (OneNote.vbs) to execute PowerShell payloads; “OneNote.vbs which executes ‘k.ps1’.”
- [T1021.001] Remote Services: Remote Desktop Protocol – The primary remote-control method is RDP; “The most commonly used method for remote control is Remote Desktop Protocol (RDP).”
- [T1036] Masquerading – Disguises components by renaming them, e.g., changing “the file name of termsrv.dll to termsrv.pdb” as part of the patching used to bypass RDP session limits.
- [T1136] Create Account – Adds a new admin user (IIS_USER) to control the infected system; “an account named ‘IIS_USER’ is created and added to the admin group.”
- [T1055] Process Injection – Injects into legitimate processes via injector components (e.g., desktop.r7u and process.exe); “the injector” and “injecting into ‘MSBuild.exe’.”
- [T1027] Obfuscated Files and Information – Encodes configuration and commands in Base64; “AllSettings encrypted in Base64.”
Indicators of Compromise
- [IP] context – 5.61.59[.]53 – RevClient C2 host address used for command and control.
- [Domain] context – onessearth.online, powsecme.co – C2 domains associated with BabyShark operations.
- [MD5] context – Keylogger/Loader/Injector hashes – ad9a3e893abdac7549a7d66ca32142e8, 116a71365b83cc38211ccfc8059b363e and 7 more hashes.
- [File Name] context – k.ps1, OneNote.vbs – Keylogger and loader components used in the infection chain.
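The MITRE techniques and the indicators above translate directly into host-level detection logic. The following is an added example (not code from the original report or from AhnLab) that runs a handful of rules over constructed, Sysmon/Security-log-style events: a script host spawning PowerShell with a known BabyShark file name, creation of the IIS_USER account and its addition to Administrators, a rename of termsrv.dll, a connection to the listed C2 indicators, and a Base64-encoded PowerShell command line. The event field names, the sample events, and the encoded-command scenario are assumptions made for illustration; only the IoC values and file names come from the summary.

```python
"""Rule-based triage of constructed endpoint events against the Kimsuky/BabyShark
TTPs and IoCs from the summary. The event schema is an assumption, not a real
log format; the IoC values are the ones listed in the summary."""
import base64
import re
from collections import defaultdict

# Indicators taken from the summary (the two full MD5s it prints).
C2_IPS = {"5.61.59.53"}
C2_DOMAINS = {"onessearth.online", "powsecme.co"}
KNOWN_MD5 = {"ad9a3e893abdac7549a7d66ca32142e8", "116a71365b83cc38211ccfc8059b363e"}
SUSPECT_FILES = {"k.ps1", "onenote.vbs", "pow.ps1", "desktop.r3u", "desktop.r7u", "process.exe"}
SUSPECT_ACCOUNT = "iis_user"

# Matches "-e", "-ec", "-enc" or "-EncodedCommand" followed by a Base64 blob (assumed usage).
ENCODED_CMD_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded UTF-16LE payload of an encoded PowerShell command, or None."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev: dict) -> list:
    """Apply the detection rules to one event and return human-readable findings."""
    findings = []
    t = ev["type"]
    if t == "process":
        img, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
        if parent.endswith(("wscript.exe", "cscript.exe")) and img.endswith("powershell.exe"):
            findings.append("T1059.007 -> T1059.001: script host spawned PowerShell")
        if any(name in cmd for name in SUSPECT_FILES):
            findings.append("known BabyShark component name in command line")
        if ev.get("md5", "").lower() in KNOWN_MD5:
            findings.append("MD5 matches a reported sample")
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append("T1027: encoded PowerShell, decodes to: " + decoded)
    elif t == "account_created" and ev["target"].lower() == SUSPECT_ACCOUNT:
        findings.append("T1136: reported account name IIS_USER created")
    elif t == "group_member_added" and ev["group"].lower() == "administrators":
        findings.append(f"T1136: {ev['member']} added to Administrators")
    elif t == "file_rename" and ev["src"].lower().endswith("termsrv.dll"):
        findings.append("T1036: termsrv.dll renamed (RDP Wrapper-style patching)")
    elif t == "network" and (ev["dst_ip"] in C2_IPS or ev["dst_host"].lower() in C2_DOMAINS):
        findings.append("network destination matches reported C2 indicator")
    return findings


def triage(events) -> dict:
    """Group findings by host; hosts with no findings are omitted."""
    report = defaultdict(list)
    for ev in events:
        for finding in check_event(ev):
            report[ev["host"]].append(finding)
    return dict(report)


# Constructed sample events: ws01 shows the reported chain, ws02 is benign.
ENCODED = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -f C:\Users\Public\k.ps1",
     "md5": "ad9a3e893abdac7549a7d66ca32142e8"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + ENCODED, "md5": "0" * 32},
    {"type": "account_created", "host": "ws01", "target": "IIS_USER"},
    {"type": "group_member_added", "host": "ws01", "group": "Administrators", "member": "IIS_USER"},
    {"type": "file_rename", "host": "ws01", "src": r"C:\Windows\System32\termsrv.dll",
     "dst": r"C:\Windows\System32\termsrv.pdb"},
    {"type": "network", "host": "ws01", "dst_ip": "5.61.59.53", "dst_port": 443, "dst_host": ""},
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe", "md5": "1" * 32},
    {"type": "network", "host": "ws02", "dst_ip": "93.184.216.34", "dst_port": 443, "dst_host": "example.com"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host)
        for f in findings:
            print("  -", f)
```

The rules are deliberately independent so that a single renamed file or a rotated C2 address (the summary notes the group changes C2 addresses frequently) does not silence the whole chain; the account-creation and termsrv.dll rules in particular fire regardless of which IoC values are current.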
Read more: https://asec.ahnlab.com/en/57873/