Malware Disguised as Installer from Korean Public Institution (Kimsuky Group) – ASEC BLOG

AhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. [1]

While there are no records of the dropper being used in actual attacks, there was an attack case that involved the backdoor created by the dropper at around the same period as when the dropper was collected. The threat actor used the backdoor to download additional malware or install screenshot-taking malware. Endoor is constantly employed in other attacks as well; in the past, it has been used alongside Nikidoor, which is distributed via spear phishing attacks.

1. Dropper Disguised as Installer from Korean Public Institution

The dropper was disguised as an installer for a certain public institution in South Korea. It used the logo of the institution for its icon, and relevant keywords could be found in the version information and setup page. To add on, there is no legitimate program with a version identical to this. This suggests that the malware was simply made to look like any other legitimate program with no intention of disguising itself as an existing program. Even in the installation process, the malware is the only program that is installed in a normal way.

Figure 1. Malware disguised as a program from Korean public institution

The dropper fabricated its version information and is also signed with a valid certificate from a Korean company. When the dropper is executed, it creates a compressed file named “src.rar” and the tool WinRAR under the name “unrar.exe” that were inside the dropper. Afterward, it uses WinRAR to decompress the file with the password “1q2w3e4r” to create and execute the backdoor.

Figure 2. Dropper’s process tree

2. Endoor Backdoor

The dropper executes the backdoor with the argument “install”. Given the argument, the backdoor copies itself into the “%USERPROFILE%svchost.exe” path and registers itself to the Task Scheduler under the name “Windows Backup”. The Task Scheduler executes the backdoor with the “backup” argument, after which the backdoor accesses the C&C server to be ready to receive commands.

The backdoor is developed in Golang and is obfuscated, but it is the same type as the one found in the previous case. It was signed with the same certificate as TrollAgent covered in the post “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. In this post, it is classified as Endoor because it contains the following keyword.

Figure 3. Endoor backdoor developed in Golang – previous version

Endoor is a backdoor that sends basic information about the infected system, with features such as command execution, file upload and download, process-related tasks, and Socks5 proxy. QiAnXin China’s Threat Intelligence Center released a detailed analysis of this malware in the past, although it was not separately classified. [2]

3. Attack Case #1

The AhnLab Smart Defense (ASD) infrastructure showed a record of Endoor having been used in an attack, but it is not certain whether the backdoor was installed using the dropper covered above or through a different route. The following logs are presumed to show the Kimsuky group updating Endoor to another binary. It was downloaded from an external source using Curl, under the name “rdpclip.dat”. While the file was not identified, because the “install” argument was given upon execution and also the file size, it is believed to be a different version of Endoor.

Figure 4. Logs of Endoor being downloaded using Curl – Presumed

Aside from these, the threat actor installed Mimikatz in the “%ALLUSERSPROFILE%cache.exe” path before using it, and the argument “sekurlsa::logonpasswords” was identified in the execution logs shown below.

Figure 5. Stealing account credentials from the infected system using Mimikatz

Among the installed malware, there is one that captures and exfiltrates screenshots from the infected systems. This malware was created using Kbinani’s screenshot library [3], and the threat actor implemented the feature of taking screenshots and even leaking them. The exfiltration address is a local host (“hxxp://127.0.0.1:8080/recv”). This may signify that the threat actor already installed a proxy in the infected system and is using this to exfiltrate data to an external source.

Figure 6. Source code information of the screenshot-taking malware

4. Attack Case #2 (Nikidoor)

The recently distributed Endoor uses “ngrok-free[.]app” for its C&C server, which is Ngrok’s free domain address. After the case above was identified in February 2024, the version of Endoor that was additionally discovered in March 2024 also used the same arguments “install” and “backup” and “ngrok-free[.]app” as the C&C server.

Figure 7. Endoor’s C&C communications packet

Additionally, the address above was also used to distribute Nikidoor, which shares the C&C server address as well. Nikidoor is a backdoor used by the Kimsuky group and was mentioned in the post “Kimsuky Targets South Korean Research Institutes with Fake Import Declaration” [4]. This backdoor can steal information about the infected system and perform malicious actions through the commands it receives like other malware such as AppleSeed and Endoor. It is notable for its repeated use of “Niki” in the PDB path.

  • PDB path: C:UsersnikiDownloadsTroyDll.._BinDll.pdb

5. Conclusion

Recently, we have been continuously observing the Kimsuky group distributing malware signed with a valid certificate from a Korean company. The threat actor installs a backdoor at the last stage of the attack and can use this to extort information about the users in the infected systems.

Given this information, users must update V3 to the latest version to prevent malware infection.

File Detection
– Dropper/Win.Endoor.C5593202 (2024.02.25.01)
– Backdoor/Win.Endoor.C5593201 (2024.02.25.01)
– Backdoor/Win.KimGoBack.C5385331 (2024.02.20.03)
– Backdoor/Win.Endoor.C5598434 (2024.03.09.00)
– Backdoor/Win.Nikidoor.C5598774 (2024.03.10.00)

Behavior Detection
– Execution/MDP.Event.M18

IoC
MD5

– b74efd8470206a20175d723c14c2e872: Dropper – Signed with a legitimate certificate (*App.exe)
– 7034268d1c52539ea0cd48fd33ae43c4: Endoor (svchost.exe)
– f03618281092b02589bca833f674e8a0: Screenshot grabber (ag.dat)
– b8ffb0b5bc3c66b7f1b0ec5cc4aadafc: Endoor – Additionally identified (eng.db)
– 7beaf468765b2f1f346d43115c894d4b : Nikidoor (c.pdf)

C&C URLs
– hxxps://real-joey-nicely.ngrok-free[.]app/mir/index.php: Endoor
– hxxps://fitting-discrete-lemur.ngrok-free[.]app/minish/index.php: Endoor – Additionally identified
– hxxp://minish.wiki[.]gd/index.php: Endoor – Additionally identified, Nikidoor
– hxxp://minish.wiki[.]gd/upload.php : Nikidoor

Download URLs
– hxxp://210.16.120[.]210/rdpclip.dat: For downloading Endoor (Presumed)
– hxxp://minish.wiki[.]gd/eng.db: Endoor – Additionally identified
– hxxp://minish.wiki[.]gd/c.pdf : Nikidoor

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

MITRE TTP :

  1. Tactic: Initial Access (TA0001)
    • Technique: Spearphishing Attachment (T1566.001): The group uses spear phishing emails to deliver malware, such as the dropper disguised as an installer from a Korean public institution.
  2. Tactic: Execution (TA0002)
    • Technique: Command and Scripting Interpreter (T1059): The group uses PowerShell scripts for execution, as seen in the use of Curl to download additional malware.
    • Technique: User Execution (T1204): The malware relies on the user executing the dropper, which is disguised as a legitimate installer.
  3. Tactic: Persistence (TA0003)
    • Technique: Scheduled Task/Job: Scheduled Task (T1053.005): The Endoor backdoor registers itself to the Task Scheduler to maintain persistence on the infected system.
  4. Tactic: Defense Evasion (TA0005)
    • Technique: Obfuscated Files or Information (T1027): The malware uses obfuscation techniques, such as encrypting the payload with a password.
    • Technique: Valid Accounts: Code Signing (T1078.001): The dropper is signed with a valid certificate from a Korean company to evade detection.
  5. Tactic: Credential Access (TA0006)
    • Technique: OS Credential Dumping: LSASS Memory (T1003.001): The group uses Mimikatz to steal account credentials from the infected system.
  6. Tactic: Collection (TA0009)
    • Technique: Screen Capture (T1113): The group installs screenshot-taking malware to capture and exfiltrate screenshots from the infected system.
  7. Tactic: Command and Control (TA0011)
    • Technique: Application Layer Protocol: Web Protocols (T1071.001): The backdoor communicates with the C&C server using HTTP.
    • Technique: Proxy: External Proxy (T1090.002): The group may use a proxy installed on the infected system to exfiltrate data.
  8. Tactic: Exfiltration (TA0010)
    • Technique: Exfiltration Over Web Service (T1567): Data is exfiltrated to a local host, which may indicate the use of a proxy to send data to an external source.

Source: https://asec.ahnlab.com/en/63396/