Researchers in South Korea have discovered a fresh wave of activity from the Kimsuky hacking organization, employing commodity open-source remote access tools distributed with their own backdoor, Gold Dragon. Kimsuky, also known as TA406, is a North Korean state-sponsored hacker group that has been actively engaging in cyber-espionage efforts since 2017. The organization has shown amazing operational adaptability and threat activity diversity, participating in malware distribution, phishing, data harvesting, and even cryptocurrency theft.
Beginning in January 2021, TA406 began delivering malware payloads through phishing emails that led to 7z archives. These archives contained an EXE file with a double extension that made it appear to be a .HTML file. If the file is opened, it will launch a scheduled activity called "Twitter Alarm," which will allow the actors to drop new payloads every 15 minutes. When run, the EXE opens a web browser to a PDF version of a valid NK News item housed on the actor's infrastructure, hoping to fool the victim into thinking they're reading a post on a news site.
Kimsuky used xRAT in targeted assaults against South Korean entities in the most recent campaign, as discovered by experts at ASEC (AhnLab). The campaign began on January 24, 2022. xRAT is a free and open-source remote access and administration program that may be downloaded from GitHub. Keylogging, remote shell, file manager operations, reverse HTTPS proxy, AES-128 communication, and automated social engineering are among the functions provided by the malware.
A sophisticated threat actor may choose to deploy commodity RATs for basic reconnaissance activities and do not require much configuration. This enables threat actors to concentrate their efforts on designing later-stage malware that necessitates more specialized functionality dependent on the security tools/practices available on the target.
Kimsuky often deploys Gold Dragon as a second-stage backdoor after a fileless PowerShell-based first-stage assault that employs steganography. This malware has been recorded in a 2020 report by Cybereason and a 2021 analysis by Cisco Talos researchers, therefore it is not new. However, as ASEC describes in its study, the variation found in this latest campaign has additional functions such as the exfiltration of basic system information.
The malware no longer leverages system processes for this operation, instead installs the xRAT tool to manually steal the required information. The RAT disguises itself as an executable called cp1093.exe, which copies a regular PowerShell process (powershell_ise.exe) to the “C:\ProgramData\” path and executes via process hollowing.