A North Korean state-sponsored hacking group, Kimsuky, aka TA406, has demonstrated operational versatility with various malware distribution, phishing, data collection, and cryptocurrency theft campaigns. Recently, Kimsuky has been found using open-source remote access tools to deploy their custom backdoor.
Unleashing Gold Dragon with xRAT
ASEC researchers have identified that the latest campaign started on January 24 and is still ongoing against South Korean entities.
The Kimsuky group launches a file-less PowerShell-based first-stage attack that leverages steganography.
The second-stage backdoor is a custom Gold Dragon variant. Gold Dragon installs xRAT (an open-source RAT based on Quasar RAT) via a process hollowing technique for basic reconnaissance operations.
xRAT is a commodity RAT that allows remote control of the system to perform information theft.
Further, Kimsuky attempts to disable real-time detection features in AhnLab's AV products and distributes an additional file (UnInstall_kr5829.co.in.exe) to delete traces of the attack from the target PC.
Scam, spy, and steal theory
Since its emergence, Kimsuky has used everything from sextortion to espionage, including the abuse of legitimate services for financial gain, to target South Korean entities.
Throughout 2021, the group launched frequent credential theft campaigns targeting research, education, government, and non-governmental organizations, as well as journalists, foreign policy experts, media outlets, and others.
It deployed a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of implants to target high-value South Korean geopolitical and aerospace research agencies.
Kimsuky is a highly motivated hacking group that has recently introduced some minor tweaks and adopted new commodity tools with similar anti-analysis features and periodic time-based C&C calls to steal and exfiltrate data. Its earlier campaigns were low in volume, but its recent persistence in attacks is worrisome for the targeted organizations.