VNC Malware (TinyNuke, TightVNC) Used by Kimsuky Group

While monitoring Kimsuky-related malware, the ASEC analysis team has recently discovered that VNC malware was installed via AppleSeed remote control malware.

VNC, also known as Virtual Network Computing, is a screen sharing system that remotely controls other computers. Similar to the commonly-used RDP, it is used to remotely access and control other systems.

Kimsuky group installs AppleSeed backdoor on the target system after the initial compromise, then additionally installs VNC malware via AppleSeed to ultimately control the target system in a graphical environment. One of the VNC malware that is installed is TinyNuke.

1. TinyNuke (HVNC)

TinyNuke, also known as Nuclear Bot, is a banking malware discovered in 2016, and it includes features such as HVNC (HiddenDesktop/VNC), reverse SOCKS4 proxy, and form grabbing. Due to its source code revealed in 2017, TinyNuke is used by various attackers, and the HVNC feature is partially borrowed by other malware such as AveMaria and BitRAT.

Among the various features of TinyNuke that are being distributed, only the HVNC feature is enabled. A difference between normal VNC and HVNC used by TinyNuke is that the user does not realize that the PC is infected and its screen is being controlled. The following shows the process tree when HVNC is enabled.

Figure 1. Process tree upon using HVNC

explorer.exe (PID: 3140) is the child process of explorer.exe (PID: 2216), and is found in the process tree. The attacker is able to control the screen via the new explorer.exe (PID: 3140), and the GUI (Graphical user interface) of the process created while the attacker is controlling the target PC is not visible on the target PC screen. This type of VNC remote access is called HVNC (Hidden Virtual Network Computing).

Another characteristic is that it uses the reverse VNC method. VNC consists of a server and a client. It installs the VNC server on the control target system, and the user who wishes to control the system remotely uses the VNC client. It gains control of the VNC client by going through the VNC server installed on the remote control target system.

In a normal VNC environment, it attempts to access the remote control target (VNC server) via the VNC client. However, HVNC of TinyNuke attempts to access the client from the server with the reverse VNC feature. This means that when HVNC of the infected system is run, the awaiting attacker accesses the designated C&C server and uses the VNC client (server for HVNC) on the C&C server to gain remote control. It is assumed that this is to bypass firewalls such as Reverse Shell that blocks internal access from the outside and to support communication in a private IP environment.

Figure 2. Attacker’s HVNC screen

Note that TinyNuke uses “AVE_MARIA” string for verification when establishing HVNC communication between the server and the client. This means that when “AVE_MARIA” string is sent from the HVNC client to the server, the server verifies the name, and HVNC communication can be enabled if “AVE_MARIA” is correct.

Figure 3. AVE_MARIA string used in HVNC

This is identical to that of HVNC used by Kimsuky group, however, recently there have been HVNCs using “LIGHT’s BOMB” string.

Figure 4. “LIGHT’S BOMB” string used in place of AVE_MARIA

2. TightVNC (VNC)

Another VNC malware distributed via AppleSeed backdoor is TightVNC. TightVNC is an open-source VNC utility, and the attacker customizes it to use it. TightVNC can be regarded as a normal VNC utility, but it is different in that it supports the reverse VNC feature discussed earlier.

TightVNC consists of tvnserver.exe, the server module, and tvnviewer.exe, the client module. In a normal environment, it installs tvnserver on the remote control target and accesses the target using tvnviewer in the user environment. In order to use the reverse VNC feature, it runs tvnviewer as a listening mode on the client, then uses tvnserver that is installed as a service on the access target system to set the client address using controlservice and connect commands for access gain.

Kimsuky group distributes tvnserver, and it is customized so that the reverse VNC feature can be used in the infected environment without installing a service. Simply running tvnserver will allow the attacker to access tvnviewer that operates on the C&C server and gain control of the screen of the infected system.

Figure 5. Reverse VNC communication using tvnviewer

3. Conclusion

As introduced in the previous blog post, Kimsuky group uses AppleSeed to install Meterpreter, a different backdoor malware, and uses TinyNuke, TightVNC and RDP Wrapper for screen control. There is also evidence of the use of Mimikatz for account info-stealing.

FeatureTool Name
Remote ControlAppleSeed, Meterpreter
Screen ControlTinyNuke, TightVNC, RDP Wrapper
Account Info-stealingPowerkatz
Table 1. Recently-found attack tools used by Kimsuky group

Kimsuky group’s malware trend is being monitored constantly, and users need to take extra caution when opening attachments in emails from unknown sources and refrain from visiting untrusted websites.

  • Alias Information

Trojan/Win.VNC (2021.09.16.00)
Trojan/Win.TinyNuke (2021.09.16.03)
Trojan/Win.HVNC (2021.09.18.01)

  • IOC







Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

4 2 votes
Article Rating
Inline Feedbacks
View all comments