Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed

On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware.

• xRAT Github Address: https://github.com/tidusjar/xRAT

According to the logs collected by AhnLab’s ASD (AhnLab Smart Defense) infrastructure, the attacker installed a variant of Gold Dragon on the first infected PC on January 24th. The basis for assuming that the obtained file is a variant of Gold Dragon is as follows:

• Injection method is same as the method used by the original Gold Dragon (behavior of process hollowing on iexplore.exe, svchost.exe,etc.)
• Feature of terminating AhnLab product’s real-time detection window class (49B46336-BA4D-4905-9824-D282F05F6576)
• Termination of Daum Cleaner (daumcleaner.exe) process

The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.

The installed Gold Dragon has 4 export functions.

• Perform
• Process
• Start
• Work

The installer first executes Gold Dragon by giving the “Start” argument. Once the “Start” export function is executed, Gold Dragon copies itself to a certain path and registers the copied DLL to the autorun registry key. The “Perform” export function is given for DLL execution argument.

It is assumed that the info leaking feature of the variant that was discovered was modularized. The system information acquisition command execution feature that is mainly used by Gold Dragon did not exist in the Gold Dragon variant. This means that additional payloads can be downloaded from the attacker’s server to obtain system information.

• cmd.exe /c ipconfig/all >>”%s” & arp -a >>”%s”
• cmd.exe /c systeminfo >>”%s”
• cmd.exe /c tasklist >>”%s”

The attacker does not obtain information through system processes, but instead additionally installs xRAT (Filename: cp1093.exe) that allows remote control of the system to the infected PC to perform info-stealing features. Once cp1093.exe is executed, it copies a normal powershell process (powershell_ise.exe) to the “C:\ProgramData\”path and executes xRAT via process hollowing technique.

The attacker was also meticulous enough to also distribute an additional file (UnInstall_kr5829.co.in.exe) along with xRAT to delete the traces of attack existing in the target PC.

AhnLab is constantly monitoring and responding to such APT attacks, and users should refrain from opening attachments from emails from unknown sources and update the security software to the latest version to prevent damage by information leakage.

[IOC]

[Installer]
Installer_sk5621.com.co.exe (40b428899db353bb0ea244d95b5b82d9)
Alias (Engine Version): Downloader/Win.Akdoor.C4936791 (2022.01.28.02)

[Gold Dragon]
glu32.dll (4ea6cee3ecd9bbd2faf3af73059736df)
Alias (Engine Version): Backdoor/Win.Akdoor.C4936792 (2022.01.28.02)
C&C : https[:]//sk5621.com[.]co

[xRAT]
cp1093.exe (070f0390aad17883cc8fad2dc8bc81ba)
Alias (Engine Version): Backdoor/Win.XRat.C4936798 (2022.01.28.02)
C&C : 45.77.71[.]50:8082

[Uninstaller]
UnInstall_kr5829.co.in.exe (b841d27fb7fee74142be38cee917eda5)
Alias (Engine Version): Trojan/Win.Akdoor.C4936809 (2022.01.28.02)