On January 26th, 2022, the ASEC analysis team discovered that the Kimsuky group was using xRAT, an open-source RAT based on Quasar RAT.
- xRAT Github Address: https://github.com/tidusjar/xRAT
According to the logs collected by AhnLab’s ASD (AhnLab Smart Defense) infrastructure, the attacker installed a variant of Gold Dragon on the first infected PC on January 24th. The grounds for classifying the obtained file as a Gold Dragon variant are as follows:
- The injection method is the same as that of the original Gold Dragon (process hollowing into iexplore.exe, svchost.exe, etc.)
- It terminates the real-time detection window of AhnLab’s product, located by its window class name (49B46336-BA4D-4905-9824-D282F05F6576)
- It terminates the Daum Cleaner (daumcleaner.exe) process
The attacker installed Gold Dragon through a dedicated installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon from the attacker’s server as a Gzip-compressed file, decompresses it as “in[random 4 digits].tmp” in the %temp% path, then executes it via rundll32.exe.
The installed Gold Dragon has 4 export functions.
- Perform
- Process
- Start
- Work
The installer first executes Gold Dragon with the “Start” argument. When the “Start” export function runs, Gold Dragon copies itself to a certain path and registers the copied DLL under an autorun registry key. The “Perform” export function is the one passed as the execution argument for that registered DLL.

The info-leaking feature of the discovered variant appears to have been split out into a separate module. The system-information collection commands that Gold Dragon mainly uses (listed below) are not present in this variant, which means additional payloads are downloaded from the attacker’s server to obtain system information.
- cmd.exe /c ipconfig/all >>”%s” & arp -a >>”%s”
- cmd.exe /c systeminfo >>”%s”
- cmd.exe /c tasklist >>”%s”
Rather than collecting information through system commands, the attacker additionally installs xRAT (file name: cp1093.exe), which allows remote control of the system, on the infected PC and performs the info-stealing through it. Once cp1093.exe is executed, it copies the legitimate PowerShell ISE binary (powershell_ise.exe) to the “C:\ProgramData\” path and executes xRAT inside that copy via the process hollowing technique.
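The behaviours described in the installer, export-function and xRAT sections above translate into a few process-creation hunting rules. The following is an added example, not ASEC’s or AhnLab’s code: it runs three rules over constructed, simplified Sysmon-style process-creation records (field names are an assumption) and flags (1) rundll32.exe loading an “in[4 digits].tmp” DLL from the %temp% path with one of the four Gold Dragon export names, (2) the cmd.exe /c recon commands that Gold Dragon normally runs with output redirected to a file, and (3) powershell_ise.exe executing from outside C:\Windows, as the hollowed copy in C:\ProgramData\ would. The persistence registry key is not named in the post, so it is not modelled here.

```python
"""Hunting rules for the Gold Dragon / xRAT chain described above (added example).
Log records are constructed, Sysmon-like process-creation events; the field
names (image, cmdline, parent_image) are an assumption, not a real schema."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


# Rule 1: rundll32.exe <...>\Temp\in<4 digits>.tmp,<export> with a Gold Dragon export.
GOLD_DRAGON_EXPORTS = {"perform", "process", "start", "work"}
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]*?\\temp\\in\d{4}\.tmp)"?[,\s]+(?P<export>\w+)',
    re.IGNORECASE,
)


def match_gold_dragon_rundll32(ev: ProcEvent) -> Optional[str]:
    m = _RUNDLL_RE.search(ev.cmdline)
    if m and m.group("export").lower() in GOLD_DRAGON_EXPORTS:
        return f"rundll32 loaded {m.group('dll')} via export {m.group('export')}"
    return None


# Rule 2: cmd.exe /c <recon command> >> "<file>" (the commands listed above).
_RECON = [
    ("ipconfig /all", re.compile(r"ipconfig\s*/all", re.IGNORECASE)),
    ("arp -a", re.compile(r"\barp\s+-a\b", re.IGNORECASE)),
    ("systeminfo", re.compile(r"\bsysteminfo\b", re.IGNORECASE)),
    ("tasklist", re.compile(r"\btasklist\b", re.IGNORECASE)),
]


def match_recon_cmd(ev: ProcEvent) -> Optional[str]:
    cl = ev.cmdline
    # Only cmd /c with output appended to a file, as in the Gold Dragon strings.
    if not re.search(r"cmd(?:\.exe)?\s+/c\b", cl, re.IGNORECASE) or ">>" not in cl:
        return None
    hits = [name for name, rx in _RECON if rx.search(cl)]
    return f"cmd /c recon redirected to file: {', '.join(hits)}" if hits else None


# Rule 3: powershell_ise.exe running from outside C:\Windows (hollowing host copy).
def match_relocated_powershell_ise(ev: ProcEvent) -> Optional[str]:
    image = ev.image.lower()
    if image.endswith("\\powershell_ise.exe") and not image.startswith("c:\\windows\\"):
        return f"powershell_ise.exe running outside C:\\Windows: {ev.image}"
    return None


RULES: List[Tuple[str, Callable[[ProcEvent], Optional[str]]]] = [
    ("gold_dragon_rundll32", match_gold_dragon_rundll32),
    ("gold_dragon_recon_cmd", match_recon_cmd),
    ("xrat_hollow_host", match_relocated_powershell_ise),
]


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, detail) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((name, detail))
    return findings


# Constructed sample events: three malicious, three benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\victim\AppData\Local\Temp\in4821.tmp,Start",
              r"C:\Users\victim\Downloads\installer_sk5621.com.co.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ipconfig/all >>"C:\Users\victim\AppData\Local\Temp\out.tmp" & arp -a >>"C:\Users\victim\AppData\Local\Temp\out.tmp"',
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(r"C:\ProgramData\powershell_ise.exe",
              r"C:\ProgramData\powershell_ise.exe",
              r"C:\Users\victim\Downloads\cp1093.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
              r"powershell_ise.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Rule 1 is the high-confidence signal: the %temp%\in####.tmp path plus the export name is specific to this installer, whereas the recon commands in rule 2 are also run by administrators and should be paired with the parent process (rundll32.exe or an unsigned binary) before alerting.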

The attacker was also meticulous enough to distribute an additional file (UnInstall_kr5829.co.in.exe) along with xRAT to delete the traces of the attack from the target PC.

AhnLab is constantly monitoring and responding to such APT attacks. Users should refrain from opening attachments in emails from unknown sources and keep their security software updated to the latest version to prevent damage from information leakage.
[IOC]
[Installer]
Installer_sk5621.com.co.exe (40b428899db353bb0ea244d95b5b82d9)
Alias (Engine Version): Downloader/Win.Akdoor.C4936791 (2022.01.28.02)
[Gold Dragon]
glu32.dll (4ea6cee3ecd9bbd2faf3af73059736df)
Alias (Engine Version): Backdoor/Win.Akdoor.C4936792 (2022.01.28.02)
C&C : https[:]//sk5621.com[.]co
[xRAT]
cp1093.exe (070f0390aad17883cc8fad2dc8bc81ba)
Alias (Engine Version): Backdoor/Win.XRat.C4936798 (2022.01.28.02)
C&C : 45.77.71[.]50:8082
[Uninstaller]
UnInstall_kr5829.co.in.exe (b841d27fb7fee74142be38cee917eda5)
Alias (Engine Version): Trojan/Win.Akdoor.C4936809 (2022.01.28.02)