Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed

On January 26th, 2022, the ASEC analysis team has discovered that the Kimsuky group was using the xRAT (Quasar RAT-based open-source RAT) malware.

According to the logs collected by AhnLab’s ASD (AhnLab Smart Defense) infrastructure, the attacker installed a variant of Gold Dragon on the first infected PC on January 24th. The basis for assuming that the obtained file is a variant of Gold Dragon is as follows:

  • Injection method is same as the method used by the original Gold Dragon (behavior of process hollowing on iexplore.exe, svchost.exe,etc.)
  • Feature of terminating AhnLab product’s real-time detection window class (49B46336-BA4D-4905-9824-D282F05F6576)
  • Termination of Daum Cleaner (daumcleaner.exe) process

The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.

The installed Gold Dragon has 4 export functions.

  • Perform
  • Process
  • Start
  • Work

The installer first executes Gold Dragon by giving the “Start” argument. Once the “Start” export function is executed, Gold Dragon copies itself to a certain path and registers the copied DLL to the autorun registry key. The “Perform” export function is given for DLL execution argument.

Figure 1. Path for registry registration and self-copy

It is assumed that the info leaking feature of the variant that was discovered was modularized. The system information acquisition command execution feature that is mainly used by Gold Dragon did not exist in the Gold Dragon variant. This means that additional payloads can be downloaded from the attacker’s server to obtain system information.

  • cmd.exe /c ipconfig/all >>”%s” & arp -a >>”%s”
  • cmd.exe /c systeminfo >>”%s”
  • cmd.exe /c tasklist >>”%s”

The attacker does not obtain information through system processes, but instead additionally installs xRAT (Filename: cp1093.exe) that allows remote control of the system to the infected PC to perform info-stealing features. Once cp1093.exe is executed, it copies a normal powershell process (powershell_ise.exe) to the “C:\ProgramData\”path and executes xRAT via process hollowing technique.

Figure 2. xRAT malware

The attacker was also meticulous enough to also distribute an additional file (UnInstall_kr5829.co.in.exe) along with xRAT to delete the traces of attack existing in the target PC.

Figure 3. Code related to deletion of traces of infection

AhnLab is constantly monitoring and responding to such APT attacks, and users should refrain from opening attachments from emails from unknown sources and update the security software to the latest version to prevent damage by information leakage.

[IOC]

[Installer]
Installer_sk5621.com.co.exe (40b428899db353bb0ea244d95b5b82d9)
Alias (Engine Version): Downloader/Win.Akdoor.C4936791 (2022.01.28.02)

[Gold Dragon]
glu32.dll (4ea6cee3ecd9bbd2faf3af73059736df)
Alias (Engine Version): Backdoor/Win.Akdoor.C4936792 (2022.01.28.02)
C&C : https[:]//sk5621.com[.]co

[xRAT]
cp1093.exe (070f0390aad17883cc8fad2dc8bc81ba)
Alias (Engine Version): Backdoor/Win.XRat.C4936798 (2022.01.28.02)
C&C : 45.77.71[.]50:8082

[Uninstaller]
UnInstall_kr5829.co.in.exe (b841d27fb7fee74142be38cee917eda5)
Alias (Engine Version): Trojan/Win.Akdoor.C4936809 (2022.01.28.02)

5 2 votes
Article Rating
guest
18 Comments
Inline Feedbacks
View all comments
trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] “The attacker put in Gold Dragon via the unique installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed within the type of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” within the %temp% path, then executes it through rundll32.exe.” – ASEC. […]

trackback

[…] „Der Angreifer hat Gold Dragon über das exklusive Installationsprogramm (installer_sk5621.com.co.exe) installiert. Der Installer lädt Gold Dragon komprimiert in Form einer Gzip-Datei vom Server des Angreifers herunter, dekomprimiert sie als „in[random 4 numbers].tmp“ im %temp%-Pfad und führt es dann über rundll32.exe aus.“ – EINE SEKUNDE. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] „Der Angreifer hat Gold Dragon über das exklusive Installationsprogramm (installer_sk5621.com.co.exe) installiert. Der Installer lädt Gold Dragon komprimiert in Form einer Gzip-Datei vom Server des Angreifers herunter, dekomprimiert sie als „in[random 4 numbers].tmp“ im %temp%-Pfad und führt es dann über rundll32.exe aus.“ – EINE SEKUNDE. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] “El atacante instaló Gold Dragon a través del instalador exclusivo (installer_sk5621.com.co.exe). El instalador descarga Gold Dragon comprimido en forma de archivo Gzip del servidor del atacante, lo descomprime como «en[random 4 numbers].tmp” en la ruta %temp%, luego lo ejecuta a través de rundll32.exe”. – UN SEGUNDO. […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] Korean cybersecurity firm AhnLabs published the findings in a new report Tuesday, which states that hackers linked to the Pyongyang-backed Kimsuky group began distributing […]

trackback

[…] “The attacker installed Gold Dragon through the exclusive installer (installer_sk5621.com.co.exe). The installer downloads Gold Dragon compressed in the form of a Gzip file from the attacker’s server, decompresses it as “in[random 4 numbers].tmp” in the %temp% path, then executes it via rundll32.exe.” – ASEC. […]

trackback

[…] 1.KimsukyグループのxRAT*(Qasar RAT)の配布が確認されました。引用:https://asec.ahnlab.com/en/31089/ […]

trackback

[…] Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed […]

trackback

[…] peneliti ASEC, Kimsuky menggunakan varian Naga Emas pintu belakang kustom mereka. Ini adalah pintu belakang tahap […]

trackback

[…] + mehr hier sehen […]