Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)

1. Overview

The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014. Cases of attacks against countries other than South Korea have also been identified since 2017. [1] The group usually employs spear phishing attacks against the national defense sector, defense industries, the press, the diplomatic sector, national organizations, and academic fields to steal internal information and technology from organizations. [2] (This link is only available in Korean.)

Even until recently, the Kimsuky group was still mainly employing spear phishing attacks to gain initial access. What makes the recent attacks different from the previous cases is that more LNK shortcut-type malware are being used instead of malware in Hangul Word Processor (HWP) or MS Office document format. The threat actor led users to download a compressed file through attachments or download links within spear phishing emails. When this compressed file is decompressed, it yields a legitimate document file along with a malicious LNK file.

ASEC is monitoring the Kimsuky group’s attacks using LNK-type malware and is continuously posting identified cases of attacks on the ASEC Blog. The Kimsuky group installs remote control malware to control the infected system after completing such steps to gain initial access. Malware used by the Kimsuky group not only include custom-made such as AppleSeed and PebbleDash [3], but also open-source or commercial malware such as XRat [4], HVNC [5], Amadey [6], and Metasploit Meterpreter [7]. After gaining control, the threat actor ultimately uses RDP or installs Google’s Chrome Remote Desktop [8] to exfiltrate information from the infected system.

Here we analyze Amadey and RftRAT which were recently found being distributed. Amadey and RftRAT were constantly used throughout 2023 alongside XRat. However, recent types showed that they were created with AutoIt. This post also covers Infostealers additionally installed by the Kimsuky group using remote control malware. While remote control-type malware continuously change, the malware installed through these have not changed much in the attacks in 2023.

2. Initial Access

2.1. Spear Phishing Attack

In the year 2023, ASEC covered cases of LNK malware distribution in posts such as “Malicious LNK File Disguised as a Normal HWP Document” [9], “Malicious LNK File Being Distributed, Impersonating the National Tax Service” [10], and “Distribution of Malicious LNK File Disguised as Producing Corporate Promotional Materials” [11].

By attaching files or including download links in the emails, the threat actor prompted users to download the compressed file and execute the LNK shortcut file inside.

2.2. LNK Malware

The LNK file contains an encrypted compressed file, which in turn holds various malware in script format.

Executing the LNK file decompresses the file, and ultimately, the script malware is run. The BAT and VBS scripts inside can either be used for executing other scripts or contain an Infostealer responsible for collecting and exfiltrating information from the infected system. There is also a script for maintaining persistence as well as a downloader that downloads and executes additional payloads from an external source.

As such, malware in script format that run in infected systems install additional malware from an external source, major examples of which are backdoors called XRat, Amadey, and RftRAT. While these malware are all packed with VMP when in distribution, recently, Amadey and RftRAT variants created with AutoIt have been used. After a remote control malware is installed, keyloggers and Infostealers are installed to steal internal information and technology from the organizations.

3. Remote Control Malware

3.1. XRat (QuasarRAT)

XRat is a RAT malware developed in .NET and was created based on QuasarRAT published on GitHub. It was confirmed that the Kimsuky group was using XRat from a much earlier point in time. Recently, instead of in independent executable or DLL file formats, this is being used in attacks as an encrypted payload. It consists of the file “ht.dll” which is the loader, the data file “htsetting.ini” holding the configuration data, and an encrypted payload. This method seems to be for the purpose of bypassing security products.

The loader reads, decrypts, and injects the htsetting.ini file located in the same path. All ht.dll loaders identified so far were packed with VMP, and the decrypted binary contained the following strings used by the threat actor.

The configuration file contains the name of the actual encrypted malware, the RC4 decryption key, and information on the legitimate file to inject into. Ht.dll references this information to read and decrypt the encrypted file before injecting it into a legitimate process. The payload that is injected and run in the end can be another malware besides XRat, depending on the encrypted file.

3.2. Amadey

The Kimsuky group also used Amadey Bot in their attacks. Amadey is a malware that began being sold on illegal forums. It is a downloader that installs additional malware from the C&C server. Besides such downloader features, it can also transmit basic information about the system or exfiltrate screenshots and account credentials saved in web browsers and email clients depending on the settings or whether certain plugins are installed.

The Kimsuky group uses a dropper to install Amadey. This dropper, in DLL format, creates a randomly named hidden folder in the %PUBLIC% path where it drops the files it holds. The compressed file containing the actual Amadey is among the created files, and examining the compression size shows this file to be large, exceeding 300 MB. This is also presumed to be an attempt to evade security products by intentionally increasing the size.

Afterward, it creates the path “%ALLUSERSPROFILE%\Startup” and registers it to the Startup folder. Here, a script named “svc.vbs” is created, which is responsible for maintaining persistence. Amadey, which is loaded and executed through the Rundll32.exe process, goes through svchost.exe before being injected into the iexplore.exe process and run.

Even in 2023, the threat actor installed Amadey in many of their attacks, and in most instances, it was installed by the same type of dropper. Said dropper also included RftRAT besides Amadey. RftRAT, like Amadey, also has a file size exceeding 300 MB.

The RftRAT instances identified in these attacks were all packed with VMP like Amadey and were found to contain the keyword “RFTServer” in the decrypted strings. RftRAT is a backdoor that can receive commands from the C&C server and execute them.

3.3. Latest Attack Cases

It was recently identified that the Kimsuky group has been using AutoIt to create malware. The Kimsuky group ported Amadey which had been used from the past to AutoIt and also used it for the purpose of injecting RftRAT.

In past attack cases, only the debug string RFTServer was found, but in recent attacks, a malware containing a PDB path was found. The string within the PDB path shows that the threat actor named this malware “rft” as a RAT type. Accordingly, said malware is categorized as “RftRAT” here.

• PDB String: E:_WORK\My_Work\Exploit\Spyware_spy\RAT\RFT_Socket_V3.2\Release\rft.pdb

3.3.1. AUTOIT AMADEY

As covered above, Amadey is one of the malware that has been constantly used by the Kimsuky group. The version of Amadey used by the Kimsuky group is different from the type used by other threat actors: Kimsuky group’s Amadey uses Domain Generation Algorithms (DGA), and when it scans for antivirus software installed in the infected system, it also searches for product names from South Korean companies.

The recently identified Amadey is ported into the AutoIt language and has the same format as the types identified in the past attack cases. The threat actor installed both a legitimate AutoIt executable file and a compiled AutoIt script in the infected system. The compiled AutoIt script is 100 MB in size for the purpose of hindering analysis and contains dummy data as shown below.

Although written in a different language, the decrypted AutoIt script can be considered to be the Amadey malware. The HTTP request structure for sending the system information collected from the infected system to the C&C server is identical to that of the typical Amadey.

Besides this, it also has a routine for checking for products from South Korean companies when retrieving the list of antivirus products installed in the infected system. Furthermore, it supports the feature to download additional payloads in not only an exe format, but also dll, PowerShell, vbs, and js formats.

As mentioned above, the Amadey used by the Kimsuky group supports DGA. DGA, also known as Domain Generation Algorithm, dynamically generates a domain (C&C server address) instead of a fixed form. After dynamically obtaining the C&C server address based on the date, the Kimsuky group used this as a subsidiary C&C server. When the connection to the C&C server was down, the subsidiary C&C server generated through DGA was used for communication.

3.3.2. RFTRAT

The AutoIt scripts used in the attacks include Amadey and RftRAT. The AutoIt executable file and the malicious AutoIt script are also created through a dropper. The following ASD log shows the execution log of “d015700.dll”, which is the dropper that installs RftRAT, and the log showing RftRAT ultimately creating an Infostealer after being injected into svchost.exe. Additionally, AppleSeed, another malware used by the Kimsuky group, was additionally installed in the same system afterward.

The RftRAT used in previous attacks is in DLL format and packed in VMP, so an exact comparison is difficult. However, it was categorized into the past version of RftRAT due to the fact that the same library file is used, that ICMLuaUtil is used to bypass UAC, and that the path names used for saving C&C communication and command results are almost the same.

The compiled AutoIt script is similar to the Amadey in the case above, but it is actually an injector that executes svchost.exe and injects RftRAT into it. The ultimate payload RftRAT cannot be executed independently. Data must be read in from a mapped file named “A1CCA2EC-C09F-D33C-4317-7F71F0E2A976_0”. The injector AutoIt script writes the paths of the AutoIt executable file and script into this file.

The transmitted paths of the AutoIt executable file and script are used later on in the UAC bypassing stage. RftRAT uses the ICMLuaUtil interface of the CMSTPLUACOM component to bypass UAC and execute itself as administrator. After being run as administrator, RftRAT collects basic information about the infected system and sends it to the C&C server.

Afterward, it receives commands from the C&C server. RftRAT writes the received commands to the path “%APPDATA%\asc\t1.pb” before decrypting them. Decryption yields the actual commands, which are written to the same file and reread to be executed. The command, the execution results, and the additionally downloaded file are created in the paths below.

4. Post-infection

After taking control of the infected system, to exfiltrate information, the Kimsuky group installs various malware such as keyloggers and tools for extracting accounts and cookies from web browsers. The group also installs Mimikatz and RDP Wrapper, which have both been steadily used for many years.

4.1. Keylogger

The keylogger is usually installed in the path “%ALLUSERSPROFILE%\startup\NsiService.exe”. It persists in the system and monitors key input from the user, which is saved in the path “%ALLUSERSPROFILE%\semantec\av\C_1025.nls” or “%ALLUSERSPROFILE%\Ahn\av\C_1025.nls”. Additionally, “%ALLUSERSPROFILE%\semantec” is a folder where the keylogger is installed, along with various malware covered in this article.

4.2. Infostealer

Malware for collecting information from web browsers were created in the “%ALLUSERSPROFILE%\semantec\” path under the names “GBIA.exe”, “GBIC.exe”, “GBS.exe”, and “GPIA.dll”. While most target account credentials and cookies saved in web browsers, there are types that collect files in the “Local Extension Settings” path, which is the configuration data related to Chrome extensions.

Besides these, the tool named “GPIA.exe” looks up all paths in the infected system and displays the files in each folder. Because the file containing the paths of all files is naturally large, it also allows this file to be split-compressed.

4.3. Other Types

A notable fact about the Kimsuky group is that it often abuses RDP for information theft. Accordingly, it either installs RDP Wrapper or uses a patcher malware for multiple sessions. Recently, there was a discovery of a malware that monitors the login records of the user. This seems to be for the purpose of finding out when the user logs in to use RDP to connect during idle times.

The file “taskhosts.exe” installed in the path “%ALLUSERSPROFILE%\semantec\” is an injector that injects “ipcheck.dll” into the “explorer.exe” and “runtimebroker.exe” processes. “ipcheck.dll” monitors the user’s log-on/log-off activities by hooking the “WinStationQueryInformationW()” and “ExitWindowsEx()” functions and the log is saved in the path “%PUBLIC%\Log64.txt”.

The threat actor also used proxy malware. Proxy tools in the past were run by receiving command line arguments, but the type used by Kimsuky reads and uses a configuration file named “setting.ini”. The port number 3389 configured in the default address indicates that it is likely to establish an RDP connection to a private network.

5. Conclusion

The Kimsuky threat group is continuously launching spear phishing attacks against South Korean users. Recently, malicious LNK files have been distributed to South Korean users with various topics, so users are advised to practice particular caution.

The group usually employs the method of distributing malware through attachments or download links in emails. When a user executes them, the threat actor may be able to take control of the system that is currently in use. The Kimsuky group has been newly creating and using various malware to control infected systems and steal information. Recently, the group has been using AutoIt to create malware to bypass security products.

Users must carefully check the senders of emails and refrain from opening files from unknown sources. It is also recommended to apply the latest patch for OS and programs such as Internet browsers and update V3 to the latest version to prevent such malware infection in advance.

File Detection
– Downloader/Win.Amadey.R626032 (2023.11.30.00)
– Backdoor/Win.Agent.R626033 (2023.11.30.00)
– Downloader/Win.Amadey.C5462118 (2023.07.28.03)
– Trojan/AU3.Loader (2023.11.22.01)
– Dropper/Win.Agent.C5542993 (2023.11.17.02)
– Trojan/Win.Agent.C5430096 (2023.05.20.00)
– Infostealer/Win.Agent.R622445 (2023.11.17.02)
– Downloader/Win.Amadey.C5479015 (2023.08.31.01)
– Trojan/Win.Agent.C5485099 (2023.09.11.03)
– Trojan/Win.Agent.C5479017 (2023.08.31.01)
– Trojan/Win.Loader.C5479014 (2023.08.31.01)
– Trojan/Win.Agent.C5465186 (2023.11.30.00)
– Infostealer/Win.Agent.C5542999 (2023.11.17.02)
– Infostealer/Win.Agent.C5542997 (2023.11.17.02)
– Trojan/Win.Agent.C5451959 (2023.11.30.00)
– Trojan/Win.Agent.Prevention.C5446554 (2023.11.30.00)
– Trojan/Win.Agent.R589022 (2023.06.28.02)
– Trojan/Win.Loader.R588248 (2023.11.30.00)
– Trojan/Win.Agent.C5444839 (2023.11.30.00)
– Trojan/Win.Stealer.C5441397 (2023.11.30.00)
– Trojan/Win.KeyLogger.C5430090 (2023.05.20.00)
– Malware/Win.Generic.C5430065 (2023.11.30.00)
– Trojan/Win.Stealer.R579484 (2023.05.20.00)
– Trojan/Win.Loader.C5430091 (2023.05.20.00)
– Trojan/Win.KeyLogger.C5430092 (2023.05.20.00)
– Trojan/Win.Loader.C5430099 (2023.05.20.00)
– Trojan/Win.Proxy.C5430093 (2023.05.20.00)
– Trojan/Win.Agent.C5430095 (2023.05.20.00)

Behavior Detection
– Persistence/MDP.AutoIt.M4766
– Injection/MDP.Hollowing.M4767

IOC
MD5
– f5ea621f482f9ac127e8f7b784733514 : RftRAT Dropper – AutoIt (d009086.dll)
– 7b6471f4430c2d6907ce4d349f59e69f : Amadey – AutoIt Script (adal.au3)
– 14a7f83d6215a4d4c426ad371e0810a2 : RftRAT – AutoIt Script (run.au3)
– 74d5dac64c0740d3ff5a9e3aca51ccdf : RftRAT – AutoIt Script (chkdisc.au3)
– a7c9b4d70e4fad86598de37d7bf1fe96 : RftRAT – AutoIt Script (run.au3)
– 32696d9e1e72affaf8bc707ab271200d : Loader (ht.dll)
– 4b667f7ea5bdc9d872774f733fdf4d6a : Loader (ht.dll)
– 7f582f0c5c9a14c736927d4dbb47c5fa : Loader (ht.dll)
– 94aef716b23e8fa96808f1096724f77f : Loader (ht.dll)
– 0786984ab46482637c2d483ffbaf66dc : Loader (ht.dll)
– 1f63ce3677253636a273a88c5b26418d : Loader (ht.dll)
– 6f7cd8c0d9bfb0f97083e4431e4944c1 : Amadey Dropper (10.dll)
– 4fc726ab835ce559bada42e695b3d341 : Amadey Dropper (11.dll)
– 0fc1c99fd0d6f5488ab77e296216c7c6 : Amadey Dropper (10.dll)
– f9c4d236b893c0d72321a9210359f530 : Amadey (svc4615.dll)
– e22336eaf1980d2be5feed61b2dbc839 : Amadey (svc7014.dll)
– 862a855557cc274ab86e226e45338cff : Amadey (mtms2883.dll)
– 0f5762be09db44b2f0ccf05822c8531a : Amadey (ad53.dat)
– c87094e261860e3a1f70b0681e1bc8c5 : Amadey (ad54.dat)
– bac7f5eefe6a67e9555e93b0d950db59 : Amadey (d021999.dll)
– c5a1305aba22c8fedd6624753849905b : Amadey (mtms02.dat)
– 068d395c60e32f01b5424e2a8591ba73 : Amadey (adal66.dat)
– f3caa0f922600b4423ebcb16d7ea2dc6 : RftRAT Dropper (_e2.dll)
– 355817015c8510564c6ac89c976f2416 : RftRAT Dropper (_d2.dll)
– d541aa6bae0f8c9bd7e7b6193b52e8f2 : RftRAT Dropper (d010943.dll)
– 093608a2d6eb098eb7ea917cc22e9998 : RftRAT Dropper (30.dll)
– f76cde928a6eda27793ade673bcd6620 : RftRAT (msc1439.dll)
– aaa42b1209ed54bfcbd2493fe073d59b : RftRAT (mtms1929.dll)
– 1003a440c710ddf7faa1a54919dd01d8 : RftRAT (rtm8668.dll)
– b67e6e4c16e0309cfc2511414915df15 : RftRAT (cmms1106.dll)
– 4d4d485d3bfd3cbc97ed4b9a671f740f : RftRAT (cmms2366.dll)
– cf3440fa165e3f78d2a2252a6924f702 : RftRAT (mtms7794.dll)
– c55da826e50e2615903607e61968778f : RftRAT
– d070cf19b66da341f64c01f8195afaed : RftRAT (r2.dat)
– e665a985f71567f24a293ea430aad67d : RftRAT (r2.dat)
– c52410ed6787c39db87c4158e73089d4 : RftRAT (r1.dat)
– 1ac0b0da11e413a21bec08713e1e7c59 : RftRAT (40.dat)
– 39e755c08156123e4cabac6bf8d1fd3a : RftRAT (a2.dat)
– 187aa9b12c05cd1ff030044786903e7e : KeyLogger (NsiService.exe)
– b1337eb53b21594ac5dbd76138054ffb : KeyLogger (NsiService.exe)
– d820ddb3026a5960b2c6f39780480d28 : KeyLogger (NsiService.exe)
– 5c2809177bb95edc68f9a08a96420bb7 : Stealer – Web browser (GBIA.exe)
– 0bf558adde774215bb221465a4edd2fe : Stealer – Web browser (GBIA.exe)
– aa2cf925bae24c5cad2b1e1ad745b881 : Stealer – Web browser (GPIA.dll)
– baa058003bf79ba82ac1b744ed8d58cb : Stealer – Chrome extension (GBS.exe)
– 38182f1f0a1cf598295cfbbabd9c5bf4 : Stealer – File path (GPIA.exe)
– 272c29bf65680b1ac8ec7f518780ba92 : Stealer – File path (GPIA.exe)
– e860dac57933f63be9a374fb78bca209 : Proxy (svc.exe)
– e96ca2aa7c6951802e4b17649cc5b581 : Injector (taskhosts.exe)
– 4eddf54757ae168450882176243d2bd2 : Injector (sihosts.exe)
– 119063c82373598d00d17734dd280016 : LogonMon (ipcheck.dll)

C&C
– hxxps://prohomepage[.]net/index.php :Amadey – AutoIt Script
– 45.76.93[.]204:56001 : RftRAT – AutoIt Script
– 91.202.5[.]80:52030 : RftRAT – AutoIt Script
– 192.236.154[.]125:50108 : RftRAT – AutoIt Script
– hxxp://brhosting[.]net/index.php : Amadey
– hxxps://topspace[.]org/index.php : Amadey
– hxxps://theservicellc[.]com/index.php : Amadey
– hxxps://splitbusiness[.]com/index.php : Amadey
– hxxps://techgolfs[.]com/index.php : Amadey
– 23.236.181[.]108:52390 : RftRAT
– 152.89.247[.]57:52390 : RftRAT
– 172.93.201[.]248:8083 : RftRAT
– 172.93.201[.]248:52390 : RftRAT
– 209.127.37[.]40:52390 : RftRAT

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.