Analysis Report on the Latest Attack Cases by Kimsuky Group Exploiting PebbleDash and RDP Wrapper

Analysis Overview

AhnLab SEcurity intelligence Center (ASEC) recently identified that the Kimsuky group is using the PebbleDash backdoor and RDP Wrapper in multiple attacks. The threat actor uses LNK files during initial access to install PowerShell malware on the infected system. Once this stage is complete, they install custom-made remote control malware and use various tools equipped with information-collecting capabilities to control the infected system and steal information. Among the various attack activities of the Kimsuky group, cases of this type of attack have been continuously increasing since around 2024.

The targets of the attack appear to be diverse, similar to the usual range of the Kimsuky group’s activities, and include individuals, organizations, and companies. Given the Kimsuky group’s characteristic focus on collecting sensitive information, their targets also include the public, legal, and academic sectors. Additionally, they target regular companies under the guise of work and recruitment-related documents. It is also noticeable that numerous malware samples related to cryptocurrency have been identified recently.

The threat actor uses spear phishing attacks to trick users into executing LNK malware disguised as document files, which then installs a PowerShell script to execute additional payloads. The PowerShell malware is executed continuously by VBS malware registered in the Task Scheduler, downloading and executing additional payloads specified by the threat actor.

The Kimsuky group installs additional malware on infected systems, and in recent cases RDP Wrapper has been identified in most attacks. The threat actor enables RDP, registers a backdoor account, and then uses RDP Wrapper to remotely control the infected system. In this process, a custom-made proxy malware is also used. In past spear phishing attacks using LNK, malware such as Amadey or RftRAT was used in the final stage. However, recent attack cases are characterized by the use of RDP for remote screen control rather than controlling the infected system with a custom-made backdoor. [1]
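The two stages described above (a VBS task in the Task Scheduler that keeps relaunching the PowerShell stage, and RDP being enabled with a backdoor account plus RDP Wrapper) leave host artifacts a responder can check. The following PowerShell triage script is an added example written for this report, not code from ASEC or from the malware; it assumes a local administrator session on the host, uses RDP Wrapper's default install folder and a 30-day account-creation window as assumptions, and relies on the fact that RDP Wrapper works by replacing the `ServiceDll` of `TermService` with its own `rdpwrap.dll`.

```powershell
# Added host-triage example (not from the ASEC report). Run as a local administrator.
# Collects indicators of the chain described above: a scheduled task that runs a .vbs,
# RDP enabled, RDP Wrapper hooking TermService, and recently created / RDP-capable local accounts.
function Invoke-RdpWrapperTriage {
    param(
        # Assumed window for "recently created" accounts; adjust to the incident timeline.
        [int]$AccountWindowDays = 30
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence stage: scheduled tasks whose action runs wscript/cscript on a .vbs file.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '\b[wc]script(\.exe)?\b' -and $cmd -match '\.vbs\b') {
                $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs a VBS: $cmd")
            }
        }
    }

    # 2. RDP enabled: fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings.Add('Remote Desktop is enabled (fDenyTSConnections = 0)')
    }

    # 3. RDP Wrapper replaces the TermService service DLL with rdpwrap.dll, so a ServiceDll
    #    outside %SystemRoot%\System32 is the primary indicator; the .ini path is an assumed default.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc -and $svc.ServiceDll) {
        $dll   = [Environment]::ExpandEnvironmentVariables([string]$svc.ServiceDll)
        $sys32 = Join-Path $env:SystemRoot 'System32'
        if (-not $dll.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("TermService ServiceDll points outside System32: $dll")
        }
    }
    $iniPath = Join-Path $env:ProgramFiles 'RDP Wrapper\rdpwrap.ini'   # assumed default install path
    if (Test-Path -Path $iniPath) {
        $findings.Add("RDP Wrapper configuration present: $iniPath")
    }

    # 4a. Backdoor account: Security event 4720 ("A user account was created") inside the window.
    $cutoff = (Get-Date).AddDays(-$AccountWindowDays)
    $created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $cutoff } `
                            -ErrorAction SilentlyContinue
    foreach ($ev in $created) {
        # For 4720, Properties[0] is TargetUserName (the account that was created).
        $findings.Add("Local account '$($ev.Properties[0].Value)' created $($ev.TimeCreated)")
    }

    # 4b. Enabled local users that can log on over RDP (members of the relevant local groups).
    foreach ($group in 'Remote Desktop Users', 'Administrators') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
            ForEach-Object {
                $name = $_.Name.Split('\')[-1]
                $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
                if ($user -and $user.Enabled) {
                    $findings.Add("Enabled local user '$name' in '$group' (password last set: $($user.PasswordLastSet))")
                }
            }
    }

    return $findings
}

# Usage: print each finding; an empty result means none of the checked artifacts were found.
Invoke-RdpWrapperTriage | ForEach-Object { Write-Output "[!] $_" }
```

Each finding is a lead, not a verdict: a legitimate administrator may have enabled RDP or created an account in the window, so correlate the results with the scheduled-task hit and with the ServiceDll check, which is the one artifact that has no benign explanation on a host that should not have RDP Wrapper installed.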

However, backdoors have not been completely abandoned; although not as frequently as RDP Wrapper, cases with PebbleDash have been identified since the first half of 2024. PebbleDash was previously used by the group known as Lazarus, and there are instances where it was used in spear phishing attacks alongside AppleSeed. [2] In the past, most attack cases involved the use of AppleSeed, AlphaSeed, and HappyDoor, with PebbleDash being identified in only a few instances. However, since 2024, a large number of cases with PebbleDash have been identified, and the threat actor has used it to remotely control infected systems.

[1] Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)

[2] Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)

MD5

06c04a8ba382a27b7676f3591246dcbb
07866f30a8b4a3453fd0ff0e82143a83
0808710ecfdb1fb2274209853a256b82
0993cf18121be84f5b1511318df80f44
0aea7e23c016a2bb0b48c1779044b285

URL

http[:]//103[.]5[.]144[.]50[:]8000/rev[.]exe
http[:]//27[.]102[.]115[.]154[:]8000/revsocks[.]exe
https[:]//drive[.]google[.]com/uc?export=download&id=1B0Iw3GYJvI-jwpEwY7wJ-8UWBhSTwgD5

IP

103[.]5[.]144[.]26
159[.]100[.]13[.]216
206[.]206[.]127[.]152
216[.]107[.]137[.]73
64[.]49[.]14[.]181