Listen to this Post
2025-02-06
Kimsuky, a North Korea-linked state-sponsored hacking group, continues to evolve its cyberattack strategies with the deployment of a new information-stealer malware named forceCopy. According to a recent report from the AhnLab Security Intelligence Center (ASEC), the group has been using spear-phishing emails to distribute the malware, highlighting a continued sophistication in its tactics. The following breakdown offers an in-depth look at how Kimsuky’s latest campaign works and the key findings surrounding its methods.
Attack Campaign:
Kimsuky has been observed conducting spear-phishing attacks targeting users with emails containing Windows shortcut (LNK) files, disguised as Microsoft Office or PDF documents. Opening these attachments initiates the execution of PowerShell or mshta.exe, which in turn downloads further malicious payloads. The key malware in these attacks includes the trojan PEBBLEDASH and a custom version of RDP Wrapper, an open-source Remote Desktop utility.
Additionally, a proxy malware is installed to establish ongoing communications with external networks via RDP, while a PowerShell-based keylogger records keystrokes. The new forceCopy malware, designed to steal information, targets web browser-related directories, specifically aiming to steal stored credentials and configuration files. The tactics employed in these attacks signal a strategic shift for Kimsuky, as they move away from custom backdoors in favor of widely available tools like RDP Wrapper and proxy malware to gain persistent access to compromised systems.
This new attack follows a pattern of advanced social engineering, a hallmark of Kimsuky’s operations since its emergence in 2012. In late 2024, the group was also noted for leveraging Russian email services to bypass email security measures for credential theft. Kimsuky is assessed to be linked with North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence service.
What Undercode Say:
Kimsuky’s continued innovation in cyberattack tactics reflects an ongoing evolution of its capabilities, demonstrating a clear move towards leveraging commonly available tools and techniques to maintain stealth and persistence. In the past, Kimsuky relied heavily on custom-built backdoors to secure long-term access to targeted systems. However, the integration of more generalized tools such as RDP Wrapper and proxy malware marks a noticeable shift in strategy.
By using widely available software and evading detection through sophisticated social engineering, Kimsuky has adapted to the cybersecurity community’s growing awareness of its previous methods. This strategic pivot ensures that the hacking group can continue to operate with relative impunity, even in the face of increasing scrutiny and detection efforts. Tools like RDP Wrapper, which allows attackers to bypass Windows security settings for remote desktop access, are not only effective but also allow attackers to blend into environments where they may go unnoticed for extended periods.
Moreover, the deployment of forceCopy, a file-stealer that specifically targets web browser-related directories, speaks to the evolving nature of the group’s objectives. It’s clear that Kimsuky is focusing on credential theft with increased precision, capitalizing on the ubiquity of web browsers and their ability to store sensitive information. By bypassing security measures in place to protect against traditional types of malware, Kimsuky’s campaigns are evolving in ways that make them harder to detect and disrupt.
The use of PowerShell-based keyloggers is another notable tactic, indicating a preference for low-level, script-based attacks that don’t necessarily require external malware downloads to perform critical functions like data exfiltration. Keyloggers, especially those implemented in PowerShell, allow attackers to maintain operational flexibility, record sensitive information such as passwords or login credentials, and do so in a manner that makes detection more difficult.
Kimsuky’s efforts also underline an alarming trend: The integration of different malware strains and tools into a single, multi-pronged attack allows the threat actor to gain deeper access, perform extensive data collection, and ensure long-term control over compromised systems. The combination of RDP Wrappers, keyloggers, and file stealers represents a growing sophistication in their methodology that is intended not just to extract data but to maintain a persistent, undetected presence in targeted networks.
Given the
As cybersecurity professionals and organizations alike continue to refine their defenses, the ongoing threat from Kimsuky underscores the need for a multi-layered approach to security. Vigilance against phishing attempts, regular patching of systems, and the use of endpoint detection tools that monitor for abnormal behavior are key to mitigating these increasingly complex attacks.
References:
Reported By: https://thehackernews.com/2025/02/north-korean-apt-kimsuky-uses-lnk-files.html
https://www.stackexchange.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help




