Listen to this Post
2025-02-06
Kimsuky, a notorious North Korean hacking group, has recently shifted tactics, employing custom-built Remote Desktop Protocol (RDP) Wrappers and proxy tools to infiltrate networks stealthily. This shift marks a significant departure from their previous reliance on more conspicuous backdoors like PebbleDash. A new campaign discovered by AhnLab Security Intelligence Center (ASEC) sheds light on this evolution, demonstrating how Kimsuky is diversifying its attack methods to maintain its foothold in compromised systems for longer periods.
Kimsuky’s Latest Attack Campaign
Kimsuky’s latest attack chain starts with a spear-phishing email, containing a malicious shortcut (.LNK) file that masquerades as a PDF or Word document. The emails are carefully crafted, using the recipient’s name and company details to enhance their believability. Once opened, the .LNK file triggers PowerShell or Mshta to fetch additional payloads from an external server. These payloads include:
– PebbleDash, a known backdoor providing initial control of the system.
– A customized RDP Wrapper tool, which offers persistent RDP access and bypasses security mechanisms.
– Proxy tools that help attackers circumvent network restrictions, ensuring continued access to the system, even when direct RDP connections are blocked.
The custom RDP Wrapper, based on an open-source tool, is modified to evade antivirus detection and provides a more seamless and discreet method of remote access. Once inside, Kimsuky deploys additional payloads like keyloggers, credential stealers, and in-memory execution tools to further solidify their control over the compromised system.
What Undercode Says:
The tactics and tools used by Kimsuky in their latest campaign show a clear progression in their cyber-espionage capabilities. Moving away from traditional, noisy malware like PebbleDash, Kimsuky now leans heavily on a combination of stealthier methods, including custom RDP Wrappers and proxy tools, to maintain access to compromised networks. This change suggests that Kimsuky is adapting to defensive measures and aiming for more sophisticated, prolonged infiltrations.
RDP Wrappers, in particular, are a key component of this new strategy. By modifying a legitimate, open-source tool that enables RDP connections on Windows versions without native support for it, Kimsuky avoids detection by traditional antivirus programs. RDP is often viewed as a legitimate form of remote access, so using it as a means of attack helps Kimsuky evade suspicion. This approach makes it harder for security teams to differentiate between malicious activity and standard administrative functions.
Moreover, the proxy tools employed by Kimsuky demonstrate an acute understanding of network restrictions and firewalls. By bypassing private network restrictions, Kimsuky ensures that it can maintain access even when RDP connections are actively blocked, adding another layer of persistence to their attacks.
These methods also highlight a shift towards more targeted attacks. The spear-phishing emails are highly personalized, leveraging detailed information about the target’s organization and individual employees. This level of preparation suggests that Kimsuky is conducting detailed reconnaissance before each attack, making their efforts more difficult to detect and stop.
The payloads dropped by Kimsuky further reveal the
Kimsuky’s evolving tactics suggest that they are not just targeting specific organizations but are building a persistent infrastructure for long-term intelligence gathering. This shift to stealthier, more adaptable methods reflects the growing sophistication of the group, which is among North Korea’s most prolific and dangerous cyber-espionage units.
For organizations under threat from Kimsuky or similar groups, the key takeaway is the importance of adapting defensive measures. Monitoring network traffic for unusual RDP connections, employing advanced threat detection techniques like behavioral analysis, and continuously training employees to recognize spear-phishing attempts can help mitigate the risks posed by this evolving threat landscape. In addition, the use of next-generation firewalls and endpoint security solutions capable of detecting malicious proxy tools and in-memory attacks will be crucial for defending against these types of sophisticated intrusions.
References:
Reported By: https://www.bleepingcomputer.com/news/security/kimsuky-hackers-use-new-custom-rdp-wrapper-for-remote-access/
https://www.discord.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help




