FlagThis

The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.

These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.

ImgSrc: www.bleepstatic

References :

• asec.ahnlab.com: Having previously analyzed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type
• cyberpress.org: North Korean Hackers Deploy Custom RDP Wrapper to Hijack Remote Desktop
• www.bleepingcomputer.com: Kimsuky hackers use new custom RDP wrapper for remote access
• BleepingComputer: The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
• securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
• Cyber Security News: The North Korean cyber espionage group Kimsuky has intensified its use of custom-built tools, including a modified Remote Desktop Protocol (RDP) Wrapper, to gain unauthorized access to targeted systems.
• Virus Bulletin: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
• Anonymous ???????? :af:: hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
• securityonline.info: Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage
• securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
• ciso2ciso.com: North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials – Source:thehackernews.com
• Thomas Roccia :verified:: Having previously analysed cases of attacks by the Kimsuky group that utilized the PebbleDash backdoor and a custom-made RDP Wrapper, a new blog post from AhnLab's ASEC team covers additional malware used by Kimsuky in attacks of the same type.
• Know Your Adversary: Kimsuky Abuses RDP Wrapper in a Recent Campaign
• ciso2ciso.com: Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com
• ciso2ciso.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.
• BleepingComputer: Additional information on the malware used in Kimsuky attacks, including PebbleDash backdoor and custom-made RDP Wrapper.
• securityaffairs.com: Researchers spotted North Korea’s Kimsuky APT group launching spear-phishing attacks to deliver forceCopy info-stealer malware.

Classification:

• HashTags: #Kimsuky #APT #RDPWrapper
• Company: AhnLab
• Target: Organizations
• Attacker: Kimsuky
• Product: RDP
• Feature: RDP Wrapper
• Malware: PebbleDash
• Type: Espionage
• Severity: Major