FlagThis

The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.

Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.

ImgSrc: www.bleepstatic.com

References:

• ciso2ciso.com - Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer – Source: securityaffairs.com - 13d
• Security Affairs - Kimsuky APT group used custom RDP Wrapper version and forceCopy stealer. - 13d
• securityonline.info - Kimsuky Group Leverages RDP Wrapper for Persistent Cyber Espionage. - 13d
• www.bleepingcomputer.com - Kimsuky hackers use new custom RDP wrapper for remote access. - 13d
• www.microsoft.com - Microsoft details Kimsuky's new PowerShell-based attack tactic. - 9d
• SCM feed for Threat Management - PowerShell exploited in new Kimsuky intrusions - 6d

Classification:

• HashTags: Kimsuky APT RDP
• Company:
• Attacker: Kimsuky
• Product: RDP
• Feature: RDP
• Type: Hack
• Severity: Medium