June 7, 2023

South Korean researchers have discovered a renewed wave of activity by the Kimsuky hacking group, which uses basic open-source remote access tools alongside its own backdoor, Gold Dragon.

Kimsuky, also known as TA406, is a North Korean state-sponsored hacker organization engaged in cyber-espionage activities. The gang has shown outstanding operational versatility and threat activity diversity, distributing malware, phishing, collecting data, and even stealing cryptocurrency.


According to a report from AhnLab, Kimsuky used xRAT, a free open-source remote access and administration tool available on GitHub, in targeted cyberattacks on South Korean companies. The malware's capabilities include keylogging, remote shell, file management, reverse HTTPS proxy, AES-128 communication, and automated social engineering.

Gold Dragon is a second-stage backdoor that Kimsuky commonly distributes following a steganography-based, fileless PowerShell first-stage attack. The backdoor has been documented before and is not new, but the variant seen in this most recent campaign has new characteristics, including exfiltration of basic system information.

The malware no longer leverages system processes for this purpose but installs the xRAT program to manually steal the required data. The RAT is disguised as cp1093.exe. Gold Dragon continues to employ the same process hollowing strategy on iexplore.exe and svchost.exe, and it continues to try to block real-time detection mechanisms of AhnLab AV solutions.

Next, the installer creates a new registry entry so that the malware payload (glu32.dll) persists across system startup. Finally, Kimsuky includes an uninstaller (UnInstall_kr5829.co.in.exe) that may be used to remove any evidence of intrusion. According to AhnLab, users should avoid opening attachments in emails from unknown senders, because this is still the most common way for Kimsuky to spread.


Indicators of Compromise

  • 40b428899db353bb0ea244d95b5b82d9
  • 4ea6cee3ecd9bbd2faf3af73059736df
  • 070f0390aad17883cc8fad2dc8bc81ba
  • b841d27fb7fee74142be38cee917eda5
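
A defender-side sweep for the indicators above, added here as an example; it is not code from this article or from AhnLab's report. It assumes the 32-hex-character values are MD5 file hashes (the article does not state the type), and the function names `md5_of`, `sweep` and `demo` are hypothetical.

```python
import hashlib
import os
import tempfile

# Indicator values and file names taken from the article. Assumption: the
# 32-hex values are MD5 file hashes (the article does not state the type).
IOC_HASHES = {
    "40b428899db353bb0ea244d95b5b82d9", "4ea6cee3ecd9bbd2faf3af73059736df",
    "070f0390aad17883cc8fad2dc8bc81ba", "b841d27fb7fee74142be38cee917eda5",
}
IOC_NAMES = {"cp1093.exe", "glu32.dll", "uninstall_kr5829.co.in.exe"}


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, hashes=IOC_HASHES, names=IOC_NAMES):
    """Return sorted (path, reason) pairs for files matching a name or hash."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() in names:  # Windows file names are case-insensitive
                hits.append((path, "name"))
            try:
                if md5_of(path) in hashes:
                    hits.append((path, "hash"))
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
    return sorted(hits)


def demo():
    """Constructed sample tree: benign files, one reusing a campaign file name."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("notes.txt", "CP1093.EXE"):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"constructed placeholder content")
        return [(os.path.relpath(p, root), why) for p, why in sweep(root)]


if __name__ == "__main__":
    print(demo())
```

A name-only hit is a triage lead, since file names are trivially changed and can collide with benign files; a hash hit identifies the exact sample.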
