
Group Background

Kimsuky, also known as Mystery Baby, Baby Coin, Smoke Screen, Black Banshee, etc., is tracked internally by QiAnXin as APT-Q-2. The group was publicly disclosed in 2013, its earliest attack activity dates back to 2012, and it is suspected to originate from Northeast Asia. Kimsuky primarily targets South Korea, across sectors such as defense, education, energy, government, healthcare, and think tanks, with a focus on stealing confidential information. The group typically relies on social engineering, spear-phishing emails, watering hole attacks, and similar methods to deliver malware, and maintains a varied arsenal of techniques and tools targeting both Windows and Android.


Incident Overview

Recently, the QiAnXin Threat Intelligence Center discovered a batch of espionage samples disguised as installers for software products of SGA, a South Korean software company. When executed, these samples drop a legitimate installation package to deceive the victim while silently running a malicious DLL protected with VMProtect. The malicious DLL, written in Go, collects several categories of information from the infected device, transmits them to the attackers, and then erases traces of the attack.

Based on the digital signatures carried by the espionage software samples, we associated them with another type of malicious software used as a backdoor, also written in Go and protected by VMProtect. This backdoor software shares multiple characteristics with historical attack samples from the Kimsuky organization, leading us to believe that both types of malicious software are associated with the Kimsuky group.


Detailed Analysis

Espionage Software

The basic information of the attack samples disguised as software installation packages is as follows:

MD5                              | File Type | Digital Signature Time
27ef6917fe32685fdf9b755eb8e97565 | EXE       | 2023-12-13 08:25:21 UTC
7457dc037c4a5f3713d9243a0dfb1a2c | DLL       | 2023-12-13 08:10:34 UTC
7b6d02a459fdaa4caa1a5bf741c4bd42 | EXE       | 2024-01-05 08:04:01 UTC
88f183304b99c897aacfa321d58e1840 | DLL       | 2023-12-18 01:57:13 UTC
19c2decfa7271fa30e48d4750c1d18c1 | EXE       | 2024-01-08 13:58:33 UTC
c8e7b0d3b6afa22e801cacaf16b37355 | DLL       | 2023-12-18 01:57:34 UTC

The signer of the program file's digital signature is "D2innovation Co.,LTD".

The above samples form 3 groups, each consisting of an EXE (the initial sample, acting as a dropper) and a DLL (the dropped espionage software). After deduplicating the legitimate installation programs carried by the 3 groups, two remain:

MD5                              | Installation Program Name
eb8d073840e95cf24c9c3f5a2b6470e0 | NXTPKIENT.exe (TrustPKI Enterprise Non-ActiveX Client Setup)
d259ef7500e7e667afc42e9570f9707a | NX_PRNMAN.exe (SGASolutions NX_PRNMAN Setup)

Taking the sample 27ef6917fe32685fdf9b755eb8e97565 as an example, the execution process is as follows:


Dropper

The initial EXE sample first drops the legitimate installation program NXTPKIENTS.exe in the same directory, then drops a bat script in the "%Temp%" directory. The bat script's file name has the format "%Temp%\[4-byte random string].tmp.bat"; it is responsible for deleting the initial EXE sample and then itself.

Next, the malicious DLL is dropped in the "%AppData%\Media" directory, with a file name of the format "%AppData%\Media\win-[random string].db".

The bat script and the installation program NXTPKIENTS.exe are then launched. Because the initial EXE sample is still running at this point, the bat script enters a loop, waiting until it can delete the sample.

A flag file "C:\programdata\hai.a" is then written; it signals to the DLL that it was launched by the dropper. Finally, rundll32.exe is called to run the export function named "hai" in the malicious DLL. At this point the initial EXE sample has completed its main work.


Espionage DLL

The malicious DLL is implemented in Go language. According to the Go metadata information in the sample, the codename for this espionage software appears to be TrollAgent.

The malicious DLL first calls schtasks.exe to delete the scheduled task named "ChromeUpdateTaskMachineUAC". It then checks whether the flag file "C:\programdata\hai.a" exists. If it does not, the DLL concludes that it was not started by the initial EXE sample and proceeds directly to the self-deletion routine: it deletes the scheduled task "ChromeUpdateTaskMachineUAC" again, then drops and executes a PowerShell script that removes the DLL.

If the flag file hai.a exists, it is deleted, and then the main functionality of the espionage software is executed.

During the configuration initialization process, the espionage software sets the version to "gt@2.0", retrieves the MAC address of the infected device's network interface, and generates a UID to mark the victim. It also sets up a URL list for C&C communication.

http://ar.kostin.p-e.kr/index.php
http://ai.kostin.p-e.kr/index.php

During C&C communication, the espionage software first establishes a connection with the server by calling the SendPing function, sends an "init" message to the server, and checks if the response message is "ok".

The structure used to organize the communication data between the espionage software and the C&C server is named NpwwMsg. After converting it to a byte sequence, the espionage software encrypts it using XorCBC with a key of [0xDD, 0x33, 0x99, 0xCC], and then encodes the encrypted data in Base64.

The content of the request sent to the C&C by the SendPing function is as follows.

Upon receiving the "ok" response from the C&C server via the SendPing function, the espionage software begins collecting various types of information from the infected devices, saves it to files, encrypts it, and sends it back to the C&C server. The collected information includes the following categories.

(1) Configuration Data of the Espionage Software

After converting the configuration data into a JSON string, it is saved in temporary files with a ".org" suffix, encrypted, sent back to the C&C, and then the temporary files are deleted.

(2) Data from Specified Directories

The software sequentially checks if four specific directories exist. If found, the data from these directories is packed into a zip archive, encrypted, and sent back. The directories being searched are as follows:

Directory                                                                                              | Explanation
"%USERPROFILE%\.ssh\"                                                                                  | SSH data
"%USERPROFILE%\appdata\roaming\filezilla\"                                                             | FileZilla data
"%USERPROFILE%\appdata\local\packages\microsoft.microsoftstickynotes_8wekyb3d8bbwe\localstate\"        | Microsoft Sticky Notes data
Unknown directory or file on the C drive                                                               | -

The unknown directory or file is located as follows: the software traverses the C drive, converts the name of each subdirectory or file to lowercase, prepends the string "aaxxyyzz", appends the string "zzyyxxaa", computes the SHA-512 hash of the resulting string, and compares it with the hardcoded value below. A match means the sought directory or file has been found.

17ccb0832c3382b5f9e86236e035d899a351c98f3871080c138d4494218cbbc2b6f9dc43705ed97e8b0b09f25752302094e0d297151f67b22328af95610f72f1
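Because the target name is stored only as a hash, it cannot be read from the sample's strings; an analyst recovers it by computing the same tagged hash over a wordlist of plausible names and comparing. The following Python is an added example (not code from the report or from the sample) that reproduces the comparison described above; it assumes the name is UTF-8 encoded before hashing, which the report does not state.

```python
import hashlib

# Hard-coded SHA-512 taken from the report: the value TrollAgent compares against.
TROLLAGENT_TARGET_SHA512 = (
    "17ccb0832c3382b5f9e86236e035d899a351c98f3871080c138d4494218cbbc2"
    "b6f9dc43705ed97e8b0b09f25752302094e0d297151f67b22328af95610f72f1"
)

PREFIX = "aaxxyyzz"
SUFFIX = "zzyyxxaa"


def tagged_sha512(name: str) -> str:
    """Reproduce the malware's comparison value for one directory or file name:
    lower-case the name, wrap it in the fixed prefix/suffix, SHA-512 the result.
    UTF-8 encoding of the wrapped string is an assumption."""
    wrapped = PREFIX + name.lower() + SUFFIX
    return hashlib.sha512(wrapped.encode("utf-8")).hexdigest()


def find_target(candidates, target_hash=TROLLAGENT_TARGET_SHA512):
    """Return the first candidate whose tagged hash equals target_hash, else None.

    Feed a wordlist of plausible names (vendor and product directories, document
    names seen in the victim environment) to learn what the sample hunts for
    without executing it."""
    target_hash = target_hash.lower()
    for cand in candidates:
        if tagged_sha512(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    # Constructed guesses; the real target is unknown, so this prints None
    # unless one of them happens to be right.
    guesses = ["Program Files", "Windows", "Users", "ProgramData"]
    print(find_target(guesses))
```

The lower-casing step means the wordlist does not need case variants, and the fixed prefix and suffix are what defeat a plain rainbow-table lookup of the hash.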

(3) Browser Data

This functionality appears to use a modified version of the open-source GitHub project HackBrowserData. The project's configuration of browser data directories on the Windows platform is as follows.

The browser data directories configured in the espionage software are as follows; compared with the upstream project, one browser has been added: Naver Whale, developed by the Korean company Naver.

(4) Information Collected by Cmd Commands

The espionage software also executes the following cmd commands to collect information.

Command                                                                          | Information collected
systeminfo                                                                       | Windows system hardware and software
net user                                                                         | System users
query user                                                                       | System user sessions
powershell Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntivirusProduct | Installed antivirus software
wmic qfe                                                                         | Installed Windows system and software updates
wmic startup get                                                                 | Startup items
wmic logicaldisk get                                                             | Disk information
ipconfig /all                                                                    | Network configuration
arp -a                                                                           | ARP cache
route print                                                                      | Route table
tasklist                                                                         | Process list
wmic process get Caption, Commandline                                            | Process command lines
dir "%programfiles%"                                                             | %programfiles% directory
dir "%programfiles% (x86)"                                                       | %programfiles% (x86) directory
dir "%programdata%\Microsoft\Windows\Start Menu\Programs"                        | System Start Menu Programs directory (reveals installed software)
dir "%appdata%\Microsoft\Windows\Recent"                                         | Files or folders recently accessed by the current user
dir /s "%userprofile%\desktop"                                                   | Current user's desktop
dir /s "%userprofile%\downloads"                                                 | Current user's downloads directory
dir /s "%userprofile%\documents"                                                 | Current user's documents directory

(5) Screenshots

Screenshots are taken with the kbinani/screenshot Go library.

The encrypted files holding the information from the above 5 categories are saved in the LocalPath directory from the espionage software's configuration data and are deleted immediately after being transmitted to the C&C. The encrypted file names and the information each contains are as follows:

Encrypted File Name     | Information Saved
gcfg@[timestamp].gte1   | Espionage software configuration data
tcd@[timestamp].gte1    | Data from the unknown directory or file on the C drive
tfd@[timestamp].gte1    | FileZilla directory data
tsd@[timestamp].gte1    | SSH directory data
tnd@[timestamp].gte1    | Sticky Notes directory data
tbd@[timestamp].gte1    | Browser data
ccmd@[timestamp].gte1   | Information collected by cmd commands
ssht@[timestamp].gte1   | Screenshot data

Once the information is collected, the espionage software does not remain resident but enters a self-deletion process to erase traces of the attack.

This single-run approach increases the stealthiness of the attack operation. The rich data collected from the infected devices by the espionage software helps attackers select high-value targets for further action.


Backdoor

Basic information about the backdoor program carrying the same digital signature as the espionage software is as follows; its Go project is named "mirror":

MD5                    | 87429e9223d45e0359cd1c41c0301836
File Name              | svchost.exe
File Size              | 7.67 MB (8043416 bytes)
Digital Signature Time | 2024-01-05 06:12:29 UTC

After starting, the backdoor first checks its runtime environment. If the check fails, it immediately deletes its own disk file and exits. The checks are: (1) reading the value "LastUpdateName" under the registry key "HKEY_CURRENT_USER\SOFTWARE\Microsoft"; (2) whether the number of command-line arguments at startup equals 2. These two points indicate that the backdoor is meant to be started by other malware.

The backdoor ensures that only one instance runs by checking for a lock file "update.lock" in the current user's HOME directory. The second command-line argument accepts two options: "UpdateAll" and "UpdateNormal".


Parameter "UpdateAll"

The "UpdateAll" parameter is responsible for establishing persistence. First, it writes the value "LastUpdateTime" under the registry key "HKEY_CURRENT_USER\SOFTWARE\Microsoft", which records when the next connection to the C&C should be made.

Then it copies the backdoor file to "svchost.exe" in the current user's HOME directory and creates a scheduled task named "WindowsUpdate" that runs the copied svchost.exe with the argument "UpdateNormal". Finally, it deletes the disk file of the currently running program and exits.
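The host artefacts described for the dropper, the espionage DLL and the backdoor (the dropped DLL under "%AppData%\Media", the "hai.a" flag file, the svchost.exe copy and "update.lock" in the user's profile, the "WindowsUpdate" task, and the registry marker under HKCU\SOFTWARE\Microsoft) can be checked against a triage snapshot. The Python below is an added example, not code from the report or from any QiAnXin product; the HostSnapshot structure, the assumption that %AppData% resolves to AppData\Roaming and that HOME is the profile root, and the sample snapshot are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostSnapshot:
    """Artefacts gathered from one endpoint (hypothetical shape for this example).
    scheduled_tasks entries are dicts with keys name, command, args."""
    user_profile: str
    files: List[str]
    scheduled_tasks: List[Dict[str, str]]
    hkcu_microsoft_values: List[str]   # value names directly under HKCU\SOFTWARE\Microsoft


def assess(snap: HostSnapshot) -> List[str]:
    """Return a list of human-readable findings matching the artefacts in the report."""
    findings = []
    home = snap.user_profile.rstrip("\\").lower()
    # %AppData%\Media\win-[random].db, assuming %AppData% is the Roaming folder.
    dll_drop = re.compile(re.escape(home + r"\appdata\roaming\media\win-") + r"[^\\]*\.db")

    for path in snap.files:
        p = path.lower()
        if p == home + r"\svchost.exe":
            findings.append("backdoor copy: svchost.exe in the user profile root")
        elif p == home + r"\update.lock":
            findings.append("backdoor lock file: update.lock in the user profile root")
        elif dll_drop.fullmatch(p):
            findings.append("TrollAgent DLL drop: " + path)
        elif p == r"c:\programdata\hai.a":
            findings.append("TrollAgent launch flag: C:\\programdata\\hai.a")

    for task in snap.scheduled_tasks:
        name = task.get("name", "")
        cmd = task.get("command", "").lower()
        args = task.get("args", "").lower()
        if name == "WindowsUpdate" and cmd.endswith("svchost.exe") and "updatenormal" in args:
            findings.append("persistence task 'WindowsUpdate' runs svchost.exe with UpdateNormal")
        elif cmd.endswith("svchost.exe") and not cmd.startswith(r"c:\windows\system32"):
            # Any svchost.exe outside System32 deserves a look even without the task name.
            findings.append("svchost.exe scheduled from a non-system path: " + task.get("command", ""))

    for value in snap.hkcu_microsoft_values:
        # The report names both LastUpdateTime and LastUpdateName under this key.
        if value in ("LastUpdateTime", "LastUpdateName"):
            findings.append("registry marker HKCU\\SOFTWARE\\Microsoft\\" + value)
    return findings


# Constructed snapshot of a hypothetical infected host; not data from a real system.
SAMPLE_SNAPSHOT = HostSnapshot(
    user_profile=r"C:\Users\alice",
    files=[
        r"C:\Users\alice\svchost.exe",
        r"C:\Users\alice\update.lock",
        r"C:\Users\alice\AppData\Roaming\Media\win-k3j9f2.db",
        r"C:\Windows\System32\svchost.exe",
    ],
    scheduled_tasks=[
        {"name": "WindowsUpdate", "command": r"C:\Users\alice\svchost.exe", "args": "UpdateNormal"},
        {"name": "OneDrive Standalone Update", "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "args": ""},
    ],
    hkcu_microsoft_values=["LastUpdateTime"],
)

if __name__ == "__main__":
    for finding in assess(SAMPLE_SNAPSHOT):
        print(finding)
```

The file and task checks are the durable signals here: the dropper and the DLL delete themselves after a single run, so on a host examined after the fact the "WindowsUpdate" task pointing at a user-profile svchost.exe and the registry marker are what typically remain.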


Parameter "UpdateNormal"

The "UpdateNormal" parameter is responsible for communication with the C&C server. First, it generates a UID identifying the victim from the infected device's computer name and username. It then reads the value "LastUpdateTime" under the registry key "HKEY_CURRENT_USER\SOFTWARE\Microsoft" to determine whether it is time to connect to the C&C. If not, it sleeps for 20 seconds and checks again; otherwise it calls the LoopSession function and enters the C&C interaction loop.


C&C Communication

The domain name coolsystem[.]co.kr used by the C&C server is likely sourced from compromised websites.

The backdoor retrieves commands and transmits results by sending POST requests to the URL "hxxp://coolsystem.co.kr/admin/mail/index.php".

The request data for retrieving commands has the following format: the value of parameter 1 is "2", and the value of parameter 2 is the UID with the character "1" appended.

a[9-byte random string]=2&b[9-byte random string]=[UID]1&c[9-byte random string]=

The request data for transmitting results has the following format: the value of parameter 1 is "1", and the value of parameter 2 is the UID with the character "2" appended.

x[9-byte random string]=1&y[9-byte random string]=[UID]2&z[9-byte random string]=[encrypted data]
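The two request shapes above are regular enough to match in a web proxy or IDS log even though the parameter names are random. The following Python classifier is an added example, not code from the report; it assumes the random strings are alphanumeric (the report does not state the alphabet) and relies on the parameter names being 10 characters long, which also covers the earlier Kimsuky samples discussed under Attribution, whose names are 10-character random strings without the fixed leading letter. The sample bodies are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Parameter names are 10 characters: a fixed letter plus a 9-character random string
# in the backdoor, or a 10-character random string in the earlier samples.
# Alphanumeric alphabet is an assumption.
_NAME = r"[A-Za-z0-9]{10}"

# Command poll:   <name>=2&<name>=<UID>1&<name>=          (empty third value)
# Result upload:  <name>=1&<name>=<UID>2&<name>=<data>
_POLL = re.compile(rf"^{_NAME}=2&{_NAME}=(?P<uid>[^&=]+)1&{_NAME}=$")
_RESULT = re.compile(rf"^{_NAME}=1&{_NAME}=(?P<uid>[^&=]+)2&{_NAME}=(?P<data>[^&]*)$")


@dataclass
class Beacon:
    kind: str          # "command_poll" or "result_upload"
    uid: str           # victim identifier carried in parameter 2
    payload_len: int   # length of the third value (0 for polls)


def classify_body(body: str) -> Optional[Beacon]:
    """Match one urlencoded POST body against the two beacon shapes.
    Returns None for bodies that fit neither."""
    body = body.strip()
    m = _POLL.match(body)
    if m:
        return Beacon("command_poll", m.group("uid"), 0)
    m = _RESULT.match(body)
    if m:
        return Beacon("result_upload", m.group("uid"), len(m.group("data")))
    return None


def scan_bodies(bodies: List[str]) -> List[Beacon]:
    """Classify a batch of POST bodies and return only the hits."""
    return [b for b in (classify_body(x) for x in bodies) if b is not None]


# Constructed sample bodies; the UIDs and random names are made up for the example.
SAMPLE_BODIES = [
    "aQ7d2Lk9Xz=2&bP0oI3uY6t=g-5f1c2a9e1&cM4nB8vC1x=",            # backdoor command poll
    "xR2tY5uI8o=1&yW9eQ1aS4d=g-5f1c2a9e2&zF6gH3jK0l=U2FsdGVkX1",  # backdoor result upload
    "q1w2e3r4t5=2&y6u7i8o9p0=ABCD12340-2.31&a1s2d3f4g5=",         # earlier-sample style poll
    "user=admin&action=login&token=abc",                          # benign form post
]

if __name__ == "__main__":
    for hit in scan_bodies(SAMPLE_BODIES):
        print(hit)
```

In production the same expression would be applied only to POST bodies towards PHP endpoints on otherwise low-traffic hosts, and a hit should be joined with the destination URL and the requesting process before it is treated as confirmed; a three-parameter form with random names is rare, but not unique to this family.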

After retrieving a command, the backdoor dispatches on the first two bytes of the response data and treats the remaining data as the command's parameters.

The commands supported by the backdoor are as follows:

C&C Command   | Function Name     | Function
"01" (0x3130) | Process_Sleep     | Sleep for a specified time, set the registry LastUpdateTime value, and end the current C&C communication session.
"02" (0x3230) | Process_Cmd       | Execute shell commands.
"03" (0x3330) | Process_Pwd       | Get the current working directory.
"04" (0x3430) | Process_Cd        | Change the working directory.
"05" (0x3530) | Process_Conn      | Establish a TCP connection to a specified server.
"06" (0x3630) | Process_Exit      | Exit the program.
"07" (0x3730) | Process_Where     | Get the file path of the program.
"08" (0x3830) | Process_Dirsize   | Get statistics for the specified directory (number of subdirectories and files, total size of files in the directory).
"09" (0x3930) | Process_GetInfo   | Get device information, including hostname, username, CPU information, memory information, and network card information.
"10" (0x3031) | Process_CmdPath   | Set the file path used for executing shell commands (default is cmd.exe).
"11" (0x3131) | Process_Codepage  | Set the code page; the default is euc-kr (Korean).
"12" (0x3231) | Process_Hibernate | Set the specific date and time for the next connection (parsed in the Korean time zone Asia/Seoul), set the registry LastUpdateTime value, and end the current C&C communication session.
"13" (0x3331) | Process_Die       | Delete the scheduled task used for persistence, delete the program file, and exit the program.
"14" (0x3431) | Process_SocksAdd  | Add a Socks5 proxy.
"15" (0x3531) | Process_SocksList | List Socks5 proxies.
"30" (0x3033) | Process_Upload    | Upload files to the infected device.
"31" (0x3133) | Process_Download  | Download files from the infected device.

Attribution

Beyond sharing the same digital signature, protection shell, and programming language, the data-stealing malware and the backdoor have further traits in common. Firstly, both generate the victim UID by hashing certain system information from the infected device and truncating part of the result. Secondly, both contain a built-in self-deletion feature.

On the other hand, the backdoor exhibits several overlapping characteristics with the attack samples used in the Kimsuky campaign disclosed several months ago [1] (MD5: d6abeeb469e2417bbcd3c122c06ba099).

(1) Similarities in generating victim UID

The UID generated by the backdoor prepends the string "g-" to the hash value, while the UID generated by the earlier attack samples appends the string "0-2.3" to the system disk serial number.

(2) Partial overlap in remote control commands

Both support instructions such as getinfo, where, die, pwd, cd, and sleep.

(3) Similar C&C communication formats

Both use POST requests to retrieve commands and transmit results, the parameter names in the request data are random strings, and the parameter values are constructed in a similar way.

The data format used by the earlier attack samples to retrieve instructions is as follows: the value of parameter 1 is "2" and the value of parameter 2 is the UID with the character "1" appended.

[10-byte random string]=2&[10-byte random string]=[UID]1&[10-byte random string]=

The data format used by the earlier attack samples to transmit results is as follows: the value of parameter 1 is "1" and the value of parameter 2 is the UID with the character "2" appended.

[10-byte random string]=1&[10-byte random string]=[UID]2&[10-byte random string]=

In summary, we believe that the discovered data-stealing malware and backdoor are related to recent Kimsuky attack activities.


Conclusion

Packing malicious software with a protector such as VMProtect not only helps evade static signature detection but also hinders analysis of the malware's specific functionality. The malware used by Kimsuky in this campaign keeps the group's consistent style: it determines whether it was launched by the initially delivered sample by checking for specific markers in the runtime environment, and it uses self-deletion code to clean up traces. The data-stealing malware disguised as software installers is responsible only for information collection, which suggests the attackers plan to build more covert and sophisticated follow-on operations on this foundation.


Protective Recommendations

Qianxin Threat Intelligence Center reminds users to beware of phishing attacks, refrain from opening links of unknown origin shared on social media, avoid clicking on email attachments from unknown sources, refrain from running unknown files with exaggerated titles, and avoid installing apps from unofficial sources. It is important to regularly back up important files and update software patches.

If there is a need to run applications of unknown origin, users can first use the Qianxin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for judgment. Currently, the platform supports deep analysis of various file formats, including those for Windows and Android platforms.

Currently, all products based on threat intelligence data from the Qianxin Threat Intelligence Center, including Qianxin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, Qianxin NGSOC, and Qianxin Threat Perception, support accurate detection of such attacks.


IOC

MD5

27ef6917fe32685fdf9b755eb8e97565

7457dc037c4a5f3713d9243a0dfb1a2c

7b6d02a459fdaa4caa1a5bf741c4bd42

88f183304b99c897aacfa321d58e1840

19c2decfa7271fa30e48d4750c1d18c1

c8e7b0d3b6afa22e801cacaf16b37355

87429e9223d45e0359cd1c41c0301836

C&C

ar.kostin.p-e.kr

ai.kostin.p-e.kr

qi.limsjo.p-e.kr

ai.limsjo.p-e.kr

ol.negapa.p-e.kr

ai.negapa.p-e.kr

URL

hxxp://ar.kostin.p-e.kr/index.php

hxxp://ai.kostin.p-e.kr/index.php

hxxp://qi.limsjo.p-e.kr/index.php

hxxp://ai.limsjo.p-e.kr/index.php

hxxp://ol.negapa.p-e.kr/index.php

hxxp://ai.negapa.p-e.kr/index.php

hxxp://coolsystem.co.kr/admin/mail/index.php


Reference Links

[1]. https://asec.ahnlab.com/en/59387/
