Background on gangs
Kimsuky, alias Mystery Baby, Baby Coin, Smoke Screen, Black Banshe, etc., is tracked internally by Qi'anxin as APT-Q-2.The APT group was publicly disclosed in 2013, with attack activity dating as far back as 2012.Kimsuky's main target for attacks has been South Korea, involving defense, education, energy, government, healthcare, and think tanks, with a focus on classified information theft. The group typically delivers malware using social engineering, spearmail, and puddle attacks, and has a wide range of attack tactics, with weapons for both Windows and Android platforms.
Summary of events
A batch of malware similar to Kimsuky's historical samples was recently discovered by the Qi'anxin Threat Intelligence Center. One of the samples releases software signed by Korean software vendor BlueMoonSoft to confuse victims.
The backdoor sample in the malware connects to a C2 server that uses a dynamic domain name, and the backdoor's main functions include gathering system and network configuration information about the infected device, downloading the subsequent payload, and executing it. The newer version of the backdoor detects if the device's hostname is in the built-in target list at runtime, and ends the run if it is not, and the filtered list of hostnames includes the string "DANAM", which is suspected to point to South Korean company Danam, which is involved in the electronics manufacturing, communications, and defense industries.
Detailed analysis
Relevant sample information is provided below:
| - | - | - | - | - |
|---|---|---|---|---|
| MD5 | (file name) | VT Upload Time | Creation time | clarification |
| 6efa53232350a76a52c7050b548ffe83 | (2-3 ssh.zip) | 2025-03-24 01:40:00 utc | - | The zip contains 3 different types of malware |
| a52e10dd48d64372d94f87d8eb7ed8bf | (sshdc.exe) | 2025-03-24 01:45:25 utc | 2024-03-27 02:48:53 utc | Malware in a zip archive that can execute arbitrary commands in the specified user session |
| 0f06fe847a43108a211233a9c7aa9780 | (sshd_conf.dat) | 2025-03-24 01:45:24 utc | 2025-03-19 04:41:51 utc | Malware in zip, DLL with keylogging, clipboard acquisition, screenshot functions |
| e8f5d4bbf96855f7f4ad0ff4d67efe5e | (ssh_config.dat) | 2025-03-24 01:45:24 utc | 2025-03-19 18:18:30 utc | Malware in compressed packages, DLL backdoors |
| 920f408fdc80c5697739cda9cf9a4ca7 | (BizboxAMessenger.exe) | 2025-03-21 06:57:40 utc | - | Dropper written in Go for releasing backdoors |
| d37569b238ec6c073a06a28bc665072c | (IconCache.mdf) | 2025-03-27 10:02:06 utc | 2025-03-20 04:52:44 utc | DLL backdoor (newer version) with embedded data extracted from the Dropper above |
Dropper
Sandbox Analysis
Upload the Dropper sample to the Qi'anxin Intelligence Sandbox (https://sandbox.ti.qianxin.com/sandbox/page) to obtain preliminary information on this sample.
| - | - |
|---|---|
| Link to Qi'anxin Intelligence Sandbox Report | https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZXw93rcONZSmF3-9K4E |
| Sample file name | BizboxAMessenger.exe |
| Sample MD5 | 920f408fdc80c5697739cda9cf9a4ca7 |
| Sample Type | PE64 EXE |
| sample size | 8.28 MB (8683520 bytes) |
Sandbox gives a 10-point malice score based on an intelligent composite judgment of malicious behavior.
The Behavioral Anomalies section shows some suspicious behavior of the sample, such as renaming the sample path followed by a "~ ".
Create the executables BMSGTray.exe and msbuild.bat.
Creating suspicious processes, including starting BMSGTray.exe and msbuild.bat, calling IconCache.mdf using regsvr32.exe, and deleting the sample file itself.
The host behavior "Process" information shows the relationship between these suspicious processes. Starting BMSGTray.exe, IconCache.mdf and deleting renamed sample files are executed by the sample process, while starting msbuild.bat is done by the IconCache.mdf process.
Malicious code details
After the sample is started, the main function main_main first calls main_ChangeCurrentExe to rename the sample file itself to a path with "~ ", to facilitate the subsequent extraction of the released file data, as well as the execution of the self-deletion operation.
Releasing BMSGTray.exe and launching it, the BMSGTray.exe file data is at the Dropper disk file offset location 0x149AE0 with a data length of 0x6F0110.The executable carries a digital signature from the software company, BlueMoonSoft, with a signature date of February 21, 2025.The BMSGTray.exe file is at the location of 0x149AE0 with a data length of 0x6F0110.The executable carries a digital signature from the software company, BlueMoonSoft.
The same way to release the backdoor "%AppData%\IconCache.mdf", the backdoor data in the Dropper disk file offset location 0x111CE0, the length of the data is 0x37E00. In addition, Dropper will also be in the back of the IconCache.mdf additional length of the random content of the random data. Then call regsvr32.exe to start the release of IconCache.mdf. Without adding random data in the case of IconCache.mdf MD5 d37569b238ec6c073a06a28bc665072c.
Finally, call main_SelfDelete1 to delete the renamed sample file.
Backdoor
ssh_config.dat (MD5: e8f5d4bbf96855f7f4ad0ff4d67efe5e) and IconCache.mdf (MD5: d37569b238ec6c073a06a28bc665072c) are the same backdoor program, and both of them have the same C&C communication mode. From the compilation time, the latter is a newer version, while the latter adds runtime environment checking, persistence setting and self-deletion operation on the basis of the former.
C&C Communications
Take ssh_config.dat as an example to illustrate the communication process between the backdoor and the C&C server. the URL of the C&C server is hxxp://sudifo.ftp.sh/index.php, and sudifo.ftp.sh is the dynamic domain under ftp.sh. The backdoor sends the data using a POST request in the following format. :
a[9-byte random string] = [field 1] & b[9-byte random string]= [field 2] & c[9-byte random string]= [field 3]
The meaning of the 3 fields of POST data is as follows:
| - | - |
|---|---|
| Field number | explanation |
| 1 | Request type, there are 3 types, "1", "2", "3", the value of field 1 is the base64 encoding of the request type string. |
| 2 | Victim ID in the format "A-[8-byte random string]" or "U-[8-byte random string]", the value of field 2 is the base64 encoding of the victim ID string. |
| 3 | Data returned to the C&C server, field 3 may have a null value. |
The victim ID consists of a prefix and a random string. If the current user is in authorized mode, the prefix is "A-" (i.e. admin), otherwise it is "U-" (i.e. user). The random string is initially generated and saved in the optional data stream "DDID" of the backdoor DLL file for easy access.
Each of the 3 request types between the backdoor and the C&C server corresponds to the following functions.
(1) Establishment of connection
Request type "1" is used to establish a connection with the server, if the returned response is not "live", it will sleep for 60 seconds and try to connect to the server again.
(2) Return of collected data
Request type "2" returns the collected data to the server. After the connection is established, the backdoor executes the commands "systeminfo" and "ipconfig /all" to collect device and network information, and then sends the results back to the C&C server.
(3) Acquisition of subsequent loads
Request type "3" obtains the RC4 encrypted subsequent DLL load data from the server. If the server responds with "fail", the load could not be retrieved for the time being. Otherwise, try to decrypt the received response data and load it in memory, then call the specified export function "hello".
Subsequently added features
IconCache.mdf compared to ssh_config.dat adds runtime environment checking, setting persistence, and self-deleting operations.
The runtime environment check is achieved by comparing whether the hostname of the infected device is in the built-in target list. If it is in the list, only then it continues to set up persistence and C&C communication, otherwise it simply self-deletes to remove backdoor traces.
The presence of DANAM in the target list of the hostname may point to DANAM, a Korean company. YDJUNG and GRKIM appear to be initials of people's names, and SECURITY, COMPUTERROOM, and 5F-ROOM imply that the attacker is also focusing on a specific institutional sector.
Persistence is achieved by creating a service called NewsUpdate via sc.exe.
Release the "%temp%\msbuild.bat" script to delete the backdoor file when it is deleted, and then call TerminateProcess to end the process after the file is deleted.
Other malware
The backdoor sshd_conf.dat is located in a zip archive with two other pieces of malware. sshdc.exe requires the passing of two parameters, session id and command line, and functions by executing arbitrary commands in the specified user session. The malware first tries to run the command in high mandatory integrity level ("S-1-16-12288") mode, and if it fails, then executes the command in normal mode.
sshd_conf.dat creates 3 threads that perform keylogging, clipboard monitoring, and screenshot operations.
Traceability links
This captured sample has similar characteristics to the Kimsuky attack action [1, 2] that we disclosed previously.
(1) The sample is similar in format to the POST request data sent when communicating with the C&C server, and the field names use randomly generated strings.
(2) The sample likewise decides whether to take further action based on the response obtained from the C&C server.
(3) A self-deletion script named "%temp%\msbuild.bat" was also used in the previous Kimsuky attack, and the content of the script is consistent.
(4) Setting up persistence is done in the same way, both using similarly formatted sc commands.
On the other hand, the C&C URL for the backdoor IconCache.mdf is hxxp://gtfydu.surfnet.ca/index.php using dynamic domain names. The resolving IP (104.37.184.39) is also bound to multiple Korean dynamic domain names near the active time of the domain gtfydu.surfnet.ca, and Kimsuky's historical attack campaigns have frequently featured such Korean dynamic domain names.
| - | - |
|---|---|
| Other domains recently bound to the same IP | |
| auth.worksmobile.r-e.kr | |
| secure.navdomain.n-e.kr | |
| login.hiwork.o-r.kr | |
| auth.linkedin.r-e.kr |
With the presence of the words work and linkedin in the domain name, we hypothesize that these dynamic domain names may be used by attackers to execute phishing attack campaigns using work and recruitment as bait.
Summary
The discovered malware continues the attack characteristics of Kimsuky's organization: Dropper releases legitimate files with signatures for camouflage, malicious files add random data to avoid unique file hash, use regsvr32.exe to launch DLL samples, and self-deletion under specific conditions. Both backdoor samples use dynamic domain names as C&C servers, and the malware for further actions is obtained from the server and loaded in memory, while the new version of the backdoor, in order to increase the covertness of the attack, executes the core malicious code only on machines with specific hostnames, which also reflects the highly targeted nature of the attack, and the attacker should have used some means to obtain information to create a target screening list in the early stages. The attacker should have used some means to obtain information in the early stage to create a target screening list.
Protection recommendations
Qi'anxin Threat Intelligence Center reminds users to beware of phishing attacks, do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with exaggerated titles, and do not install apps from unofficial sources. do timely backup of important files and update and install patches.
If you need to run and install applications of unknown origin, you can first use the Qi'anxin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to make a judgment. Currently, it supports in-depth analysis of files in various formats, including Windows and Android platforms.
Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.
IOC
MD5
6efa53232350a76a52c7050b548ffe83
a52e10dd48d64372d94f87d8eb7ed8bf
0f06fe847a43108a211233a9c7aa9780
e8f5d4bbf96855f7f4ad0ff4d67efe5e
920f408fdc80c5697739cda9cf9a4ca7
d37569b238ec6c073a06a28bc665072c
C&C
sudifo.ftp.sh
gtfydu.surfnet.ca
auth.worksmobile.r-e.kr
secure.navdomain.n-e.kr
login.hiwork.o-r.kr
auth.linkedin.r-e.kr
URL
hxxp://sudifo.ftp.sh/index.php
hxxp://gtfydu.surfnet.ca/index.php
Reference links
[1]. https://ti.qianxin.com/blog/articles/Undercover-Kimsuky-APT-Q-2-Espionage-Campaign-Disguised-as-Software-Installers-CN/
[2]. https://mp.weixin.qq.com/s/7vnxz8dYmWf7Z8Cmaa8sVg