
Source: Skorzewiak via Shutterstock
In its attempts to stay ahead of defenders, North Korean threat group Kimsuky has deployed an updated tool against South Korean users, aiming to make its attack programs harder to detect and analyze, threat researchers say.
The tool, dubbed HttpTroy, is a backdoor that aims to give its controllers full access to an infected system, including moving files, taking screenshots, and executing commands, researchers from cybersecurity firm Gen stated in an analysis published last week. The backdoor is the final step of an attack chain targeting South Korean users that includes a small dropper, a subsequent loader known as MemLoad, and the HttpTroy backdoor.
The attack — which consisted of a zip archive containing a Microsoft Windows screensaver (.scr) file — executes when the user opens the file, displaying a PDF invoice written in Korean and loading the attack chain until the backdoor program is running, says Michal Salát, threat intelligence director at Gen, a cybersecurity software and services company.
HttpTroy “supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory,” he says. “As a high-tier APT, they frequently rotate and rebuild payloads, so HttpTroy appears to be another effort by Kimsuky to evade detection.”
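The delivery described above is an archive whose payload is a Windows screensaver (.scr) file, which is a PE executable under a document-looking name. An added example, not code from the article or from Gen, of a defender-side pre-screening check for that pattern: it walks a zip's members, flags executable extensions, double extensions, document-like names on executables, and PE (`MZ`) headers hiding under non-executable extensions, and records when a member is encrypted so its content cannot be inspected (the password-protected archives mentioned later in the article fall into that case). The archive and the member name `invoice_2025.pdf.scr` are constructed for the example; the article does not give the real file name.

```python
import io
import zipfile

# Extensions Windows executes directly, even when the name reads like a document.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk",
}
# Tokens that suggest a lure document (invoice, receipt, ...).
DOCUMENT_LOOKALIKE_TOKENS = ("invoice", "pdf", "receipt", "payment")


def suspicious_members(archive_bytes: bytes) -> list:
    """Return [{'name': ..., 'reasons': [...]}] for archive members worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []

            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if len(parts) > 2:
                    reasons.append("double extension")  # e.g. name.pdf.scr
                if any(tok in lower for tok in DOCUMENT_LOOKALIKE_TOKENS):
                    reasons.append("document-like name on an executable")

            # Bit 0 of the general-purpose flag marks an encrypted member; its
            # content cannot be inspected without the password, so say so.
            if info.flag_bits & 0x1:
                reasons.append("encrypted member; content not inspected")
                head = b""
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)

            # A PE image starts with the 'MZ' DOS header regardless of extension.
            if head == b"MZ":
                if ext in EXECUTABLE_EXTENSIONS:
                    reasons.append("PE header (MZ)")
                else:
                    reasons.append("PE header (MZ) under a non-executable extension")

            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: a .scr member with a fake PE header plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Constructed placeholder bytes: an 'MZ' header followed by filler, not a real program.
        zf.writestr("invoice_2025.pdf.scr", b"MZ" + b"\x00" * 62 + b"placeholder")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run it over a real archive with `suspicious_members(open(path, "rb").read())`. A hit is a reason to quarantine the attachment for closer analysis, not proof of malice; the `MZ` check in particular is what catches an executable renamed to a document extension, which a pure extension filter misses.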
North Korean state-sponsored groups have been using a variety of techniques to target governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. A group thought to be Kimsuky targeted diplomatic missions in South Korea this summer using a password-protected zip file as the delivery vehicle for the attack. In September, the group used AI-generated deepfake photos to create military IDs as part of an attack on journalists, human-rights activists, and researchers.
Better Obfuscation Through Legitimate Services
While effective, HttpTroy is a straightforward improvement of the tools already used by the Kimsuky threat group, says Peter Kálnai, a senior malware researcher with cybersecurity firm ESET. Kimsuky — and another infamous North Korean group, Lazarus — are focused on making their tools harder to detect and analyze, he says.
“With their existing anti-analysis features ... the analysis of their payloads is already difficult,” Kálnai says, adding that Kimsuky has also made use of commercial encryption products as well. “This layered approach significantly increases the complexity and time required for reverse engineering the malware.”
Both the Kimsuky and Lazarus groups’ attack chains rely heavily on obfuscation and anti-analysis techniques to sneak by defenses and make reverse engineering more difficult, says Aaron Beardslee, manager of threat research at cybersecurity platform provider Securonix. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain to slow down researchers. Other techniques, such as memory-resident execution and dynamic API resolution, help the malicious code avoid detection, he says.
Sometimes, they think outside the box, Beardslee says.
“Adversaries are always going to be searching for new ways to blend in and adapt to the defensive tooling employed by their targets,” he says. “The most nefarious I’ve seen to date has been defense evasion in the actual hiring process of a company. Dozens of Fortune 100 organizations have unknowingly hired IT workers from North Korea.”
The Game is Afoot
Companies should make sure that their anti-malware solutions have in-memory scanning to detect payloads that are directly loaded into memory and have no footprint on the disk. In addition, threat intelligence can help defenders keep up with attacker methods, especially for the most frequently targeted sectors, such as cryptocurrency, financial systems, aerospace, defense, South Korean government, and some healthcare-related entities, says ESET’s Kálnai.
Most of the attacks are straightforward, but simple is not the same as static; the modularity of malware — such as the ThreatNeedle backdoor used by the Lazarus group — allows for additional attack techniques to be easily added, Kálnai said.
“Its capabilities are designed to be extensible through the dynamic loading of additional DLLs, which effectively function as a plug-in architecture,” he says. “This design allows the threat actor to quickly augment functionality and tailor the final payload to the specific target environment without having to significantly update the core RAT binary.”
Defenders are not always destined to fall behind attackers. Even state-sponsored groups tire of the rat race, often choosing stability and simplicity over continuous feature development, says Kálnai, who noted that much of the core set of capabilities used both by Kimsuky and Lazarus changes slowly.
“We believe these minor changes underscore a key operational priority for the attackers,” he says. “Stability and operational simplicity are more important than continuous feature development for their flagship tools.”
About the Author
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.