
A North Korean-linked actor known as Kimsuky distributed a previously undocumented backdoor codenamed HttpTroy as part of a spear-phishing attack targeting a single victim in South Korea.
Gen Digital, which disclosed details of the activity, did not say when the incident occurred, but the phishing email carried a ZIP file (“250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip”) disguised as an invoice for a VPN product. The archive was used to deliver malware capable of transferring files, capturing screenshots, and executing any command.
“There are three steps in the chain: a small dropper, a loader called MemLoad, and a final backdoor called ‘HttpTroy,’” said security researcher Alexandre Cristian Bardas.
An SCR file with the same name sits inside the ZIP archive; opening it triggers the execution chain. The initial Golang binary contains three embedded files, including a decoy PDF document that is displayed to the victim to avoid arousing suspicion.

MemLoad, which is launched in the background at the same time, is responsible for setting up persistence on the host through a scheduled task named “AhnlabUpdate,” a name chosen to impersonate AhnLab, a South Korean cybersecurity company. MemLoad then decrypts and executes the DLL backdoor (“HttpTroy”).
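As an added illustration of how a defender might hunt for the persistence step described above (this is example code written for this page, not Gen Digital's analysis code or anything from the malware), the script below parses Windows Task Scheduler XML, such as the task body carried in a Security event 4698 (scheduled task created), and flags tasks whose name borrows AhnLab's branding but whose action launches from, or references, a user-writable path. The only value taken from the page is the task name “AhnlabUpdate”; the sample events, file names, trusted-path prefixes and user-writable markers are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Persistence task name reported for MemLoad on the page.
IMPERSONATED_TASK_NAME = "AhnlabUpdate"

# Prefixes a genuine vendor or Windows task is expected to launch from
# (assumption made for this example; adjust to the estate's install paths).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# User-writable locations where a dropped payload typically lives (heuristic, not from the page).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def exec_action(task_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (Command, Arguments) from the first <Exec> action of a Task Scheduler XML body."""
    root = ET.fromstring(task_xml)
    command = arguments = None
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the Task Scheduler schema namespace
        if local == "Command" and command is None and elem.text:
            command = elem.text.strip()
        elif local == "Arguments" and arguments is None and elem.text:
            arguments = elem.text.strip()
    return command, arguments


def _norm(path: str) -> str:
    """Lower-case and normalise separators so prefix checks are case- and slash-insensitive."""
    return path.lower().replace("/", "\\")


def assess_task(task_name: str, task_xml: str) -> dict:
    """Flag a task that uses AhnLab's name but does not behave like a vendor update task."""
    command, arguments = exec_action(task_xml)
    cmdline = " ".join(_norm(part) for part in (command, arguments) if part)
    name_mimics_vendor = "ahnlab" in task_name.lower()
    launches_from_trusted = command is not None and _norm(command).startswith(TRUSTED_PREFIXES)
    # rundll32/regsvr32 live under C:\Windows, so the arguments must be checked too.
    touches_user_writable = any(marker in cmdline for marker in USER_WRITABLE_MARKERS)
    return {
        "task_name": task_name,
        "command_line": cmdline,
        "name_mimics_vendor": name_mimics_vendor,
        "suspicious": name_mimics_vendor and (not launches_from_trusted or touches_user_writable),
    }


def scan_events(events) -> List[str]:
    """Return the names of the tasks the heuristic flags, in input order."""
    flagged = []
    for name, xml_body in events:
        if assess_task(name, xml_body)["suspicious"]:
            flagged.append(name)
    return flagged


def _task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal Task Scheduler definition (constructed sample data)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events (task name, task XML); paths and file names are invented.
SAMPLE_EVENTS = [
    # 1. Task name from the page; rundll32 loads a DLL staged under AppData -> flagged.
    ("\\" + IMPERSONATED_TASK_NAME,
     _task_xml(r"C:\Windows\System32\rundll32.exe", r"C:\Users\victim\AppData\Roaming\sys.dll,Start")),
    # 2. Vendor-looking name launching from Program Files -> not flagged by this rule.
    ("\\AhnLab\\AhnLab Update", _task_xml(r"C:\Program Files\AhnLab\Updater.exe", "/silent")),
    # 3. User-writable path, but the name does not mimic AhnLab -> outside this rule's scope.
    ("\\OneDrive Sync", _task_xml(r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe")),
]

if __name__ == "__main__":
    for name, xml_body in SAMPLE_EVENTS:
        print(assess_task(name, xml_body))
    print("flagged:", scan_events(SAMPLE_EVENTS))
```

The rule deliberately inspects the arguments as well as the command: a task that launches a signed Windows host such as rundll32.exe from C:\Windows would pass a command-only check while still loading a payload from a user profile.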
This implant gives the attacker complete control over the compromised system, allowing them to upload and download files, capture screenshots, run commands with elevated privileges, load executables in memory, spawn a reverse shell, terminate processes, and remove traces. It communicates with its command-and-control (C2) server (“load.auraria[.]org”) via HTTP POST requests.
“HttpTroy employs multiple layers of obfuscation to hinder analysis and detection,” Bardas explained. “API calls are hidden using custom hashing techniques, and strings are obfuscated by a combination of XOR operations and SIMD instructions. In particular, the backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them at runtime using various combinations of arithmetic and logical operations, further complicating static analysis.”
The findings come as the cybersecurity vendor also detailed the Lazarus Group’s attacks that led to the deployment of an upgraded version of Comebacker and its BLINDINGCAN (also known as AIRDRY or ZetaNile) remote access Trojan. It added that the attack targeted two victims in Canada and was detected “midway through the attack chain.”
Although the exact initial access vector used in the attack is unknown, it has been assessed as a phishing email based on the lack of known security vulnerabilities that could have been exploited to gain a foothold.
Comebacker comes in two variants (one DLL and one EXE): the former is launched through a Windows service and the latter through “cmd.exe.” Regardless of the execution method, the malware's end goal is the same: decrypt the embedded payload (BLINDINGCAN) and deploy it as a service.

BLINDINGCAN is designed to establish a connection with a remote C2 server (“tronracing[.]com”) and await further instructions that enable it to:

- Upload/download files
- Delete files
- Modify file attributes to imitate another file
- Recursively enumerate all files and subdirectories in a specified path
- Collect data about files system-wide
- Collect system metadata
- List running processes
- Execute a command line using CreateProcessW
- Run a binary directly in memory
- Execute a command using “cmd.exe”
- Terminate a specific process by passing the process ID as input
- Take a screenshot
- Take photos from available video capture devices
- Update configuration
- Change current working directory
- Delete itself and remove all traces of malicious activity
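Both backdoors described on this page beacon to a named C2 domain (HttpTroy to load.auraria[.]org over HTTP POST, BLINDINGCAN to tronracing[.]com). As an added example of turning those two indicators into a check over web-proxy logs (example code written for this page, not Gen Digital's tooling), the script below keeps the domains defanged as published, refangs them only at match time, and matches a host either exactly or as a subdomain of the indicator, so that a look-alike such as tronracing.com.example.net does not match. The log format and every log line are constructed for the example; only the two domains and the POST beaconing detail come from the page.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# C2 domains named on the page, kept defanged so the file can be shared safely.
C2_INDICATORS: Dict[str, str] = {
    "load.auraria[.]org": "HttpTroy (Kimsuky)",
    "tronracing[.]com": "BLINDINGCAN (Lazarus)",
}

# Constructed proxy log lines: timestamp client method url status bytes.
# Line 4 is a deliberate look-alike that must not match.
SAMPLE_PROXY_LOG = """\
2025-01-01T09:00:01Z 10.0.0.5 GET http://www.example.com/ 200 4321
2025-01-01T09:00:07Z 10.0.0.5 POST http://load.auraria.org/ 200 612
2025-01-01T09:00:09Z 10.0.0.8 GET https://update.tronracing.com/ 200 88
2025-01-01T09:00:12Z 10.0.0.9 GET https://tronracing.com.example.net/ 200 10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, indicator_host: str) -> bool:
    """True when host equals the indicator or is a subdomain of it (never a mere prefix)."""
    host = host.lower().rstrip(".")
    return host == indicator_host or host.endswith("." + indicator_host)


def match_c2(log_text: str) -> List[dict]:
    """Return one hit per log line whose destination host matches a C2 indicator."""
    refanged = {refang(defanged): (defanged, family) for defanged, family in C2_INDICATORS.items()}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        host = urlsplit(m["url"]).hostname or ""
        for ioc_host, (defanged, family) in refanged.items():
            if host_matches(host, ioc_host):
                hits.append({
                    "client": m["client"],
                    "method": m["method"],
                    "host": host,
                    "indicator": defanged,
                    "family": family,
                    # The page reports HttpTroy beaconing over HTTP POST.
                    "post_beacon": m["method"] == "POST",
                })
    return hits


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching on the parsed hostname rather than on the raw line avoids false positives from URLs that merely mention the domain in a path or query string.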
“Kimsuky and Lazarus continue to hone their tools, demonstrating that actors associated with North Korea are not only maintaining their weapons, but reinventing them,” Gen Digital said. “These campaigns exhibit well-structured, multi-step infection chains that leverage obfuscated payloads and stealth persistence mechanisms.”
“From the initial stages to the final backdoor, each component is designed to evade detection, maintain access, and provide broad control over compromised systems. The use of custom encryption, dynamic API resolution, and leveraging COM-based task registration/services highlights the group’s continued evolution and sophistication of its technology.”
