Kimsuky Hackers Deploy Custom RDP Wrapper for Remote Access
RDP Hacked

The North Korean cyber-espionage group known as Kimsuky has been observed leveraging a custom-built RDP Wrapper alongside proxy tools to maintain direct access to infected machines in recent cyberattacks. This represents a strategic shift in Kimsuky's tactics, as reported in recent findings.
Evolving Tactics in Kimsuky's Cyber Operations
Previously, Kimsuky relied primarily on well-known backdoors such as PebbleDash to establish persistent access to compromised networks. However, the latest discovery highlights a diversification in Kimsuky's arsenal, utilizing tailored remote access tools that enhance stealth and persistence while reducing the risk of detection. The custom RDP Wrapper enables the attackers to establish an inconspicuous remote connection, avoiding the scrutiny that traditional malware backdoors might attract.
Kimsuky's Latest Attack Chain
The infection process begins with a spear-phishing campaign targeting specific individuals and organizations. These phishing emails contain malicious shortcut (.LNK) file attachments disguised as legitimate PDF or Word documents. The attackers tailor these emails with the recipient's name and correct company details, indicating thorough reconnaissance before execution.
Initial Compromise
Once the victim opens the .LNK file, it executes PowerShell or Mshta commands to retrieve additional payloads from an external server. These include:
- PebbleDash: A known Kimsuky backdoor that provides initial control over the system.
- Custom RDP Wrapper: A modified version of an open-source tool that facilitates persistent RDP access while bypassing security measures.
- Proxy Tools: These enable the attackers to circumvent private network restrictions and access the system remotely, even when direct RDP connections are blocked.
Understanding the Custom RDP Wrapper
The Remote Desktop Protocol (RDP) is a common method for remote system management and control. RDP Wrapper is a legitimate open-source tool designed to enable RDP functionality on Windows versions that do not natively support it, such as Windows Home editions. It acts as an intermediary layer that allows remote desktop connections without modifying system files.
Kimsuky has modified this tool to extend its capabilities and evade detection. By altering its export functions, the attackers likely defeat signature-based antivirus detection tuned to the original open-source build, making the activity associated with the tool harder for security products to recognize.
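The hook point this tool depends on is small enough to audit directly. The following read-only triage script is an added example, not code from the article or from any reporting on Kimsuky; it assumes an elevated PowerShell session on the host under review, that a custom build must use the same installation method as the public RDP Wrapper (redirecting the TermService ServiceDll registry value to its own DLL), and the standard property layout of Security event 4624.

```powershell
# Added example: triage for a hijacked Terminal Services host DLL. The public RDP
# Wrapper points the TermService "ServiceDll" value at rdpwrap.dll instead of
# termsrv.dll; a rebuilt variant needs the same hook, so the registry value remains
# a usable indicator even after the DLL's exports or hash have been changed.

function Get-TermServiceDllFinding {
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $raw      = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction Stop).ServiceDll
    $dll      = [Environment]::ExpandEnvironmentVariables($raw)
    $expected = Join-Path $env:SystemRoot 'System32\termsrv.dll'

    $finding = [ordered]@{
        ServiceDll = $dll
        IsExpected = ($dll -ieq $expected)
        FileExists = (Test-Path -LiteralPath $dll)
        SigStatus  = 'n/a'
        Signer     = 'n/a'
        Suspicious = $false
    }
    if ($finding.FileExists) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $finding.SigStatus = $sig.Status.ToString()
        $finding.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
    # Anything other than the stock, validly signed Microsoft DLL fails at least one
    # test, including a renamed or recompiled wrapper no AV file signature matches.
    $finding.Suspicious = (-not $finding.IsExpected) -or
                          ($finding.SigStatus -ne 'Valid') -or
                          ($finding.Signer -notmatch 'O=Microsoft Corporation')
    [pscustomobject]$finding
}

# Companion check: RemoteInteractive (logon type 10) events from the last 24 hours.
# A wrapper-enabled RDP session still produces these, however termsrv was patched.
function Get-RecentRdpLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = $_.Properties[5].Value
                SourceIp = $_.Properties[18].Value
            }
        }
}
Get-TermServiceDllFinding | Format-List
Get-RecentRdpLogons | Format-Table -AutoSize
```

Compare the logon source addresses against the RDP allowlist the network segmentation guidance below calls for; a type-10 logon from an address outside it is the event worth escalating.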
Stealth and Persistence: The Key Benefits of Custom RDP Wrapper
The primary advantage of using a custom RDP Wrapper is its ability to remain undetected for extended periods. Since RDP connections are typically viewed as legitimate system activities, security solutions may not flag them as malicious. This allows Kimsuky to maintain a prolonged presence in compromised networks.
Furthermore, GUI-based remote control via RDP offers several advantages over traditional malware shell access, including:
- User-Friendly Interaction: Unlike command-line interfaces, RDP provides a graphical environment, making navigation and data exfiltration easier.
- Firewall and NAT Evasion: Through relay mechanisms, the attackers can bypass firewalls and Network Address Translation (NAT) restrictions, ensuring remote access even in secured environments.
Post-Compromise Activities
After securing their foothold, Kimsuky deploys secondary payloads to maximize their espionage and data exfiltration capabilities. These include:
- Keyloggers: These record keystrokes and save the data in system directories, allowing attackers to capture sensitive information such as login credentials.
- Infostealers (forceCopy): Designed to extract credentials stored in web browsers, these tools provide further access to victim accounts.
- PowerShell-Based ReflectiveLoader: This enables in-memory payload execution, reducing the chances of detection by traditional file-based security solutions.
Implications and Countermeasures
Kimsuky's continued evolution showcases their adaptability in the ever-changing cybersecurity landscape. By shifting to stealthier remote access techniques, they can extend their dwell times within networks, increasing their chances of gathering valuable intelligence.
To mitigate the risks posed by such advanced cyber threats, organizations should adopt a multi-layered security approach:
- Email Security and Awareness: Educate employees about spear-phishing tactics and deploy advanced email filtering solutions to detect malicious attachments.
- Endpoint Protection: Utilize next-generation antivirus and Endpoint Detection and Response (EDR) solutions to detect and block suspicious activities.
- Network Segmentation: Restrict RDP access to specific IP addresses and implement multi-factor authentication (MFA) for remote access.
- Threat Intelligence Monitoring: Continuously monitor for emerging threats and Indicators of Compromise (IOCs) related to Kimsuky's operations.
Conclusion
Kimsuky remains one of North Korea's most prolific cyber-espionage groups, constantly refining their techniques to evade detection. Their latest campaign, involving a custom RDP Wrapper, highlights their strategic focus on stealth and persistence in compromised networks. Organizations must remain vigilant and enhance their cybersecurity posture to defend against such evolving threats. By implementing proactive defense measures, businesses can reduce their exposure to cyber-espionage campaigns orchestrated by sophisticated threat actors like Kimsuky.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.