Yoroi-ZLab: North Korea’s Kimsuky evolves its TTPs, using a malware implant compatible with its previous campaigns
Recently there has been a significant increase in state-sponsored operations carried out by APT threat actors worldwide. Cybaze-Yoroi ZLab decided to study in depth a recent threat attributed to a North Korean group dubbed Kimsuky. Unlike other APT groups that use long and complex infection chains, the Pyongyang-linked hackers rely on a shorter attack chain that is nonetheless very effective at achieving a low detection rate. Furthermore, the researchers discovered a new malware implant compatible with Kimsuky’s previous campaigns. According to ESET, the initial dropper contains two malicious resources embedding the malicious DLLs; the sample analyzed here does not contain them. Despite these small differences, ZLab attributes the activity to Kimsuky with good confidence, due to the strong similarities in TTPs.
How the APT infection works, according to the cyber security experts
According to the cyber security experts, the infection starts with a classic executable file with the .scr extension, which Windows uses to identify screensaver artifacts. Upon execution, the malware writes a file named “<random_name>.tmp.db” inside the “%AppData%\Local\Temp” path, using the Microsoft utility “regsvr32.exe”. Despite the extension, it is a well-formed DLL that acts as the second stage of the infection. The DLL is then copied into the folder “%AppData%\Roaming\Microsoft\Windows\Defender\” and renamed “AutoUpdate.dll”. The library then gains persistence by setting a specific registry key. The name and path chosen by the attacker are deliberately misleading, because they reference Windows Defender. Furthermore, in the “%AppData%\Local\Temp” folder another temporary file, “<random_name>.tmp.bat”, is created and immediately removed; it is used to delete the initial artifact (the .scr file) and then itself.
Kimsuky uses a legitimate document to hide the malicious operation and avoid raising suspicion
To hide the malicious operation and avoid raising suspicion, Kimsuky placed a legitimate document (“이력서 양식.hwp”) in the same folder as the “.scr” file. Its name translates from Korean to English as “CV Form”, and it contains a CV form with empty fields. An interesting behaviour of the North Korean hackers is the “explorer.exe” injection performed by “AutoUpdate.dll” to avoid AV detection. Digging into the malicious code, it is possible to see the methods used to perform this operation. First, the malware sets the required privileges; then it proceeds with the injection. It writes the path to its malicious DLL into the virtual address space of another process, using the “VirtualAllocEx” function. In this case the target process is “explorer.exe”, and a remote thread is created inside it to make the remote process load the DLL.
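The artifacts named above (regsvr32.exe writing a “.tmp.db” into Temp, “AutoUpdate.dll” under a per-user Windows Defender folder, a registry value pointing at it, a “.tmp.bat” cleanup script, and a remote thread created in explorer.exe) are enough to hunt for this chain in endpoint telemetry. The following Python script is an added example, not code from the Yoroi report or from this article: it encodes each stage as a matching rule and runs the rules over a few constructed telemetry lines. The pipe-separated event format, the user name, the random file names, the registry key name, rundll32.exe as the process hosting the DLL, and the csrss.exe allow-list are all assumptions made for the example; the report names none of them.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Yoroi report), in a simplified
# "event|source_image|target|data" form. The user name, random file names,
# rundll32.exe as the injecting host process and the registry key name are
# assumptions: the report only says a registry key is set and that
# explorer.exe is the injection target.
SAMPLE_EVENTS = r"""
FileCreate|C:\Windows\System32\regsvr32.exe|C:\Users\bob\AppData\Local\Temp\a8f3.tmp.db|
FileCreate|C:\Windows\System32\regsvr32.exe|C:\Users\bob\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll|
RegistrySet|C:\Windows\System32\regsvr32.exe|HKCU\Software\CONSTRUCTED_KEY\AutoUpdate|C:\Users\bob\AppData\Roaming\Microsoft\Windows\Defender\AutoUpdate.dll
FileCreate|C:\Windows\System32\cmd.exe|C:\Users\bob\AppData\Local\Temp\b91c.tmp.bat|
FileDelete|C:\Windows\System32\cmd.exe|C:\Users\bob\AppData\Local\Temp\b91c.tmp.bat|
CreateRemoteThread|C:\Windows\System32\rundll32.exe|C:\Windows\explorer.exe|
FileCreate|C:\Program Files\Editor\editor.exe|C:\Users\bob\AppData\Local\Temp\draft.tmp|
CreateRemoteThread|C:\Windows\System32\csrss.exe|C:\Windows\explorer.exe|
""".strip().splitlines()

# Each rule: (name, event type, regex on source image, regex on target, regex on data).
# None means "don't care". Patterns follow the artifacts named in the report;
# matching is case-insensitive because Windows paths are.
RULES = [
    ("regsvr32_writes_tmp_db", "FileCreate",
     r"\\regsvr32\.exe$", r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\.db$", None),
    # Real Defender binaries do not live under a user's AppData\Roaming folder.
    ("autoupdate_dll_in_user_defender_dir", "FileCreate",
     None, r"\\AppData\\Roaming\\Microsoft\\Windows\\Defender\\AutoUpdate\.dll$", None),
    ("registry_value_references_autoupdate_dll", "RegistrySet",
     None, None, r"\\Microsoft\\Windows\\Defender\\AutoUpdate\.dll"),
    ("tmp_bat_in_temp", "FileCreate",
     None, r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\.bat$", None),
    ("remote_thread_into_explorer", "CreateRemoteThread",
     None, r"\\explorer\.exe$", None),
]

# Assumption: csrss.exe routinely creates threads in other processes, so it is
# excluded from the remote-thread rule to cut known benign noise.
BENIGN_REMOTE_THREAD_SOURCES = {"csrss.exe"}


def parse_event(line):
    """Split one telemetry line into its four fields."""
    event, source, target, data = line.split("|", 3)
    return {"event": event, "source": source, "target": target, "data": data}


def _matches(pattern, value):
    return pattern is None or re.search(pattern, value, re.IGNORECASE) is not None


def match_rules(ev):
    """Return the names of every rule the parsed event satisfies."""
    hits = []
    for name, event, src_re, tgt_re, data_re in RULES:
        if ev["event"] != event:
            continue
        if not (_matches(src_re, ev["source"]) and _matches(tgt_re, ev["target"])
                and _matches(data_re, ev["data"])):
            continue
        if event == "CreateRemoteThread":
            source_name = ev["source"].rsplit("\\", 1)[-1].lower()
            if source_name in BENIGN_REMOTE_THREAD_SOURCES:
                continue
        hits.append(name)
    return hits


def hunt(lines):
    """Map each rule name to the 1-based line numbers that triggered it."""
    found = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        for name in match_rules(parse_event(line)):
            found[name].append(lineno)
    return dict(found)


def chain_score(lines):
    """Count how many distinct stages of the described chain were observed.
    Several stages on one host are a much stronger signal than any single
    hit; a lone .tmp.bat in Temp, for instance, is not unusual by itself."""
    return len(hunt(lines))


if __name__ == "__main__":
    for name, lines_hit in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{name}: lines {lines_hit}")
    print("stages observed:", chain_score(SAMPLE_EVENTS))
```

The rules are deliberately keyed on the path and process names the report gives rather than on file hashes, since the “<random_name>” prefixes change per infection; correlating several stages on the same host (the chain score) is what turns individually noisy hits such as a remote thread into explorer.exe into a confident detection.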