The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access infected machines.
This is a sign of shifting tactics for Kimsuky, according to AhnLab SEcurity Intelligence Center (ASEC), who discovered the campaign.
ASEC says the North Korean hackers now use a diverse set of customized remote access tools instead of relying solely on noisy backdoors like PebbleDash, which is still used.
Kimsuky’s latest attack chain
The latest infection chain starts with a spear-phishing email containing a malicious shortcut (.LNK) file attachment disguised as a PDF or Word document.
The emails contain the recipient’s name and correct company names, suggesting that Kimsuky performed reconnaissance before the attack.
Opening the .LNK file triggers PowerShell or Mshta to retrieve additional payloads from an external server, including:
- PebbleDash, a known Kimsuky backdoor providing initial system control.
- A modified version of the open-source RDP Wrapper tool, enabling persistent RDP access and security measures bypass.
- Proxy tools for bypassing private network restrictions, allowing attackers to access the system even when direct RDP connections are blocked.
Custom RDP Wrapper
RDP Wrapper is a legitimate open-source tool designed to enable Remote Desktop Protocol (RDP) functionality on Windows versions that do not natively support it, like Windows Home.
It acts as a middle layer, allowing users to enable remote desktop connections without modifying system files.
Kimsuky’s version altered export functions to bypass antivirus detection and likely differentiates its behavior enough to evade signature-based detection.
Source: ASEC
The main advantage of using a custom RDP Wrapper is detection evasion, as RDP connections are often treated as legitimate, allowing Kimsuky to stay under the radar for longer.
Moreover, it provides a more comfortable GUI-based remote control, compared to shell access via malware, and can bypass firewalls or NAT restrictions via relays, allowing RDP access from outside.
ASEC reports that once Kimsuky secures their foothold on the network, they drop secondary payloads.
These include a keylogger that captures keystrokes and stores them in text files in system directories, an infostealer (forceCopy) that extracts credentials saved on web browsers, and a PowerShell-based ReflectiveLoader that enables in-memory payload execution.
Overall, Kimsuky is a persistent and evolving threat and one of North Korea’s most prolific cyber-espionage threat groups devoted to collecting intelligence.
ASEC’s latest findings indicate that the threat actors switch to stealthier remote access methods for prolonged dwell times in compromised networks.