North Korean Hacker Groups Kimsuky and Lazarus Deploy Advanced Backdoor Tools
Recent cybersecurity analyses have unveiled that North Korean state-sponsored hacker groups, Kimsuky and Lazarus, have developed and deployed sophisticated malware tools designed to establish persistent backdoor access and remote control over compromised systems. These advancements highlight the evolving capabilities of these groups in conducting cyber espionage and attacks.
Kimsuky’s Deployment of HttpTroy
Kimsuky, known for its espionage campaigns, has introduced a new malware tool named HttpTroy. It was identified in an attack on a South Korean entity that began with a ZIP archive posing as a VPN invoice from a legitimate Korean security company. The archive contained a malicious screensaver file that, when executed, displayed a decoy PDF and at the same time started the infection chain.
The infection chain comprises three stages:
1. Initial Dropper: A lightweight Go-based executable carrying three embedded files, each XOR-encrypted.
2. Memload_V3: This stage creates scheduled tasks that pose as legitimate antivirus update jobs and run every minute, keeping the implant alive across reboots and process kills.
3. HttpTroy Backdoor: The final payload gives the operators comprehensive control, including file manipulation, screenshot capture, command execution with elevated privileges, and reverse shell deployment.
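A minute-interval scheduled task is one of the few durable artefacts in this chain, and it is easy to hunt for on an endpoint. The following is an added example, not code from the report or the malware: it parses the CSV that `schtasks /query /fo CSV /v` prints on Windows and flags tasks that re-run at very short intervals or launch from user-writable directories. The sample rows are constructed and trimmed to the columns used here; the task name, binary path and one-minute trigger are assumptions based on the description above.

```python
"""Hunting short-interval scheduled-task persistence in `schtasks` output.

Added example, not from the original report. The CSV sample below is
constructed: it mimics `schtasks /query /fo CSV /v` but keeps only the
columns this script reads. The task name and path are assumptions.
"""
import csv
import io
import re

# Constructed sample: header plus three task rows in schtasks' verbose CSV layout.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly","Disabled"
"WS01","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Microsoft Corporation","%windir%\system32\sc.exe start wuauserv","SYSTEM","At system startup","Disabled"
"WS01","\AntiVirusUpdateCheck","WS01\user","C:\Users\user\AppData\Local\Temp\update.exe","user","One Time Only, Minute","0:01:00"
'''

# Directories a standard user can write to; a "security update" task should not run from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def parse_interval_seconds(value: str):
    """Convert a 'Repeat: Every' value such as '0:01:00' to seconds; None if not repeating."""
    match = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not match:
        return None
    hours, minutes, seconds = (int(part) for part in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def find_suspicious_tasks(csv_text: str, max_interval_seconds: int = 300) -> list:
    """Return one finding per task that repeats very often or runs from a user-writable path.

    A task that does both is rated high: a trigger of a minute or less combined with a
    binary outside Program Files/System32 matches the persistence described for Memload_V3.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        interval = parse_interval_seconds(row.get("Repeat: Every", ""))
        if interval is not None and interval <= max_interval_seconds:
            reasons.append(f"repeats every {interval}s")
        if USER_WRITABLE.search(row.get("Task To Run", "")):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append({
                "task": row["TaskName"],
                "binary": row["Task To Run"],
                "author": row.get("Author", ""),
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"[{finding['severity']}] {finding['task']} -> {finding['binary']} ({'; '.join(finding['reasons'])})")
```

On a live host, replace the constructed sample with the output of `schtasks /query /fo CSV /v`; the threshold of five minutes is deliberately generous so that the one-minute trigger described above is caught even if the operator relaxes it.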
HttpTroy communicates exclusively over HTTP POST requests and applies two layers of obfuscation to every message: the payload is XOR-encrypted and the result is Base64-encoded. Under this scheme the backdoor receives tasking as simple command/parameter pairs and reports the outcome of each task back to the server using specific status identifiers.
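Two-layer XOR-plus-Base64 framing is weak once a sample or a capture is in hand, because the Base64 layer is keyless and a short XOR key can be recovered from the ciphertext alone. The block below is an added example, not code from the report or from the malware: it implements the layering for both directions, recovers a single-byte XOR key from a captured POST body by scoring all 256 candidates for English-like text, and splits the recovered tasking line into command and parameter. The key value (0x5A), the "<command> <argument>" layout and the sample messages are assumptions made for illustration; the page does not give the real key or framing.

```python
"""Encoding, decoding and key recovery for XOR-then-Base64 C2 messages.

Added example, not from the original report. The key (0x5A), the tasking
layout and the sample messages are assumptions; real HttpTroy traffic may
use a different key length and framing.
"""
import base64
import string

# English letter-frequency weights (space included) used to score decryption candidates.
_FREQ = {" ": 13.0, "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0,
         "n": 6.7, "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0}
_PRINTABLE = set(string.printable.encode("ascii"))

ASSUMED_KEY = bytes([0x5A])                 # assumption: single-byte repeating XOR key
SAMPLE_TASKING = b"shell whoami /all"       # constructed tasking message from the server
SAMPLE_REPORT = b"200 user01\\alice"        # constructed status report: identifier + output


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(message: bytes, key: bytes) -> str:
    """Layer 1: XOR with the key. Layer 2: Base64 so the result fits in a POST body."""
    return base64.b64encode(xor_bytes(message, key)).decode("ascii")


def deobfuscate(body: str, key: bytes) -> bytes:
    """Reverse the two layers: Base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(body), key)


def english_score(data: bytes) -> float:
    """Higher means more English-like; control and non-ASCII bytes are heavily penalised."""
    score = 0.0
    for b in data:
        if b not in _PRINTABLE:
            score -= 50.0
        elif chr(b) in _FREQ:
            score += _FREQ[chr(b)]
        elif 0x61 <= b <= 0x7A:      # remaining lowercase letters
            score += 1.0
        else:                        # digits, punctuation, uppercase, whitespace
            score += 0.5
    return score


def recover_single_byte_key(body: str):
    """Brute-force a single-byte XOR key for a captured Base64 POST body.

    Returns (key, plaintext) for the candidate whose plaintext scores highest.
    Only the Base64 layer is needed to get at the XOR layer, which is why the
    encoding adds no secrecy beyond the key itself.
    """
    raw = base64.b64decode(body)
    best_key = max(range(256), key=lambda k: english_score(xor_bytes(raw, bytes([k]))))
    return best_key, xor_bytes(raw, bytes([best_key]))


def parse_command(message: bytes) -> dict:
    """Split an assumed '<command> <argument>' tasking line into its two parts."""
    command, _, argument = message.decode("utf-8", "replace").partition(" ")
    return {"command": command, "argument": argument}


def parse_report(message: bytes) -> dict:
    """Split an assumed '<status id> <output>' report line into identifier and output."""
    status, _, output = message.decode("utf-8", "replace").partition(" ")
    return {"status": status, "output": output}


if __name__ == "__main__":
    body = obfuscate(SAMPLE_TASKING, ASSUMED_KEY)       # what the server would POST back
    key, plaintext = recover_single_byte_key(body)      # analyst side: key unknown
    print(f"captured body : {body}")
    print(f"recovered key : 0x{key:02X} -> {plaintext!r}")
    print(f"parsed tasking: {parse_command(plaintext)}")
    print(f"report body   : {obfuscate(SAMPLE_REPORT, ASSUMED_KEY)}")
```

The frequency-based scorer is what makes the brute force reliable on short messages; a plain "is it printable" check ties between the true key and neighbouring keys that merely flip a few bits. For a multi-byte key the same scoring applies per key position once the key length is known.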
Lazarus Group’s Enhanced BLINDINGCAN Variant
The Lazarus Group, another North Korean state-sponsored entity, has introduced an enhanced variant of its BLINDINGCAN malware. The variant was observed in attacks on two Canadian entities and adds techniques for concealing payload delivery and for service-based persistence that evade traditional endpoint detection.
The attack sequence involves:
1. Initial Compromise: Spear-phishing emails carrying malicious attachments or links start the infection.
2. Payload Delivery: The enhanced BLINDINGCAN variant is deployed, bringing its evasion techniques and the ability to establish persistent backdoor access.
3. Command and Control: The implant maintains contact with attacker-controlled servers to receive commands and exfiltrate data.
The enhanced BLINDINGCAN variant demonstrates Lazarus Group’s continued investment in developing advanced malware capable of evading detection and maintaining long-term access to compromised systems.
Implications and Recommendations
The deployment of HttpTroy by Kimsuky and of the enhanced BLINDINGCAN variant by Lazarus Group underscores the growing sophistication of state-sponsored cyber threats. Organizations are advised to implement comprehensive cybersecurity measures, including:
– User Education: Training employees to recognize and report phishing attempts such as the invoice-themed archive and spear-phishing emails used in these campaigns.
– Advanced Threat Detection: Deploying endpoint detection and response (EDR) tooling and alerting on the persistence artefacts seen here, in particular scheduled tasks with minute-level triggers and newly installed services.
– Regular Updates: Keeping all systems and software current with the latest security patches.
By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats posed by groups like Kimsuky and Lazarus.