Kimsuky Deploys HttpTroy Backdoor Disguised as VPN Invoice in Targeted South Korean Cyberattack

HttpTroy Backdoor Masquerades as VPN Invoice in Targeted South Korean Cyberattack

In a recent cybersecurity incident, the North Korean-affiliated threat group known as Kimsuky was observed deploying a novel backdoor named HttpTroy. The malware was delivered through a spear-phishing campaign aimed at a single target in South Korea.

The attack commenced with a deceptive email containing a ZIP file titled 250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip, which translates to 250908_A_HK Innocean_SecuwaySSL VPN Manager U100S 100user_quotation.zip. This file masqueraded as a legitimate VPN invoice to lure the recipient into opening it.

Upon extraction, the ZIP archive revealed a screensaver file (SCR) bearing the same name. Executing this file initiated a multi-stage infection process:

1. Dropper Execution: The SCR file acted as a dropper, launching a Golang binary that embedded three components:
– A decoy PDF document displayed to the user to avert suspicion.
– A loader named MemLoad.
– The final payload, the HttpTroy backdoor.

2. Loader Activation: MemLoad was responsible for establishing persistence on the infected system by creating a scheduled task named AhnlabUpdate, an attempt to impersonate AhnLab, a reputable South Korean cybersecurity firm. This task facilitated the decryption and execution of the HttpTroy backdoor.

3. Backdoor Deployment: Once activated, HttpTroy granted the attackers comprehensive control over the compromised system, enabling them to:
– Upload and download files.
– Capture screenshots.
– Execute commands with elevated privileges.
– Load executables directly into memory.
– Establish a reverse shell.
– Terminate processes.
– Erase traces of malicious activity.

Communication between HttpTroy and its command-and-control (C2) server, located at load.auraria[.]org, was conducted via HTTP POST requests.
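The infection chain above yields three concrete indicators a defender can hunt for: the screensaver lure, the AhnlabUpdate scheduled task and contact with the C2 domain. The following is an added triage example written for this article, not code from the report or from any vendor; the key="value" log format, the file paths, the MemLoad.exe file name and the source IP are constructed for illustration.

```python
import re
from typing import Dict, List

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as load.auraria[.]org back into a matchable domain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# Indicators taken from the report text.
C2_DOMAIN = refang("load.auraria[.]org")   # HttpTroy C2, contacted via HTTP POST
TASK_NAME = "AhnlabUpdate"                 # scheduled task created by MemLoad for persistence
LURE_EXT = ".scr"                          # screensaver dropper extracted from the ZIP lure

def parse_record(line: str) -> Dict[str, str]:
    """Parse one key="value" log record (a constructed format assumed for this example)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def triage(lines: List[str]) -> List[str]:
    """Return one finding per log line that matches an HttpTroy indicator; other lines yield nothing."""
    findings: List[str] = []
    for line in lines:
        rec = parse_record(line)
        event = rec.get("event")
        task = rec.get("task", "")
        image = rec.get("image", "")
        host = rec.get("host", "").lower()
        if event == "task_create" and task.lower() == TASK_NAME.lower():
            # Persistence stage: a task impersonating AhnLab. Check the creating image against
            # the vendor's real updater before escalating; the image is reported as-is here.
            findings.append(f"persistence: scheduled task {task} created by {image}")
        elif event == "http" and host == C2_DOMAIN:
            # C2 stage: the report describes HTTP POST beacons, but any contact with the
            # C2 domain is worth a finding, so the method is recorded rather than filtered on.
            findings.append(f"c2: {rec.get('method', '?')} to {host} from {rec.get('src', '?')}")
        elif event == "process_create" and image.lower().endswith(LURE_EXT):
            # Initial stage: a screensaver executed from a user-writable path is the lure.
            findings.append(f"lure: screensaver executed {image}")
    return findings

# Constructed sample records; paths, MemLoad.exe file name and source IP are made up.
SAMPLE_LOGS = [
    'event="process_create" image="C:\\Users\\victim\\Downloads\\250908_A_HK Innocean_SecuwaySSL VPN Manager U100S 100user_quotation.scr" parent="explorer.exe"',
    'event="task_create" task="AhnlabUpdate" image="C:\\Users\\victim\\AppData\\Local\\Temp\\MemLoad.exe"',
    'event="http" method="POST" host="load.auraria.org" src="10.0.0.5"',
    'event="http" method="GET" host="update.example.com" src="10.0.0.5"',
    'event="task_create" task="OneDrive Standalone Update" image="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Running the block prints one line for each of the first three sample records and nothing for the benign GET and the OneDrive task.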

To evade detection and complicate analysis, HttpTroy employed multiple obfuscation techniques:
– API Concealment: Utilized custom hashing methods to obscure API calls.
– String Obfuscation: Applied a combination of XOR operations and SIMD instructions to hide strings.
– Dynamic Reconstruction: Avoided reusing API hashes and strings by dynamically reconstructing them at runtime using varied arithmetic and logical operations.

This incident underscores the evolving tactics of state-sponsored cyber actors like Kimsuky, who continuously refine their methods to infiltrate targeted systems. The use of deceptive emails, sophisticated multi-stage payloads, and advanced obfuscation techniques highlights the need for heightened vigilance and robust cybersecurity measures.