The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea.
Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip"), which masqueraded as a VPN invoice to distribute malware capable of file transfer, capturing screenshots, and executing arbitrary commands.
"The chain has three steps: a small dropper, a loader called MemLoad, and the final backdoor, named 'HttpTroy,'" security researcher Alexandru-Cristian Bardaș said.
Present within the ZIP archive is a SCR file of the same name, opening which triggered the execution chain, starting with a Golang binary containing three embedded files, including a decoy PDF document that's displayed to the victim to avoid raising any suspicion.
Also launched simultaneously in the background is MemLoad, which is responsible for setting up persistence on the host by means of a scheduled task named "AhnlabUpdate," an attempt to impersonate AhnLab, a South Korean cybersecurity company, and decrypt and execute the DLL backdoor ("HttpTroy").
The implant allows the attackers to gain complete control over the compromised system, enabling file upload/download, screenshot capture, command execution with elevated privileges, in-memory loading of executables, reverse shell, process termination, and trace removal. It communicates with the command-and-control (C2) server ("load.auraria[.]org") over HTTP POST requests.
"HttpTroy employs multiple layers of obfuscation to hinder analysis and detection," Bardaș explained. "API calls are concealed using custom hashing techniques, while strings are obfuscated through a combination of XOR operations and SIMD instructions. Notably, the backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them during runtime using varied combinations of arithmetic and logical operations, further complicating static analysis."
The findings come as the cybersecurity vendor also detailed a Lazarus Group attack that led to the deployment of Comebacker and an upgraded version of its BLINDINGCAN (aka AIRDRY or ZetaNile) remote access trojan. The attack targeted two victims in Canada and was detected in the "middle of the attack chain," it added.
While the exact initial access vector used in the attack is not known, it's assessed to be a phishing email based on the absence of any known security vulnerabilities that could have been exploited to gain a foothold.
Two different variants of Comebacker – one as a DLL and another as an EXE – have been put to use, with the former launched via a Windows service and the latter through "cmd.exe." Irrespective of the method used to execute them, the end goal of the malware is the same: to decrypt an embedded payload (i.e., BLINDINGCAN) and deploy it as a service.
BLINDINGCAN is designed to establish a connection with a remote C2 server ("tronracing[.]com") and await further instructions that allow it to -
- Upload/download files
- Delete files
- Alter a file's attributes to mimic another file
- Recursively enumerate all files and sub-directories for a specified path
- Gather data about files across the entire file system
- Collect system metadata
- List running processes
- Run a command-line using CreateProcessW
- Execute binaries directly in memory
- Execute commands using "cmd.exe"
- Terminate a specific process by passing a process ID as input
- Take screenshots
- Take pictures from the available video capture devices
- Update configuration
- Change current working directory
- Delete itself and remove all traces of malicious activity
"Kimsuky and Lazarus continue to sharpen their tools, showing that DPRK-linked actors aren't just maintaining their arsenals, they're reinventing them," Gen Digital said. "These campaigns demonstrate a well-structured and multi-stage infection chain, leveraging obfuscated payloads and stealthy persistence mechanisms."
"From the initial stages to the final backdoors, each component is designed to evade detection, maintain access and provide extensive control over the compromised system. The use of custom encryption, dynamic API resolution and COM-based task registration/services exploitation highlights the groups' continued evolution and technical sophistication."
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.