The Kimsuky operation leveraged a phishing email containing a ZIP file masquerading as a VPN invoice, according to analysis by Gen Digital. Inside the archive was an SCR file whose execution triggered a three-step chain: a small dropper, the MemLoad loader, and the final HttpTroy backdoor. To avoid immediate suspicion, a decoy PDF was displayed to the victim while the infection proceeded in the background. MemLoad ensured persistence by creating a scheduled task named “AhnlabUpdate,” mimicking a legitimate South Korean cybersecurity company. This loader then decrypted and executed the final DLL backdoor.
The sophisticated HttpTroy implant grants attackers complete control over the compromised system. Its capabilities include file transfers, screenshot capture, arbitrary command execution with elevated privileges, in-memory loading of executables, and reverse shell functionality. It communicates with its command-and-control (C2) server over standard HTTP POST requests. Analysis shows the backdoor employs multiple layers of obfuscation to defeat detection; API calls are concealed using custom hashing, and strings are dynamically reconstructed during runtime through varying arithmetic and logical operations, complicating static analysis significantly.
Separately, the Lazarus Group attack is assessed to have likely used a phishing email to gain initial access, though the exact vector is unknown. The attack involved deploying two different variants of the Comebacker malware—one as a DLL launched via a Windows service and the other as an EXE launched through cmd.exe. Regardless of the initial method, the goal of both variants was the same: to decrypt an embedded payload, which was the advanced BLINDINGCAN Remote Access Trojan (RAT), and install it as a service.
The upgraded BLINDINGCAN RAT connects to a remote C2 server, awaiting instructions for a wide range of hostile actions. These powerful capabilities include extensive file system manipulation (uploading, downloading, deleting, and enumerating files), gathering system metadata, listing running processes, executing commands via cmd.exe, and running binaries directly in memory. The RAT is also equipped for surveillance, allowing for screenshots and the capture of images from available video devices, alongside a self-destruct function to remove all traces of its activity.
These recent campaigns clearly demonstrate that North Korean-linked threat actors are continually advancing their arsenals. Both Kimsuky and Lazarus utilize highly structured, multi-stage infection chains, relying on heavily obfuscated payloads and stealthy persistence mechanisms. Their use of custom encryption, dynamic API resolution, and exploitation of Windows features for persistence underscores the groups’ increasing technical sophistication and commitment to evading detection throughout the infection life cycle.
Reference:
