This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. The report in AhnLab TIP includes details on encoding & encryption methods, packet structure, and more in addition to the characteristics and features of the malware. In particular, it also provides an IDA plugin and a backdoor test server developed by AhnLab for the convenience of analysts. To note, the masked information is available in AhnLab TIP.
Overview
Kimsuky’s HappyDoor malware is not commonly known to the world. AhnLab first collected its sample in 2021, and continued monitoring revealed that it had been used up to the present day in 2024 in data breaches. Investigation results hint that the threat actor has been patching the malware continuously. As shown in the image below, the version (4.2) and the numbers assumed to be the creation date (Jan 12 2024) are hard-coded into the version information, and the latest sample also displays the malware’s name (happy).
Version information in the binary
This “happy” string is also found in the Export DLL name and the code’s debug string, as shown below. Given the information, AhnLab SEcurity intelligence Center (ASEC) has dubbed this malware “HappyDoor”.
Distribution Method and Changes
1. Distribution Method
The Kimsuky group has distributed various malware strains via spear phishing email attacks in the past and is continuing to do so to this day. Some of the major cases include the installation of AppleSeed and AlphaSeed malware, and their method of distribution was introduced in a previous report (Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)) and also in the 2023 threat trend report (Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed). Recently, a detailed report was published in AhnLab TIP (Kimsuky Group’s Bait Files Used to Distribute AppleSeed & HappyDoor Backdoors (December 2023 – April 2024)).
HappyDoor in this case is also being distributed via an email attachment just like the previous method of distribution. This attachment file contains a compressed file, and the latter carries a JScript or a dropper (executable file). Once that is run, HappyDoor is created and executed along with legitimate bait files. The following is an example of JScript code (AMSI) decrypted when the script is executed:
```js
…(omitted)…
// Creating and executing the legitimate bait file
_Stream.SaveToFile("C:\\Windows\\..\\ProgramData\\[Legitimate bait file]", "2");
IWshShell3.Run("C:\\Windows\\..\\ProgramData\\[Legitimate bait file]", "");
…(omitted)…
```
Example of a decrypted JScript code
The execution path and execution argument (/i) of HappyDoor are as follows:
```
cmd.exe /c regsvr32.exe /s /n /i:(Random string)*
```
HappyDoor has a unique characteristic: its execution arguments carry a trailing asterisk (*), and its operation branches on which argument was given. The following is a list of arguments of the malware strains Kimsuky distributed between December 2023 and April 2024.
Date | Execution Argument (/i) | Malware Type |
---|---|---|
Dec. 2023 | 1qa2ws4rf | AppleSeed |
Dec. 2023 – Jan. 2024 | 12qw3ed | AppleSeed |
Dec. 2023 – Jan. 2024 | 1qaz2wsx5tgb | AppleSeed |
Jan. 2024 | syrsd* | HappyDoor |
Feb. 2024 | s* | HappyDoor |
Feb. 2024 | zsecq231 | AppleSeed |
Feb. 2024 – Mar. 2024 | 1qa2wszxc | AppleSeed |
Apr. 2024 | qazse123 | AppleSeed |
Given the list, HappyDoor can be distinguished from other backdoors simply by checking the execution arguments. Recently, there have been cases in which HappyDoor was installed as the first backdoor. The following is an AhnLab TIP forensics report regarding the cases of HappyDoor that recently surfaced in 2024.
2. Changes to HappyDoor
Since its first collection in 2021, HappyDoor has been appearing up to recent times (2024). The following lists the malware in the order of versions.
Number | File MD5 | Version Information | Install Argument | C2 |
---|---|---|---|---|
1 | d9b15979e76dd5d18c31e62ab9ff7dae | X (N/A, first collected in Jul. 2021) | X | hxxp://app.seoul.minia[.]ml/kinsa.php |
2 | 63ded●●●●●●●●●●● | 3.1 – Nov. 30, 2021 | X | hxxp://z.la●●●●.r-e[.]kr/kisa.php |
3 | 4ef5e3ce535f84f975a8212f5630bfe8 | 4.1 – May 16, 2023 | install* | hxxp://users.nya[.]pub/index.php |
4 | bd445●●●●●●●●●●● | 4.1 – May 30, 2023 | aooa* | hxxp://ocem.p●●●●[.]biz/index.php hxxp://uo.z●●●●.o-r[.]kr/index.php |
5 | a1c59fec34fec1156e7db27ec16121a7 | 4.1 – Jul. 6, 2023 | aooa* | hxxp://go.ktspace.p-e[.]kr/index.php hxxp://on.ktspace.p-e[.]kr/index.php |
6 | 2ce95●●●●●●●●●●● | 4.1 – Aug. 23, 2023 | aooa* | hxxp://on.sc●●●●.p-e[.]kr/index.php hxxp://go.sc●●●●.p-e[.]kr/index.php |
7 | c7b82b4bafb677bf0f4397b0b88ccfa2 | happy 4.2 Sep. 11, 2023 | aooa* | hxxp://aa.olixa.p-e[.]kr/index.php hxxp://uo.zosua.o-r[.]kr/index.php |
8 | 71364●●●●●●●●●●● | happy 4.2 Dec. 20, 2023 | syrsd* | hxxp://m●●●●.syrsd[.]p-e.kr/index.php hxxp://ba●●●●.syrsd.p-e[.]kr/index.php |
9 | 0054bdfe4cac0cb7a717749f8c08f5f3 | happy 4.2 Jan. 12, 2024 | syrsd* | hxxp://jp.hyyeo.p-e[.]kr/index.php hxxp://ai.hyyeo.p-e[.]kr/index.php |
10 | 8931b●●●●●●●●●●● | happy 4.2 Feb. 1, 2024 | s* | hxxp://ai.namu●●●●.p-e[.]kr/index.php |
The dates of the version information in the table above hint that the threat actor has been distributing the malware for quite some time. Additionally, the latest samples (8 – 10) collected from December 2023 to February 2024 show that the threat actor patched the malware at least once every month. The samples’ version information is hard-coded in the code as shown below:
Additionally, the latest HappyDoor samples all have an execution argument (/i), but the first sample did not have one. It appears that the threat actor started adding code that uses the execution argument in version 4.1 (sample no. 3), which was distributed in 2023. HappyDoor’s behavior differs based on this execution argument. The “install*” string used in the installation was only in sample no. 3; in later versions, the argument was distributed after being converted into a random string. As such, HappyDoor is first given “install*” (or its random-string equivalent) as the argument upon infection, and once that stage completes, it is given “init*”. It then inserts “run*”, the argument that performs the actual malicious activities, before executing itself again.
```
install* (random string) -> init* -> run*
```
Detailed Analysis
1. Summary
HappyDoor’s flow can be summarized as the following:
HappyDoor runs via regsvr32.exe because it is ultimately a DLL. Once launched, it removes the command line of the process (regsvr32), checks the execution argument (/i) of regsvr32, and executes in the following order:
Execution Argument | Details |
---|---|
install* | 1. Add to scheduler (“IntelDiskVolume0”) 2. Self-duplicate into a path and self-delete the original file 3. Rerun with init* |
init* | 1. Self-copy (.otp) and rerun with run* |
run* | 1. Configure malware settings (packet data + behavior information data) 2. Configure registry – Notepad: RSA key, data related to malicious behaviors – FTP: C&C address, packet authentication data (USER ID) 3. Send system information (osi) and sample configuration information (gcfg) 4. Create a thread in charge of malicious behavior (information theft / backdoor / data (klog,cmd) leak) |
There are largely three categories of execution arguments that execute in the order laid out above. The first argument (install*) is for self-duplication and scheduler (schtasks) registration. The paths for self-duplication and the scheduler command are as follows:
Before:
- %APPDATA%\microsoft\internet explorer\localdata\ie.cfg
- %APPDATA%\microsoft\internet explorer\localdata\ie.cfg.otp
Now:
- %APPDATA%\microsoft\internet explorer\localdata\imx.cfg
- %APPDATA%\microsoft\internet explorer\localdata\imx.cfg.otp
```
schtasks /create /f /tn "IntelDiskVolume0" /tr "C:\Windows\system32\regsvr32.exe /s /n /i:init* 'C:\Users\han\AppData\Roaming\Microsoft\Internet Explorer\LocalData\imx.cfg'" /sc minute /mo 5
```
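The install stage leaves two host-level traces described above: regsvr32 launched with a `/i:` argument that ends in `*` (install*/init*/run* or the random-string stand-in), and a scheduled task named “IntelDiskVolume0”. The following is an added example, not code from the report, that flags command lines carrying either trace; the sample command lines are constructed for the demonstration.

```python
import re

# Constructed sample command lines (not captured from a real host); they mirror
# the regsvr32 and schtasks invocations described in the report.
SAMPLE_CMDLINES = [
    'cmd.exe /c regsvr32.exe /s /n /i:syrsd* "C:\\ProgramData\\imx.cfg"',
    'regsvr32.exe /s /n /i:init* "C:\\Users\\han\\AppData\\Roaming\\Microsoft'
    '\\Internet Explorer\\LocalData\\imx.cfg"',
    'schtasks /create /f /tn "IntelDiskVolume0" /tr "C:\\Windows\\system32'
    '\\regsvr32.exe /s /n /i:init* ..." /sc minute /mo 5',
    'regsvr32.exe /s /n /i:1qa2ws4rf "C:\\ProgramData\\x.dll"',  # AppleSeed-style: no '*'
    'regsvr32.exe /s "C:\\Windows\\System32\\legit.dll"',         # benign, no /i at all
]

# The /i: value of a regsvr32 invocation, wherever it appears in the line
# (also inside the /tr argument of a schtasks command).
REGSVR32_I_ARG = re.compile(r'regsvr32(?:\.exe)?\s.*?/i:(\S+)', re.IGNORECASE)
# The persistence task name used by the install stage.
TASK_NAME = re.compile(r'/tn\s+"?IntelDiskVolume0"?', re.IGNORECASE)
# Stage arguments that the report says control HappyDoor's behavior.
KNOWN_STAGES = {"install*", "init*", "run*"}


def classify(cmdline):
    """Return the list of HappyDoor indicators present in one command line."""
    reasons = []
    m = REGSVR32_I_ARG.search(cmdline)
    if m:
        arg = m.group(1).strip('"\'')
        if arg in KNOWN_STAGES:
            reasons.append(f"regsvr32 /i stage argument {arg}")
        elif arg.endswith("*"):
            # Randomized install argument: unknown string, but still ends with '*'
            reasons.append(f"regsvr32 /i argument ends with '*': {arg}")
    if TASK_NAME.search(cmdline):
        reasons.append("scheduled task IntelDiskVolume0")
    return reasons


def scan(cmdlines):
    """Map each suspicious command line to the indicators it matched."""
    hits = {}
    for line in cmdlines:
        reasons = classify(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_CMDLINES).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

The AppleSeed-style argument without an asterisk is deliberately not flagged, matching the report's point that the trailing `*` is what distinguishes HappyDoor's arguments.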
“run*” performs key malicious activities such as stealing information and taking the role of the backdoor. The malware performs a total of six major infostealing activities, each with the corresponding string: screenshot (capturing screenshots), keylogger (keylogging), filemon (leaking files), alarm (taking information of the connected devices), micrec (voice recording), and mtpmon (leaking files inside Android). Furthermore, HappyDoor uses RSA and RC4 keys to encrypt the data and steal it when leaking information. Once the task is done, the malware then performs its backdoor activities. To note, the communication function that attempts to communicate with the C&C server consists of a virtual function table (vtable).
2. Characteristics
2.1. Registry Data
HappyDoor stores encoded data under two legitimate-looking registry paths. The registry paths and their roles are as follows:
A. NOTEPAD
- Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad
- Value: IfChar
- Summary: RSA key (public key, private key), ON/OFF switch related to infostealing and backdoor, infostealing function addresses and names
- Data size: 0x17E0 or 0x17D8 (varies by version)
The IfChar data structure is as follows:
Data | Description |
---|---|
Backdoor Packet Encryption ON/OFF | The flag value that decides whether or not to receive backdoor commands as encrypted packets (ON/OFF). It is set to 1 (ON) by default and performs decryption using an RSA private key or an RC4 key. |
interval_cmd, interval_ssht, ssht_width, ssht_height | The interval of information collection and the resolution of screenshots (ssht) leaked by the info-leaking features (cmd and ssht). |
The remaining fields are documented in AhnLab TIP.
B. FTP
- Path: HKEY_CURRENT_USER\Software\Microsoft\FTP
- Value: Use Https
- Summary: USER ID value (packet authentication data), C&C address
- Data size: Varies based on the number of C&Cs (estimated to be at least 0x320)
The data structure of “Use Https” is as follows. “Use Https” holds packet authentication data and C2 addresses; the details are as follows:
Data | Description |
---|---|
USER ID | An 8-byte value; two of them are stored (16 bytes in total). The value is random and can change upon a relaunch. In communication, it is sent to the C2 server and used in packet authentication. |
C2(C&C) Address | The threat actor’s C2 server that will be used for information leakage and backdoor. The amount is different in each sample. |
2.2. Packet Data
HappyDoor has been using HTTP to communicate with the C&C (Command and Control) server for quite a while.
The figure above is a packet identified in 2022, with the data encoded in XOR and Base64. The XOR encoding used in this packet is identical to the encryption method in “2.1. Registry”.
- Key: DD 33 99 CC (fixed), the same as the “2.1. Registry Data” method
- Data: packet data
- Expression: key[i%4] ^ data[i] ^ data[i-1] (with data[-1] = 0x0)
Upon decoding the data sent to the threat actor’s server from the packet above as an example, the following structure is shown:
The packet displays the info-leaking features (alarm, keylogger, and screenshot) that are currently running. The packet’s structure will be explained in more detail in the next section: “Packet Structure and Server Operation Method”.
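The XOR expression above is a chained XOR: each output byte depends on the fixed 4-byte key, the current byte and the previous byte. The following is an added example, not code from the report, that applies the expression exactly as written (with data[i-1] taken as the previous input byte and data[-1] = 0), derives its inverse, and wraps both in the Base64 layer the report describes. The report does not spell out which direction is “encode”; the block implements the literal expression and its inverse, and the sample payload is constructed.

```python
import base64

# Fixed key from the report: DD 33 99 CC
XOR_KEY = bytes([0xDD, 0x33, 0x99, 0xCC])


def happydoor_xor(data, key=XOR_KEY):
    """out[i] = key[i%4] ^ data[i] ^ data[i-1], with data[-1] = 0 (the report's expression)."""
    out = bytearray(len(data))
    prev = 0                      # data[-1] is defined as 0x0
    for i, b in enumerate(data):
        out[i] = key[i % len(key)] ^ b ^ prev
        prev = b                  # chain on the *input* byte
    return bytes(out)


def happydoor_xor_inverse(data, key=XOR_KEY):
    """Undo happydoor_xor: data[i] = out[i] ^ key[i%4] ^ data[i-1], recovered left to right."""
    out = bytearray(len(data))
    prev = 0
    for i, b in enumerate(data):
        prev = key[i % len(key)] ^ b ^ prev
        out[i] = prev             # each recovered byte feeds the next step
    return bytes(out)


def encode_packet(plain):
    """XOR then Base64, the layering the report observed on the wire."""
    return base64.b64encode(happydoor_xor(plain)).decode("ascii")


def decode_packet(b64_text):
    """Base64 then inverse XOR; returns the recovered packet bytes."""
    return happydoor_xor_inverse(base64.b64decode(b64_text))


if __name__ == "__main__":
    # Constructed payload shaped like the feature list seen in the decoded packet
    sample = b"init;;alarm;;keylogger;;screenshot"
    wire = encode_packet(sample)
    print("on the wire:", wire)
    print("decoded    :", decode_packet(wire))
```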
2.3. Packet Structure and Server Operation Method
2.3.1. Operation Method
(The team arrived at the following result only through analysis because the server could not be accessed at the time of the analysis. As such, some details may differ from the actual server response.)
According to the analysis results, HappyDoor uses the HTTP protocol to perform the following communication:
Given the information, the packets can be divided into three types according to their behavior, and each behavior can be summarized as the following:
Authenticating Server Communication (Packet Type: 1)
1) Sends “init” to the server and receives “OK”.
Attempting Information Leak (Packet Type: 4)
2) Sends Trans Status: 0x1 to notify the server that data will be sent.
3) Sends data up to the maximum data size (0x100000) depending on the file size. If the data is bigger than the maximum size, increases Data Ord Number by 1 in order, splits the data, and sends it.
4) The data’s end signals the server that the transfer is complete via Data Ord Number: 0x100000000, and checks the value for response completion (Trans Status: 0x3).
5) Sets File Info: 0x5 to send the file name of the transferred data, adds the file name behind the “cloud;;” string, and sends it.
Backdoor Communication (Packet Type: 6)
6) Exchanges CMD ID (0x3E8) with the server.
7) Sends the CMD ID (command number) and command data to the backdoor.
8) Performs the backdoor command fitting the CMD ID and sends a response.
2.3.2. Packet Structure
HappyDoor’s packets are structured to have the size of 0x40 by default and check for their validity via five pieces of verification data whenever they receive a response from the server. The “packet types” explained above can also be found in the structure below.
The structure is listed and described in the table below:
Size (Byte) | Data Name | Description |
---|---|---|
4 | Random | Random 4 bytes. |
12 | Verification 1 ~ 3 (Version) | Presumed to be the malware’s version (used in the authentication process). |
8 | Verification 4(USER ID) | The USER ID value of the FTP registry structure. Randomly generated while running (used in the authentication process). |
4 | Verification 5(Signature) | The signature value “0x84DE5360” used by HappyDoor’s packets (used during the authentication process). |
4 | Packet Type | 1: Checks the connection 4: Transfers data 6: Performs backdoor activities |
4 | File Info | When Packet Type is 4, sets it to 5 when sending the name of the transferred data file. |
4 | CMD ID | The backdoor command ID when Packet Type is 6. (Unique ID as shown below when Packet Type is 4). |
The remaining fields are documented in AhnLab TIP.
As such, the code that verifies the response packets received from the server like in the table above is shown in the figure below. Note that it checks Verification 1 to 5.
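The following is an added example, not the report's or the malware's code, that builds a 0x40-byte header from the fields in the table above and performs the five-field check the report describes (version, USER ID, and the 0x84DE5360 signature). Assumptions: the fields appear in the table's order at the start of the header, integers are little-endian, and the 24 bytes the table does not document are zero-filled.

```python
import struct

SIGNATURE = 0x84DE5360            # Verification 5 from the report
HEADER_LEN = 0x40                 # default packet size from the report
PACKET_TYPES = {1: "connection check", 4: "data transfer", 6: "backdoor"}

# Assumed layout (field order from the table; little-endian is an assumption):
# random(4) | version(12) | user_id(8) | signature(4) | packet_type(4) | file_info(4) | cmd_id(4)
_FMT = "<4s12s8sIIII"
_FIXED = struct.calcsize(_FMT)    # 40 bytes; the rest of the 0x40 is undocumented here


def build_header(version, user_id, packet_type, file_info=0, cmd_id=0, rand=b"\0\0\0\0"):
    """Assemble a header the way a conforming peer would; used here to make test packets."""
    if len(version) != 12 or len(user_id) != 8 or len(rand) != 4:
        raise ValueError("version must be 12 bytes, user_id 8 bytes, rand 4 bytes")
    head = struct.pack(_FMT, rand, version, user_id, SIGNATURE,
                       packet_type, file_info, cmd_id)
    return head + b"\0" * (HEADER_LEN - _FIXED)   # assumed zero padding


def verify_response(packet, expected_version, expected_user_id):
    """Return the parsed fields if Verification 1-5 all match, otherwise None."""
    if len(packet) < HEADER_LEN:
        return None
    _rand, version, user_id, sig, ptype, finfo, cmd = struct.unpack_from(_FMT, packet)
    if version != expected_version:        # Verification 1-3: version
        return None
    if user_id != expected_user_id:        # Verification 4: USER ID from the FTP registry data
        return None
    if sig != SIGNATURE:                   # Verification 5: fixed signature
        return None
    return {
        "packet_type": ptype,
        "packet_kind": PACKET_TYPES.get(ptype, "unknown"),
        "file_info": finfo,
        "cmd_id": cmd,
    }


if __name__ == "__main__":
    ver = b"happy 4.2\0\0\0"               # constructed 12-byte version field
    uid = b"\x11" * 8                      # constructed USER ID
    pkt = build_header(ver, uid, packet_type=6, cmd_id=0x3E8)
    print(verify_response(pkt, ver, uid))
    tampered = bytearray(pkt)
    tampered[24] ^= 0xFF                   # corrupt the first signature byte
    print(verify_response(bytes(tampered), ver, uid))   # None
```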
3. Features
3.1. Information Theft
The malware is equipped with six different types of infostealing features, and the execution is decided by each “Infosteal ON/OFF” value of the Notepad (IfChar). (1: ON, 0: OFF)
An infostealing feature set to “1” (ON) runs in its own thread, and when a thread has information to steal, a temporary file is created in the %TEMP% folder and the information is written to it.
- Temporary file: %TEMP%\{random_4 characters}.tmp
Afterward, the RSA public key and the randomly generated RC4 key are used to encrypt the leaked information, and the encrypted information is saved in a specific path shown below. The data is then leaked to the C2 server and deleted. The file names and the path where the leaked data is saved are as follows:
[Encrypted Data]
- Path for saving: %AllUsersProfile%\Google\Internet Explorer\LocalData\User Data
- Data file name: {feature name}@year month day{hour minute second-mili}.ute1
To this folder, six key pieces of leaked data are saved along with data such as the operating system information (osi), the response value of certain backdoor commands, and the information of currently running malware (gcfg), which is then sent to the C2 server. Hence, the features that save the information to this path can be organized into the following list:
Type | File Name | Feature (or Summary) | Description |
---|---|---|---|
Information Theft | ssht | screenshot | Takes screenshots |
Information Theft | klog | keylogger | Keylogging information |
Information Theft | fmon | filemon | Collects files that match the following conditions: specific paths (“Desktop”, “Document”, “Download”, “AppData\Local\Microsoft\Windows\INetCache\IE”); specific extensions (.hwp .pdf .doc .xls .ppt .egg .jp*); date modified within 15 days; file size 50 MB or smaller |
Information Theft | ausb | alarm | Collects file names and paths related to the connected portable devices |
Information Theft | amtp | alarm (same as above) | Names of connected portable devices, and more |
Information Theft | mrec | micrec | Activates voice recording and records voices |
Information Theft | mmtp | mtpmon | Collects files with the following extensions from the connected Android devices: .jpg .jpeg .png .bmp .hwp .doc .ppt .xls .pdf .txt |
Others | osi | OS Information | Collects the OS version and architecture |
Others | gcfg | Get Config | HappyDoor info (version, C2 address, USER ID, etc.) |
Backdoor | ccmd | CMD result | Execution results of command prompts, *.ps1, and *.bat |
Backdoor | mcfg | Method Config | Base64 strings showing info-leaking feature status (ON/OFF) |
Backdoor | fup | File Upload | Collects compressed files (.Z .zip .zoo .arc .lzh .arj .gz .tgz) |
3.1.1. Six Key Features
SCREENSHOT(SSHT)
Captures the current screen and saves it as a JPG file.
KEYLOGGER(KLOG)
Saves the current time in addition to the processes and key information entered by the user. This information is saved in the following format:
FILEMON(FMON)
This feature collects files that meet certain conditions from the paths below and saves them as a compressed file. After collecting and transferring a file, the MD5 value (16 bytes) of “filename + date modified” is saved to the result file below. Before every file transfer, the content of the “ocl.dat” file is checked so that the same file is not sent again; however, because the date modified is part of the hashed value, modified files are sent again.
- Paths for collecting files: “%UserProfile%\Desktop”, “%UserProfile%\Document”, “%UserProfile%\Download”, “%UserProfile%\AppData\Local\Microsoft\Windows\INetCache\IE”
- Conditions for collection: extensions (hwp, pdf, doc, xls, ppt, egg, jp*), time (date modified within 15 days), file size (50 MB or smaller)
- Path for result file: %SystemDrive%\ProgramData\ocl.dat
ALARM(AUSB, AMTP)
This feature collects data such as files, paths, and names of connected portable disks or devices and saves the data as “ausb” or “amtp”. SetupAPI or COM object (IID_IPortableDevice, etc.) is used to collect and save information from portable disks as shown below:
MICREC(MREC)
This is a feature that allows access to microphones and records voices.
If a microphone is connected, the voices are recorded and saved to the %temp% folder.
- Recording file: %temp%\{Year-Month-Day_Hour-Minute-Second}.wav
The file is then encrypted and leaked as the filename “mrec”.
MTPMON(MMTP)
“mtpmon” is a feature that collects certain files from “Android” portable devices via Media Transfer Protocol (MTP). Like the filemon (fmon) feature, after collecting and transferring a file, the MD5 value (16 bytes) of “filename + date modified” is saved to the result file below. Before every file transfer, the content of the “mci.dat” file is checked so that the same file is not sent again; however, because the date modified is part of the hashed value, modified files are sent again.
- Collected extensions: .jpg .jpeg .png .bmp .hwp .doc .ppt .xls .pdf .txt
- Path for result file: %SystemDrive%\ProgramData\mci.dat
3.1.2. Others
Executed before proceeding with the backdoor features, this is a feature for collecting PC (osi) and malware (gcfg) information and sending it to the C2 server. The “osi” file collects information such as the OS version, architecture, and the service pack version; the “gcfg” file is a feature for sending the HappyDoor information, meaning that it sends data configured in the registry such as UserID, C2 server, and transfer interval of certain data.
3.2. Backdoor
When receiving backdoor commands from the threat actor, HappyDoor usually operates via encrypted packets. Whether packets are encrypted is decided by the Notepad registry’s “Backdoor Packet Encryption ON/OFF” value; because it is set to “1” (ON) by default, changing it to “0” (OFF) allows HappyDoor to receive backdoor commands using unencrypted packets. Upon receiving a packet from the threat actor’s server, HappyDoor performs the backdoor feature that corresponds to the “CMD ID” number of the packet.
Commands
HappyDoor’s backdoor commands are as follows:
CMD ID | Feature | Details | Result File |
---|---|---|---|
1002 | Terminate | Terminates the backdoor | |
1003 | Sleep | The main thread sleeps for a set time (argument) | |
1004 | Restart | Restarts the backdoor | |
1005 | Update | Loads a new DLL file (argument) and terminates the old backdoor | |
1101 | Run Command Line | Runs the data received as an argument with the command prompt | ccmd |
1102 | Run with BAT | Creates a BAT file and runs the data received as an argument | ccmd |
1103 | Run with PowerShell | Creates a PS1 file and runs the data received as an argument | ccmd |
1104 | Run DLL | Uses regsvr32 to run the DLL file and deletes it | |
1105 | Run Memory | Loads the portable executable (PE) file in the memory and runs it | |
1111 | Collect Information | Collects OS information (osi), default configuration value (gcfg), and global variable configuration value | osi, gcfg |
1112 | Settings related to global variables | interval_cmd: interval for receiving backdoor commands; interval_ssht: screenshot transmission interval; ssht_height / ssht_width: screenshot size | |
1121 | Change Notepad Registry | Changes HKCU\Software\Microsoft\Notepad and prints the activation status (mcfg) of all information-leaking features | mcfg |
1122 | Transfer Activated Features | Prints the activation status (mcfg) of all information-leaking features | mcfg |
1131 | Upload File | Collects files with certain extensions (z, zip, zoo, arc, lzh, arj, gz, tgz) | fup |
1132 | Download File | Creates a file the threat actor desires in the infected PC at C:\ProgramData\{random_4 characters} (created with the .tmp extension). (File name in the old version: down.db) | |
1200 | Perform Encrypted Backdoor | Decrypts the data received as an argument using the RSA private key and performs the backdoor corresponding to the CMD ID | |
Most of the arguments used in the commands above are created in temporary files ({temp_4 characters}.tmp) in the %TEMP% directory, and for features that require responding to command results, the encrypted data is saved into an existing leakage directory (User Data) and leaked with the result file names above. An example of a backdoor command is as follows:
[Example Command] Command ID (CMD ID): 1101, Argument: ‘whoami’
- Path for saving: %AllUsersProfile%\Google\Internet Explorer\LocalData\User Data
- Data file name: ccmd@240319(20.29.05-407).ute1
Conclusion
While monitoring threat groups that are known to be sponsored by North Korea, ASEC recently identified an attack case presumed to be the Kimsuky group’s doing. Mainly taking on the disguise of a professor or an academic institution, the threat actor has been using social engineering techniques like spear phishing to distribute emails with attachments that, once run, install a backdoor and may also install additional malware.
The threat actor uses the additionally installed malware strains and proxy tools, such as Ngrok, to establish a proxy network environment and may install more programs like VNC malware strains, Chrome Remote Desktop, or RDP Wrapper to ameliorate its underwhelming remote control features. AhnLab also found various records of the threat actor installing diverse malware strains to escalate privilege and steal account information. Because of this, the users targeted by the Kimsuky group’s attacks are at the risk of having various information stolen from their infected environments, and there have been actual cases where the threat actor stole the users’ certificates.
Users must be particularly cautious against attachments in emails from unknown sources and executable files downloaded from web pages. Security administrators in companies must enhance monitoring for software in use and apply patches for any security vulnerabilities in the programs. Users should also apply the latest patch for OS and programs such as internet browsers, and update V3 to the latest version to prevent malware infection in advance.
File Detection
- Backdoor/Win.Iedoor.R605020 (2023.09.12.03)
- Backdoor/Win.Utdoor.C5583075 (2024.02.03.00)
- Trojan/Win.SysStealer.R436785 (2021.08.14.00)
- Backdoor/Win.Akdoor.R493994 (2022.05.24.01)
IoCs
MD5s
C&C Server Addresses
The post Kimsuky Group’s New Backdoor Appears (HappyDoor) appeared first on ASEC BLOG.