Kimsuky Hackers Employ Commodity RATs with Custom Gold Dragon Backdoor

This article has been indexed from

CySecurity News – Latest Information Security and Hacking Incidents


Researchers in South Korea have discovered a fresh wave of activity from the Kimsuky hacking group, which is deploying commodity open-source remote access tools alongside its own backdoor, Gold Dragon. Kimsuky, also tracked as TA406, is a North Korean state-sponsored group that has been conducting cyber-espionage operations since 2017. The group has shown considerable operational adaptability and a wide range of threat activity, including malware distribution, phishing, data harvesting, and even cryptocurrency theft.
Beginning in January 2021, TA406 started delivering malware payloads through phishing emails that led to 7z archives. These archives contained an EXE file with a double extension that made it appear to be a .HTML file. When the file is opened, it creates a scheduled task called “Twitter Alarm,” which allows the actors to drop new payloads every 15 minutes. When run, the EXE also opens a web browser to a PDF copy of a legitimate NK News article hosted on the actor’s infrastructure, in the hope that the victim believes they are reading a post on a news site.
In the most recent campaign, which began on January 24, 2022, Kimsuky used xRAT in targeted attacks against South Korean entities, as discovered by researchers at ASEC (AhnLab). xRAT is a free, open-source remote access and administration tool available on GitHub. The malware’s functions include keylogging, a remote shell, file manager operations, a reverse HTTPS proxy, AES-128 communication, and automated social engineering.
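As an added defender's example (not code from the article or from ASEC), the Python below triages a Task Scheduler XML export and attachment names for the traits described above: a task named “Twitter Alarm” that repeats every 15 minutes, and an executable whose double extension makes it look like an .HTML file. The task XML, file names and extension lists are constructed samples, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed lists: document-looking extensions used as decoys, and extensions
# that Windows actually executes. Extend to taste; neither is from the article.
DECOY_EXTS = {"html", "htm", "pdf", "doc", "docx", "hwp", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# Namespace used by exported Windows Task Scheduler XML definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def is_deceptive_double_extension(filename: str) -> bool:
    """True when a decoy extension is immediately followed by an executable one,
    e.g. 'news.html.exe' (the disguise used for the archived EXE above)."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return decoy in DECOY_EXTS and real in EXEC_EXTS


def triage_task(task_xml: str) -> list:
    """Return human-readable findings for one exported scheduled-task XML."""
    root = ET.fromstring(task_xml)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    if "twitter alarm" in uri.lower():
        findings.append("task name matches reported 'Twitter Alarm'")
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        if interval.text == "PT15M":  # ISO 8601 duration: every 15 minutes
            findings.append("task repeats every 15 minutes")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        name = (cmd.text or "").replace("\\", "/").rsplit("/", 1)[-1]
        if is_deceptive_double_extension(name):
            findings.append(f"action runs double-extension file {name}")
    return findings


# Constructed sample resembling an exported task; not a real artifact.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Twitter Alarm</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT15M</Interval></Repetition>
    <StartBoundary>2022-01-24T09:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\user\\AppData\\Local\\Temp\\news.html.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in triage_task(SAMPLE_TASK):
        print("FLAG:", finding)
```

Run it against `schtasks /query /xml` output or a sample of inbound attachment names; each flag is a triage lead, not a verdict on its own.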