
The attack process using the PebbleDash malware by the Kimsuky group | Image: ASEC
A recent report by the AhnLab SEcurity intelligence Center (ASEC) has uncovered the latest tactics employed by the Kimsuky group in distributing the PebbleDash malware. PebbleDash, identified by the Cybersecurity and Infrastructure Security Agency (CISA) in 2020 as a backdoor used by Lazarus (Hidden Cobra), has since been increasingly attributed to the Kimsuky group, which targets individuals, rather than to the Lazarus group.
The attack begins with a carefully crafted spear-phishing email carrying a disguised shortcut file (e.g., document.pdf.lnk). When executed, the LNK file launches a JavaScript script, which in turn executes PowerShell to perform several key operations:
- Registering scheduled tasks and registry keys for persistence
- Communicating with Dropbox and the C2 server
- Downloading additional malware including PebbleDash and AsyncRAT
“This JavaScript then executes PowerShell to perform tasks such as registering a task scheduler for system persistence, registering registry keys for auto-execution, and performing socket communications with Dropbox and the threat actor’s C&C server,” the report notes.
In recent incidents, the Kimsuky group generated advconf2.dll, the latest version of PebbleDash, using PowerShell. It is then registered as a Windows service using cmd.exe and reg.exe for stealth and persistence.
“After advconf2.dll is created, cmd.exe and reg.exe are used to register and execute advconf2.dll as a service.”
Once installed, PebbleDash provides remote control over infected systems, working alongside other tools like AsyncRAT, and enabling attackers to expand their foothold within compromised networks.
Kimsuky uses the AppInfo ALPC technique from the UACMe toolkit for privilege escalation, gaining high-level access on compromised machines. But the most concerning development is their shift from using RDP Wrapper to patching termsrv.dll directly, disabling the license check in Remote Desktop Protocol (RDP) authentication.
“According to the analysis, the function (CDefPolicy::Query) responsible for RDP license authentication was disabled… [so] any user accessing the system is allowed to establish an RDP connection.”
To complete the attack chain, ownership of the system’s termsrv.dll is seized using takeown.exe, and the registry is modified to point to the malicious DLL. This effectively allows unauthorized remote access without authentication barriers.
The report provides key recommendations to defend against these attacks:
- Double Extension Awareness: Users should be cautious of files with double extensions (e.g., “pdf.lnk”) and verify the actual file extension to avoid executing malicious shortcut files.
- termsrv.dll File Verification: The hash value of the “termsrv.dll” file should be calculated and compared to known malicious hash values to detect any tampering. If tampering is detected, the file should be replaced with a clean version using the sfc /scannow command.
- Suspicious Account Detection: Administrators should check for and remove any suspicious accounts, such as those named “Root,” that were not created by authorized personnel.
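The termsrv.dll and account checks above can be scripted. The following PowerShell is an added example for defenders, not code from the ASEC report: it checks the DLL's Authenticode status, SHA-256 hash and owner (takeown.exe changes the owner away from TrustedInstaller), the TermService ServiceDll registry value (assumed here to be the registry value the report says was redirected), and local accounts named “Root”. The $knownBad list is an empty placeholder to be filled from the report or your own threat intelligence.

```powershell
# Added defensive check (not from the ASEC report). Run from an elevated prompt.
$dll      = Join-Path $env:SystemRoot 'System32\termsrv.dll'
$findings = @()

# 1. Signature: a patched termsrv.dll no longer verifies as Microsoft-signed.
#    Assumption: Windows 8+ where Get-AuthenticodeSignature resolves catalog signatures.
$sig = Get-AuthenticodeSignature -FilePath $dll
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "termsrv.dll signature status '$($sig.Status)', expected Valid and Microsoft-signed"
}

# 2. Hash: compare against known-malicious hashes (placeholder list, fill from your intel).
$hash     = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
$knownBad = @()   # e.g. 'PLACEHOLDER_SHA256_FROM_REPORT'
if ($knownBad -contains $hash) {
    $findings += "termsrv.dll SHA256 $hash matches a known malicious hash"
}

# 3. Owner: takeown.exe replaces the TrustedInstaller owner with the attacker's account.
$owner = (Get-Acl -Path $dll).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "termsrv.dll owner is '$owner', expected NT SERVICE\TrustedInstaller"
}

# 4. Registry: the Remote Desktop service should load the System32 copy of termsrv.dll.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$svcDll   = (Get-ItemProperty -Path $regPath -Name ServiceDll).ServiceDll
$expected = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\termsrv.dll')
if ([Environment]::ExpandEnvironmentVariables($svcDll) -ine $expected) {
    $findings += "TermService ServiceDll points to '$svcDll', expected '$expected'"
}

# 5. Accounts: flag the "Root" account name the report associates with this intrusion
#    and list every enabled local administrator for manual review.
Get-LocalUser | Where-Object { $_.Name -ieq 'Root' } | ForEach-Object {
    $findings += "Suspicious local account present: $($_.Name)"
}
$admins = (Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name) -join ', '
Write-Output "Local Administrators members for review: $admins"

if ($findings.Count -eq 0) {
    Write-Output 'No termsrv.dll or account indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output 'If termsrv.dll is tampered with, restore it with: sfc /scannow'
}
```

A non-Valid signature status on its own should be confirmed with sfc /verifyonly before acting, since it may also reflect a build that is not catalog-signed on that host.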