Good day everyone!
The wonderful researchers at AhnLab, Inc. Security Intelligence Center (ASEC) published their findings on recent attacks they observed coming from the #Kimsuky group. The APT group delivered malicious .LNK files through spear-phishing emails, and the file names contained the names of the companies being targeted, which suggests this was a targeted attack. As the attack progressed, the #PebbleDash backdoor and a custom version of #RDPWrapper (a tool that enables Remote Desktop on systems that may not natively support Windows RDP) were deployed.
Behavior Summary (With MITRE ATT&CK):
Initial Access:
Phishing: Spearphishing Attachment (T1566.001) - Kimsuky delivered the malicious .LNK files as email attachments.
Execution:
Command and Scripting Interpreter: PowerShell (T1059.001) - When the LNK file is executed, PowerShell (or mshta.exe) is launched to download and execute additional payloads from external sources.
Defense Evasion:
System Binary Proxy Execution: Mshta (T1218.005) - Executing the LNK file can also lead to mshta.exe being used to download and execute additional payloads from external sources.
Masquerading: Masquerade File Type (T1036.008) - The .LNK files are disguised as document files, carrying a document icon such as PDF, Excel, or Word.
Collection/Credential Access:
Input Capture: Keylogging (T1056.001) - The APT group used a PowerShell script to perform keylogging and also installed keyloggers in executable file format.
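As an added triage example (not code from the ASEC article or this post), here is a small parser for the Shell Link (.LNK) format that pulls the icon location, target path and arguments out of a shortcut and flags the T1036.008 pattern described above: a document icon on a link that actually launches PowerShell or mshta. The header layout and LinkFlags bits follow the public MS-SHLLINK spec; the DOC_HINTS / SCRIPT_HOSTS lists and the sample shortcut are constructed for this demo.

```python
import struct
# LinkFlags bits (MS-SHLLINK 2.1.1) and the StringData fields they gate, in file order.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]
# Constructed heuristic lists: "looks like a document" vs "actually runs a script host".
DOC_HINTS = ("winword", "excel", "powerpnt", "acrord", ".docx", ".xlsx", ".pdf")
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Read ShellLinkHeader fields and StringData; IDList and LinkInfo are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_IDLIST:              # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:            # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {"show_cmd": show_cmd}
    for bit, key in STRING_FIELDS:      # each field: CountCharacters + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def masquerade_findings(info: dict) -> list:
    """T1036.008 check: document-looking icon, but the link runs a script host."""
    icon = info.get("icon", "").lower()
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    if any(h in icon for h in DOC_HINTS) and any(s in launch for s in SCRIPT_HOSTS):
        findings.append("document icon but launches script host")
    if info["show_cmd"] == 7:           # SW_SHOWMINNOACTIVE: starts minimized, hides the console
        findings.append("window minimized on launch")
    return findings
def _field(text: str) -> bytes:         # encode one Unicode StringData field
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")
# Constructed sample: Word icon, PowerShell target, placeholder command (no real payload).
SAMPLE_LNK = (struct.pack("<I16sIIQQQIIIHHII", 0x4C, bytes.fromhex("0114020000000000c000000000000046"),
                          HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
              + _field(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
              + _field("-WindowStyle Hidden -Command <constructed placeholder>")
              + _field(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"))
```

Run `masquerade_findings(parse_lnk(open(path, "rb").read()))` over quarantined attachments; real-world shortcuts usually also carry an IDList and LinkInfo, which the parser skips by size.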
You know the drill! Go check out the article for a lot more technical details! Enjoy and Happy Hunting!
Persistent Threats from the Kimsuky Group Using RDP Wrapper
https://asec.ahnlab.com/en/86098/
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
Persistent Threats from the Kimsuky Group Using RDP Wrapper - ASEC
AhnLab Security Intelligence Center (ASEC) has previously analyzed cases of attacks by the Kimsuky group, which utilized the PebbleDash backdoor and their custom-made RDP Wrapper. The Kimsuky group has been continuously launching attacks of the same type, and this post will cover additional malware that have been identified. 1. Overview Threat actors are distributing […]