HttpTroy Backdoor: New Cyberattack Targets South Korea with VPN Invoice Phishing (2026)

North Korean hackers are at it again, and this time they're getting creative with their disguises! A new backdoor, dubbed HttpTroy, has been discovered in a targeted cyberattack on South Korea, masquerading as a VPN invoice.

But here's where it gets intriguing: The threat actor, Kimsuky, has a history of targeting South Korean entities and is believed to be linked to North Korea. This time, they've unleashed a previously unseen backdoor, adding another weapon to their arsenal. The attack, likely a spear-phishing campaign, was aimed at a single victim in South Korea, and the malicious ZIP file was disguised as a VPN invoice, a lure chosen to get an unsuspecting user to open it.

The ZIP file contained an SCR (screensaver executable) file, which, when opened, initiated a chain of events. It executed a Golang binary with three embedded files, one of which was a decoy PDF displayed to the victim so that nothing appeared amiss. Simultaneously, a loader named MemLoad was launched, ensuring the malware's persistence on the host by creating a scheduled task impersonating the South Korean cybersecurity firm AhnLab. This allowed the attackers to execute the HttpTroy backdoor, gaining full control over the infected system.

And this is where it gets technical: HttpTroy employs advanced obfuscation techniques, making analysis a real challenge. It uses custom hashing for API calls and XOR operations with SIMD instructions to obfuscate strings, resolving the API hashes and reconstructing the strings only at runtime, so neither the imported functions nor the plaintext strings are visible in the binary at rest. This complexity makes it difficult for security researchers to analyze and detect the malware.

The discovery of HttpTroy coincides with another significant finding. The Lazarus Group, also linked to North Korea, was found to have deployed Comebacker and an upgraded version of BLINDINGCAN, a remote access trojan. This attack targeted two victims in Canada and was detected mid-operation. While the initial access vector remains unknown, it's believed to be a phishing email, as no security vulnerabilities were exploited.

Comebacker, in both DLL and EXE forms, was executed using different methods, but the ultimate goal was consistent: to decrypt and deploy BLINDINGCAN as a service. BLINDINGCAN's capabilities are extensive, allowing it to connect to a remote server and perform various malicious activities, including file manipulation, data collection, and system control.

Kimsuky and Lazarus are not resting on their laurels; they're actively enhancing their hacking tools. These campaigns showcase a sophisticated, multi-stage infection process, utilizing obfuscated payloads and stealthy persistence techniques. Custom encryption, dynamic API resolution, and COM-based task registration all contribute to their evolving tactics.

Controversial Interpretation: Some might argue that these attacks highlight the growing sophistication of state-sponsored hacking groups, while others may see it as a wake-up call for the cybersecurity community to step up their defenses. What's your take on this? Are we witnessing a new era of cyber warfare, or is it a temporary surge in hacking activity? Share your thoughts in the comments!

Author: Nathanael Baumbach