The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea.
Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file (“250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip”), which masqueraded as a VPN invoice to distribute malware capable of file transfer, capturing screenshots, and executing arbitrary commands.
“The chain has three steps: a small dropper, a loader called MemLoad, and the final backdoor, named ‘HttpTroy,'” security researcher Alexandru-Cristian Bardaș said.
Present within the ZIP archive is a SCR file of the same name, opening which triggered the execution chain, starting with a Golang binary containing three embedded files, including a decoy PDF document that’s displayed to the victim to avoid raising any suspicion.
Also launched simultaneously in the background is MemLoad, which is responsible for setting up persistence on the host by means of a scheduled task named “AhnlabUpdate,” an attempt to impersonate AhnLab, a South Korean cybersecurity company, and decrypt and execute the DLL backdoor (“HttpTroy”).
The implant allows the attackers to gain complete control over the compromised system, enabling file upload/download, screenshot capture, command execution with elevated privileges, in-memory loading of executables, reverse shell, process termination, and trace removal. It communicates with the command-and-control (C2) server (“load.auraria[.]org”) over HTTP POST requests.
“HttpTroy employs multiple layers of obfuscation to hinder analysis and detection,” Bardaș explained. “API calls are concealed using custom hashing techniques, while strings are obfuscated through a combination of XOR operations and SIMD instructions. Notably, the backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them during runtime using varied combinations of arithmetic and logical operations, further complicating static analysis.”
The findings come as the cybersecurity vendor also detailed a Lazarus Group attack that led to the deployment of Comebacker and an upgraded version of its BLINDINGCAN (aka AIRDRY or ZetaNile) remote access trojan. The attack targeted two victims in Canada and was detected in the “middle of the attack chain,” it added.
While the exact initial access vector used in the attack is not known, it’s assessed to be a phishing email based on the absence of any known security vulnerabilities that could have been exploited to gain a foothold.
Two different variants of Comebacker – one as a DLL and another as an EXE – have been put to use, with the former launched via a Windows service and the latter through “cmd.exe.” Irrespective of the method used to execute…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
