North Korea's Kimsuky Doubles Down on Remote Desktop Control

North Korea's Kimsuky advanced persistent threat (APT) continues to evolve its attack methods and grow in sophistication, expanding its ability to control victims' systems with the use of legitimate system remote-desktop tools and novel custom malware in its latest attacks.

The threat group — one of several that work at the behest of North Korean Supreme Leader Kim Jong-Un — recently has been spotted abusing Remote Desktop Protocol (RDP) and other tools that allow it to remotely take over targeted systems, even installing open source software to an environment if RDP is not present, researchers from South Korea's AhnLab revealed in a blog post Oct. 18.

"The Kimsuky threat group is continuously abusing RDP to obtain control over infected systems and exfiltrate information," according to the post by the AhnLab Security Response Center. "RDP can also be used in the initial access process using brute force and dictionary attacks, or during lateral movement."

Kimsuky, active since 2013 to commit cyber espionage on the behalf of Jong-Un's regime, is also evolving tactics beyond this protocol to gain remote control of compromised desktop systems in recent attacks, according to the researchers.

In addition to RDP abuse, the group is wielding the open-source virtual network computing (VNC) tool TightVNC, which is similar to RDP in that it's a screen-sharing system for remote control of other computers. In some cases, the group even tapped Chrome Remote Desktop, which is supported by the Google Chrome browser, to control infected systems, the researchers said.

Malware Mix

Overall, recent attacks show Kimsuky continuing to use spear phishing as its initial method of access to compromise systems with BabyShark, its oft-used custom malware for persistence and the collection of system info, before attackers move on to installing other custom-built and open source malware.

The group also has added new post-compromise malware to its arsenal, leveraging RevClient to send commands from its command-and-control (C2) server to add user accounts to a victim's system, and public malware TinyNuke, a banking Trojan.

As is typical, the ultimate goal after gaining control of systems is to steal internal information and technology from its targets, which are typically research, defense, diplomatic, and academic sectors in South Korea but also other countries that demonstrate a political or strategic interest for the regime.

Multiple-Session RDP

One particularly interesting bit of novel RDP functionality that Kimsuky has been seen wielding recently is the ability to support multiple sessions of RDP on a Windows system — something that Windows desktop OS natively does not allow.

"Ordinarily in Windows desktop environments, only one session is supported when connecting via RDP, unlike servers," according to the post. "As only one session is supported for one system, even if the user accounts are different, when the threat actor remotely connects to a system, the existing user's session is terminated."

In previous attacks, Kimsuky used Mimikatz and other malware to patch the memory of the currently running RDP service process to bypass the single-session limit. However, in recent attacks, the group now is using malware named "multiple.exe" to support multiple-session RDP, as well as to add user accounts for further control.

The novel malware RevClient that the group deploys in recent attacks also has features similar to "multiple.exe" but executes multiple-session capability in a different way, according to the researchers. Kimsuky also is leveraging RevClient to receive commands from C2 to perform user account-related tasks as part of its overall control of a compromised system.

Defending Against RDP Abuse

With lines beginning to blur between Kimsuky and other North Korea-sponsored groups like Lazarus as they organize and align to share tools and tactics, it's important that organizations do what they can to protect themselves against these evolving threats, according to AhnLab.

RDP is an especially sensitive attack surface because it's one of the services that come pre-installed in Windows systems, demanding adequate management to detect or prevent such incidents of compromise.

To do this, users should refrain from opening attachments on suspicious emails or when installing external software and instead only purchase or download them from official websites, the researchers noted. Desktop users also should set complex passwords for their accounts and change them periodically to diminish chances that they can be brute-forced.

Updating to the latest and most secure versions of the Windows OS and employing endpoint security products as well as sandbox-based APT solutions can also help protect systems against cyberattacks.