lazarusholic


Kimsuky Group's New Backdoor Appears (HappyDoor)

2024-07-05, Ahnlab
https://asec.ahnlab.com/en/67660/
#Kimsuky #HappyDoor

Table of Contents
- Overview
- Distribution Method and Changes
- Detailed Analysis
- Conclusion

This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware”, published on the AhnLab Threat Intelligence Platform (TIP), and contains the key information needed to analyze related breaches. In addition to the characteristics and features of the malware, the full report in AhnLab TIP covers its encoding and encryption methods, its packet structure, and more. It also provides an IDA plugin and a backdoor test server developed by AhnLab for the convenience of analysts. Note that the masked information is available in AhnLab TIP.
Overview
Kimsuky’s HappyDoor malware is not widely known. AhnLab first collected a sample in 2021, and continued monitoring revealed that it was still being used in data breaches in 2024. The investigation results suggest that the threat actor has been patching the malware continuously. As shown in the image below, the version …

IoC
