New North-Korean based backdoor packs a punch

2024-06-19, Cyberarmor
https://cyberarmor.tech/wp-content/uploads/2024/06/New-North-Korean-based-backdoor-packs-a-punch.pdf
New-North-Korean-based-backdoor-packs-a-punch.pdf, 6.4 MB
#Kimsuky #Niki

New North Korean based backdoor packs a punch

by Bart Blaze & Nguyen Nguyen
2024-06-19

Contents
Introduction
Stage 1: Backdoor dropper
Stage 2: The backdoor
  Obfuscations
    Method #1: Load encrypted string in the stack
    Method #2: Load encrypted string from the rdata section
    Method #3: Static Bytes Reorder
    API Call methods
    Persistence
    Command & Control
    Commands & Capabilities
  Hunting for similar campaigns
    Similar Backdoor with different obfuscation
    Lockheed Martin Job Description Campaign
    Newly Developed Backdoors
Conclusion
Detection
  Indicators of Compromise (IOCs)
  Yara Rules
  Detection Opportunities
  MITRE ATT&CK


Introduction
In recent months, North Korean threat actors have stepped up their attack campaigns in pursuit of a range of objectives, from financial gain to espionage. The North Korean cluster of groups is peculiar in that the groups overlap considerably with one another, so attributing a specific campaign to a specific threat actor is not always straightforward.

This is no different …

IoC

SHA-256
000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7
162b24784dd0dd19c2ce08961a9b836b5ff645d1d02da9c18616a0d348467e61
24a42a912c6ad98ab3910cb1e031edbdf9ed6f452371d5696006c9cf24319147
3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744
4f463f3fe541288d16ffd89f81d83d7e9e7e5a5e476850eac48c782a61a26bc0
5b3cc9cced1ef0cb0bba5549cc2ac09c49ae10554d2409ea16bc5e118d278c15
62840447d4d17f14047d7aa0b0916ed94114741846fbac3743e0b393a0273a9c
a637d9836285254831c80fdd407f4dae440ad382a23ca12abae2d721cffe913f
c94a5817fcd6a4ea93d47d70b9f2b175923a8b325234a77f127c945ae8649874
cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d
f58a9905aad4d82a89a787017f1a357309caa01e2da081d76671f3319c66aa74
faca8b6f046dad8f0e27a75fa2dc5477d3ccf44adced64481ef1b0dd968b4b0e

SHA-1
0e42f20eb0aab1a4570b0e96b36ceb88f2c82643
20ea6517f4490dc504756299263a06b1cc8e87e0
3671eaf95ce83f769ee2bd73f5c1c9e85b34fee1
3775bf222c77eea4683941bd7c51e801f35e07de
596880007009d7bc21bed99022b02fd22b7d6107
5d40a3422b4d5fa9c77eb5c6fd7605c26fa7f0e7
5dd9f817d184115d17da659f59641d0cac65db3d
c90a00b80670da65da968e0503f41b433888b9d2
d2b7e3c736a38c56ec3d7d3779fb463a3e472a3a
df3dd9685d47b0b79d81fb049df3e5a5f2e19db6
e9f134a3f4bc5bec1f71906c37f325808b9da2d9
fd578bbc1a967a345d09ef09209612b9750fa263

MD5
27d4ff7439694041ef86233c2b804e1f
3de6024e95b875885b42d19fce2baa18
537806c02659a12c5b21efa51b2322c1
6951bdbd78deb691b9a12de360f31628
6e5d5a8d06452852f1ccbc9b6dbab3eb
73d2899aade924476e58addf26254c2e
8346d90508b5d41d151b7098c7a3e868
8d948bb863ea38ecb46b7e78d1b1abfa
a8ed2e894dd32e31dc7a19b5c27686c5
aa8936431f7bc0fabb0b9efb6ea153f9
b75816a259098d39e5b666a867edf708
e86ed825887efef54feff4dec45855f9

IP address
67.217.62.219

URLs
http://67.217.62.219
http://afraid.org
http://attachments.mooo.com
http://download-attachments.mooo.com/down.php?
http://download.uberlingen.com/index.php
http://en.uberlingen.com/index.php
http://imagedownload.ignorelist.com/index.php
http://playboys.chickenkiller.com/index.php

Note that mooo.com, ignorelist.com and chickenkiller.com are shared FreeDNS parent domains, and afraid.org is the FreeDNS provider's own site. Match these entries on the full hostname (and path where given) rather than on the parent domain, or the block list will catch unrelated tenants of the service.
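As an added example (not code from the report or its authors), the following Python matcher loads the list above, classifies each entry by type from its shape, and checks file digests and proxy-log lines against it. It compares hostnames exactly and reports a hit on the bare afraid.org entry as low fidelity, since that domain and the mooo.com, ignorelist.com and chickenkiller.com parents are shared FreeDNS infrastructure. The proxy-log format, the sample log lines and the sample digests are constructed for this example; the indicator values are copied from the list.

```python
import re
from urllib.parse import urlparse

# Subset of the IoCs listed above (real values from the report); the log
# lines and digests used further down are constructed for this example.
RAW_IOCS = """
000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7
0e42f20eb0aab1a4570b0e96b36ceb88f2c82643
27d4ff7439694041ef86233c2b804e1f
67.217.62.219
http://67.217.62.219
http://afraid.org
http://download-attachments.mooo.com/down.php?
http://imagedownload.ignorelist.com/index.php
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> digest family
HEX_RE = re.compile(r"^[0-9a-f]+$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Shared dynamic-DNS parent domains (FreeDNS / afraid.org). A hit on the bare
# parent would flag every tenant of the service, so hostnames are compared
# exactly and a parent-only hit is reported as low fidelity.
SHARED_DYNDNS_PARENTS = {"afraid.org", "mooo.com", "ignorelist.com", "chickenkiller.com"}


def classify(line):
    """Map one IoC line to (kind, normalised value); None for blank lines."""
    v = line.strip().lower()
    if not v:
        return None
    if HEX_RE.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v
    if IPV4_RE.match(v):
        return "ip", v
    if v.startswith(("http://", "https://")):
        u = urlparse(v)
        path = u.path.rstrip("?")          # some list entries end in '?' with no query
        if path in ("", "/"):
            return "host", u.hostname      # bare URL: treat as a hostname indicator
        return "url", u.hostname + path    # scheme and query dropped, host + path kept
    return "host", v


def load_iocs(text):
    iocs = {k: set() for k in ("md5", "sha1", "sha256", "ip", "host", "url")}
    for line in text.splitlines():
        c = classify(line)
        if c:
            iocs[c[0]].add(c[1])
    return iocs


def check_hash(iocs, digest):
    """Return the digest family that matched ('md5', 'sha1', 'sha256') or None."""
    d = digest.strip().lower()
    kind = HASH_TYPES.get(len(d))
    return kind if kind and d in iocs[kind] else None


def check_url(iocs, url):
    """Return (indicator, fidelity) for a requested URL, or None.

    IP and host indicators match on the exact hostname; URL indicators match
    on hostname + path, ignoring the query string.
    """
    u = urlparse(url.strip().lower())
    host = u.hostname or ""
    if host in iocs["ip"]:
        return host, "high"
    if host in iocs["host"]:
        return host, ("low" if host in SHARED_DYNDNS_PARENTS else "high")
    hp = host + u.path
    if hp in iocs["url"]:
        return hp, "high"
    return None


def scan_proxy_log(iocs, lines):
    """Proxy log format assumed here: '<timestamp> <client> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        hit = check_url(iocs, parts[3])
        if hit:
            hits.append((parts[1], hit[0], hit[1]))
    return hits


# Constructed sample data (not from the report).
SAMPLE_LOG = [
    "2024-06-19T10:00:01Z 10.0.0.5 GET http://download-attachments.mooo.com/down.php?f=list",
    "2024-06-19T10:00:04Z 10.0.0.5 POST http://67.217.62.219/",
    "2024-06-19T10:01:12Z 10.0.0.9 GET http://freedns.afraid.org/",              # provider site, no hit
    "2024-06-19T10:02:30Z 10.0.0.9 GET http://other-tenant.mooo.com/index.php",  # other tenant, no hit
    "2024-06-19T10:03:00Z 10.0.0.7 GET http://afraid.org/",                     # listed, but low fidelity
]

if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    print(check_hash(iocs, "27D4FF7439694041EF86233C2B804E1F"))
    for client, indicator, fidelity in scan_proxy_log(iocs, SAMPLE_LOG):
        print(f"{client} -> {indicator} ({fidelity})")
```

The two deliberate misses in the sample log (the FreeDNS provider's own site and an unrelated tenant under mooo.com) are the cases a naive suffix match would turn into false positives; the hit on afraid.org is kept but downgraded so an analyst can triage it rather than block on it.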

Yara Rules

import "pe"

rule NikiCert
{
    meta:
        description = "Identifies Nexaweb digital certificate used in (likely) Kimsuky campaign."
        author = "@bartblaze, @nsquar3"
        date = "2024-06"
        tlp = "White"
        hash_a = "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d"
        hash_b = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0 .. pe.number_of_signatures) : (
            pe.signatures[i].serial == "03:15:e1:37:a6:e2:d6:58:f0:7a:f4:54:c6:3a:0a:f2"
        )
}

rule NikiGo
{
    meta:
        description = "Identifies NikiGo, a Go dropper by (likely) Kimsuky."
        author = "@bartblaze, @nsquar3"
        date = "2024-06"
        tlp = "White"
        hash = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
    strings:
        $go = "Go build ID:"
        $func1 = "main.ParseCommandLine" ascii wide fullword
        $func2 = "main.RunCmd" ascii wide fullword
        $func3 = "main.HttpGet" ascii wide fullword
        $func4 = "main.SelfDel" ascii wide fullword
        $func5 = "main.RandomBytes" ascii wide fullword
        $pdb_src = "C:/Users/niki/go/src/niki/auxiliary/engine-binder/main.go" ascii wide
        $pdb_path = "/Users/niki/go/src/niki/auxiliary/engine-binder/" ascii wide
    condition:
        uint16(0) == 0x5A4D and $go and (
            all of ($func*) or
            any of ($pdb*)
        )
}

rule NikiHTTP
{
    meta:
        description = "Identifies NikiHTTP, a versatile backdoor by (likely) Kimsuky."
        author = "@bartblaze, @nsquar3"
        date = "2024-06"
        tlp = "White"
        hash_a = "3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744"
        hash_b = "c94a5817fcd6a4ea93d47d70b9f2b175923a8b325234a77f127c945ae8649874"
    strings:
        $cmd = {4? 8d 0d be 2f 03 00 4? 85 c0 4? 8d 15 8c 2f 03 00}
        $str_1 = "%s%sc %s >%s 2>&1" ascii wide
        $str_2 = "%s%sc %s 2>%s" ascii wide
        $str_3 = "%s:info" ascii wide
        //D:\02.data\03.atk-tools\engine\niki\httpSpy\..\bin\httpSpy.pdb
        $pdb_full = "\\02.data\\03.atk-tools\\" ascii wide
        $pdb_httpspy = "\\bin\\httpSpy.pdb" ascii wide
        $code = { 0f 57 c0 4? 89 7? ?? 33 c0 c7 4? ?? 68 00 00 00 0f 11 4? ?? c7 4?
                  ?? 01 00 00 00 66 4? 89 7? 00 0f 11 4? ?? 4? 89 4? ?? 0f 11 4? ?? c7 44 ?? ?? 53 71
                  80 60 0f 11 4? ?? c7 44 ?? ?? 71 79 7c 5c 0f 11 4? ?? c7 44 ?? ?? 6d 80 74 63 0f 11
                  4? ?? 88 44 ?? ?? 0f 11 4? ?? 0f 1f 44 00 00 }
    condition:
        uint16(0) == 0x5A4D and (
            $cmd or (2 of ($str_*)) or
            any of ($pdb_*) or $code
        )
}