Everyday is lazarus.dayβ

Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)

2024-03-26, Ahnlab
#Kimsuky #Endoor #Nikidoor #AsungSoft


AhnLab SEcurity intelligence Center (ASEC) recently discovered the Kimsuky group distributing malware disguised as an installer from a Korean public institution. The malware in question is a dropper that creates the Endoor backdoor, which was also used in the attack covered in the previous post, “TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group)”. [1]
While there are no records of the dropper being used in actual attacks, there was an attack case involving the backdoor created by the dropper around the time the dropper was collected. The threat actor used the backdoor to download additional malware or to install screenshot-taking malware. Endoor is also routinely used in other attacks; in the past, it has been used alongside Nikidoor, which is distributed via spear phishing attacks.
1. Dropper Disguised as Installer from Korean Public Institution
The dropper was disguised as an installer for a certain public …