A sophisticated cyberattack campaign orchestrated by the notorious North Korean hacking group Kimsuky has been uncovered, employing malicious Windows shortcut files (LNK files) as a covert entry point to deploy a Python-based backdoor. This multi-stage attack showcases Kimsuky’s evolving tactics, aiming to bypass security defenses and gain persistent access to target systems. The group, known for its persistent focus on government agencies and research institutions, particularly in South Korea, has refined its methodology to make detection increasingly challenging.
Researchers at ASEC detailed the intricate attack chain, highlighting a significant departure from Kimsuky’s previous methods. While the ultimate goal remains the same—establishing a foothold with a Python backdoor—the intermediate steps have been expanded and deliberately obfuscated. This strategic layering of execution stages is designed to evade traditional security monitoring and analysis, allowing the malware to progress deeper into a network before its true nature is revealed.
Kimsuky’s Evolving Multi-Stage Attack Mechanism
The latest campaign initiated by Kimsuky demonstrates a clear structural evolution in their attack vectors. Historically, Kimsuky’s LNK files would often lead directly from a PowerShell script to a batch (BAT) file. However, the current iteration introduces a more complex sequence involving an XML file, a Visual Basic Script (VBS), a PowerShell script (PS1), and finally a BAT file, acting as conduits before the final payload is delivered. This extended infection chain creates additional friction for security analysts attempting to trace the execution flow.
The malicious LNK files are disguised as legitimate documents, using deceptive names such as “Resume (Sungmin Park).hwp.lnk” and “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk.” When a user is tricked into opening one of these files, it triggers a hidden PowerShell script. This script creates a concealed working folder at C:\windirr, set with the hidden and system attributes to keep it out of casual observation and default file-browser views.
Following the execution of the LNK file, the victim is presented with a decoy HWP document. This visual distraction is intended to mask the covert malicious activities unfolding in the background, further lowering the chances of immediate suspicion.
The implications of this Kimsuky campaign are significant. Once the Python backdoor is successfully installed, it grants the attackers extensive remote control over the compromised machine. This allows for the execution of shell commands, directory navigation, file manipulation (upload, download, deletion), and the launching of additional programs. Such deep access enables the threat actor to conduct discreet surveillance, exfiltrate sensitive data, and maintain a persistent presence undetected for extended periods.
The infection process itself is designed for stealth and persistence. After the initial LNK execution, the PowerShell script creates the hidden directory and drops three files: an XML task definition saved as sch_ha.db, a VBS script (11.vbs), and a PowerShell script (pp.ps1). The XML file is crucial because it registers a scheduled task named “GoogleUpdateTaskMachineCGI,” configured to run every 17 minutes. This ensures the malware maintains its presence and reactivates even after system reboots.
When the VBS script executes, it calls upon the PowerShell script, pp.ps1. This script is responsible for gathering critical system information, including the username, active processes, operating system version, public IP address, and installed antivirus solutions. This sensitive data is then exfiltrated to the attacker’s control via Dropbox, a seemingly legitimate cloud service. The use of such widely recognized services helps the malicious traffic blend in with normal network activity, making it harder to detect through network monitoring alone.
The pp.ps1 script also fetches the subsequent stages of the attack. It downloads a batch file (hh.bat) from the attacker’s Dropbox account and executes it. This batch file downloads two fragmented ZIP archives from remote servers, merges them into a single archive, and extracts the final payload to the C:\winii directory. The extracted component is a Python backdoor named beauty.py, which is then registered through another XML task definition as a scheduled task called “GoogleExtension.”
The newly installed Python backdoor establishes a connection to a command-and-control (C2) server located at the IP address 45.95.186[.]232 on port 8080. Upon successful connection, it transmits a “HAPPY” packet to confirm its operational status to the C2 server, signaling a successful infection and readiness to receive further instructions. This establishes a direct communication channel for the Kimsuky group to manage and leverage the compromised system.
To mitigate the risks posed by such attacks, users are strongly advised to exercise caution when opening LNK files, particularly those received via email or messaging applications, and to be wary of files masquerading as documents. Organizations should monitor the Windows Task Scheduler for suspicious entries, especially tasks bearing Google-related names that do not point at Google’s own installed software, since such entries could indicate a compromise. Maintaining updated endpoint security solutions and establishing network policies that block unauthorized outbound connections to unknown or suspicious services are further measures that reduce the likelihood of a successful Kimsuky intrusion.
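The two host artefacts the article describes (the Google-named scheduled tasks that run script hosts on a short repeat interval, and the hidden-plus-system working folders created directly under the system drive) can be hunted for with the built-in Task Scheduler and filesystem cmdlets. The script below is an added example written for this page; it is not detection logic published by ASEC and not part of the Kimsuky tooling. The allowlist of legitimate Google install roots, the list of benign hidden root folders, and the script-host regex are assumptions chosen for illustration and should be tuned to the environment.

```powershell
# Added hunting example (not from the ASEC report). Assumptions: legitimate Google
# updaters live under the install roots listed below, and the benign hidden+system
# folders at the root of the system drive are the ones named in $knownRootDirs.

function Find-SuspiciousGoogleTask {
    # Flags scheduled tasks whose name mentions Google but whose action either
    # runs from outside Google's install locations or invokes a script host,
    # the pattern seen with "GoogleUpdateTaskMachineCGI" and "GoogleExtension".
    $legitGoogleRoots = @(
        "$env:ProgramFiles\Google",
        "${env:ProgramFiles(x86)}\Google",
        "$env:LOCALAPPDATA\Google"
    )
    $scriptHosts = 'wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe|cmd\.exe|python'

    Get-ScheduledTask | Where-Object { $_.TaskName -match 'Google' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            $cmd = ("$exe $($action.Arguments)").Trim()
            $inLegitRoot = $false
            foreach ($root in $legitGoogleRoots) {
                if ($exe -like "$root*") { $inLegitRoot = $true }
            }
            # Repetition intervals are ISO 8601 durations, e.g. PT17M for the
            # 17-minute trigger described in the article.
            $intervals = ($task.Triggers | ForEach-Object { $_.Repetition.Interval } |
                          Where-Object { $_ }) -join ','
            if (-not $inLegitRoot -or $cmd -match $scriptHosts) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Command  = $cmd
                    Interval = $intervals
                    Author   = $task.Author
                }
            }
        }
    }
}

function Find-HiddenSystemRootDir {
    # Lists directories directly under the system drive that carry both the
    # Hidden and System attributes and are not on the benign allowlist, then
    # notes any script or archive files inside them.
    $knownRootDirs = @('$Recycle.Bin', 'System Volume Information', 'Recovery',
                       'Config.Msi', 'Documents and Settings', 'ProgramData', 'PerfLogs')
    $hiddenAndSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    Get-ChildItem -Path "$env:SystemDrive\" -Directory -Force |
        Where-Object {
            (($_.Attributes -band $hiddenAndSystem) -eq $hiddenAndSystem) -and
            ($_.Name -notin $knownRootDirs)
        } |
        ForEach-Object {
            $files = Get-ChildItem -Path $_.FullName -File -Force -ErrorAction SilentlyContinue |
                     Where-Object { $_.Extension -in '.vbs', '.ps1', '.bat', '.py', '.zip', '.db' }
            [pscustomobject]@{
                Directory = $_.FullName
                Created   = $_.CreationTime
                Files     = ($files | ForEach-Object { $_.Name }) -join ','
            }
        }
}

# Run both hunts and print the findings; an empty result means nothing matched.
Find-SuspiciousGoogleTask | Format-Table -AutoSize
Find-HiddenSystemRootDir  | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that tasks in every folder of the Task Scheduler library are visible. Any hit should be reviewed together with the task's trigger history and the creation timestamps of the flagged directory before acting on it, because a valid Google Update task that an administrator relocated, or a backup tool that stages data in a hidden root folder, will also match the broad heuristics used here.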