CyberSecurity SEE

Kimsuky Deploys Malicious LNK Files to Distribute Python Backdoor


Kimsuky Unleashes Multi-Stage Malicious LNK Files to Deploy Python-Based Backdoor

Kimsuky, a North Korean state-sponsored espionage group, has updated its attack chain to use multi-stage malicious LNK files that deploy a Python-based backdoor on compromised systems. The new chain adds intermediate scripts while leaving the final payload logic largely unchanged, a shift aimed at evading detection and sustaining persistence on infected machines.

The campaign abuses Windows Task Scheduler for persistence, Dropbox for command and control and exfiltration, and a bundled Python runtime so the payload does not depend on Python already being installed on the victim. Together these let the attackers keep operating on a host for extended periods without attracting attention.

At the heart of one observed chain is a ZIP file containing three components: a Python script named "can.py," a standalone Python interpreter, and a Task Scheduler XML file named "sch.db." Importing sch.db registers a task named "Microsoft_Upgrade{10-9903-09-821392134}" that runs the Python script, which in turn fetches and executes the final backdoor.

In the recent variant, Kimsuky keeps the LNK-to-PowerShell entry point but replaces the single BAT intermediary with a sequence of XML, VBS, and PS1 files that ends in a BAT file. Spreading execution across several scripts complicates static detection and behavioral correlation (each stage on its own looks unremarkable) while leaving the delivery of the final Python backdoor unchanged.

ASEC reports that earlier Kimsuky LNK chains followed a straightforward sequence: LNK → PowerShell → BAT. The newer chain inserts several layers between those steps to obscure the activity and improve the group's operational security.

Recent lure filenames, such as “Resume (Sungmin Park).hwp.lnk” and “Guide to Establishing Data Backup and Recovery Procedures (Reference).lnk,” rely on the fact that Windows Explorer never displays the .lnk extension, so the first appears to be an ordinary Hangul (HWP) document. When opened, the shortcut runs its embedded PowerShell command and creates a folder at C:\windirr with the hidden and system attributes set, keeping the artifacts that follow out of casual view.

Once triggered, the LNK payload drops a decoy HWP document along with three components: "sch_ha.db" (another Task Scheduler XML file), "11.vbs," and "pp.ps1." The task defined in the XML, "GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}," runs 11.vbs every 17 minutes from a fixed start time, giving the chain a quiet, recurring execution point under a name that mimics a legitimate Google Update task.

Each time 11.vbs runs, it collects host information (domain name, username, running processes, OS version, public IP address, and installed antivirus) into a temporary file named "tmp.ini," then uploads that file to Dropbox under a structured filename. Dropbox serves as both the command-and-control channel and the exfiltration path: the same script also downloads additional script packages from it to drive the next stage.

One of those downloads, "hh.bat," reassembles ZIP fragments fetched from an external source and extracts the result to C:\winii, which then contains another Task Scheduler XML file ("norton.db") and the Python backdoor "beauty.py." A further scheduled task, "GoogleExtension{02-2032121-098}," is registered to run beauty.py repeatedly, giving Kimsuky persistent access through the Python implant.

ASEC notes that the campaign uses two kinds of Python payload: a downloader that fetches and executes additional scripts, and a fuller backdoor capable of extensive system manipulation. Once running, the backdoor announces itself by sending packets containing the string “HAPPY” to its command-and-control server, then communicates over a custom protocol that supports file enumeration, command execution, and secure file deletion, among other actions.

Post-infection activity observed by ASEC includes querying system information, managing processes, and mapping the environment, consistent with Kimsuky's continuing refinement of its tradecraft.

Overall, Kimsuky’s latest campaign shows how an established espionage group refines rather than replaces its tooling. The move from a short execution path to a fragmented, multi-script chain is an incremental change, but it is exactly the kind of change that breaks brittle detections. Practical monitoring points follow directly from the chain described above: scheduled tasks registered from XML files (schtasks /create /xml or Register-ScheduledTask -Xml) whose actions run wscript, PowerShell, or python.exe from unusual paths; creation of hidden, system-attributed folders such as C:\windirr and C:\winii under the drive root; Dropbox API traffic originating from script hosts rather than the Dropbox client; and Python interpreters present in user-writable locations where no Python installation is expected.
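The scheduled-task indicators above can be turned into a triage step. The following Python script is an added example, not ASEC's tooling or anything recovered from the campaign. It parses Task Scheduler XML in the format that schtasks exports (the same format the campaign's sch.db, sch_ha.db and norton.db files use) and flags the traits this article describes: a vendor-lookalike task name with a brace-delimited suffix, a hidden task, a short repetition interval, a script-host action, a path under C:\windirr, C:\winii or a user-writable directory, and a Python interpreter launched from outside Program Files or the Windows directory. The indicator lists, the 60-minute threshold, the name regex and both sample task definitions are constructed assumptions modelled on the text, not real artifacts.

```python
"""Triage Windows Task Scheduler XML for the persistence traits described above.

Added example, not code from the report or the campaign.  The sample task
definitions are constructed to mirror the described structure; not real files.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts abused by the chain (assumed list; extend for your estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "python.exe", "pythonw.exe"}
# Drop directories named in the report plus common user-writable roots.
DROP_DIRS = ("c:\\windirr", "c:\\winii", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Vendor-lookalike task names ending in a brace-delimited GUID/number suffix.
# Weak on its own (real Google Update tasks also carry a GUID); combine with the rest.
LOOKALIKE_NAME = re.compile(r"^(microsoft|google|adobe|norton)\w*\{[0-9a-f-]+\}$", re.I)
# Where an interpreter is expected to live; anything else counts as "bundled".
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")


def iso_duration_minutes(value):
    """PT17M / PT1H30M / P1D -> minutes; None when absent or not parseable."""
    if not value:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task_xml(xml_data, task_name):
    """Return [(code, detail), ...] for one task definition.

    xml_data may be str or bytes.  Files exported by schtasks are UTF-16 with a
    BOM: read those in binary mode and pass the bytes so the BOM is honoured.
    """
    root = ET.fromstring(xml_data)
    findings = []
    if LOOKALIKE_NAME.match(task_name):
        findings.append(("lookalike-name", task_name))
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append(("hidden", "Settings/Hidden=true"))
    for trig in root.findall("t:Triggers/*", NS):
        minutes = iso_duration_minutes(trig.findtext("t:Repetition/t:Interval", namespaces=NS))
        if minutes is not None and 0 < minutes <= 60:
            kind = trig.tag.rsplit("}", 1)[-1]
            findings.append(("short-interval", f"{kind} repeats every {minutes:g} min"))
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = ex.findtext("t:Arguments", default="", namespaces=NS)
        workdir = ex.findtext("t:WorkingDirectory", default="", namespaces=NS)
        exe = command.lower().rsplit("\\", 1)[-1]
        blob = " ".join((command, arguments, workdir)).lower()
        if exe in SCRIPT_HOSTS:
            findings.append(("script-host", f"{exe} {arguments}".strip()))
        hits = [d for d in DROP_DIRS if d in blob]
        if hits:
            findings.append(("drop-dir", ", ".join(hits)))
        if exe in ("python.exe", "pythonw.exe") and not command.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("bundled-python", command))
    return findings


# Constructed to mirror the reported "sch_ha.db" task; not the real artifact.
SAMPLE_MALICIOUS = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><TimeTrigger>
    <StartBoundary>2025-01-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT17M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
  </TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B "C:\\windirr\\11.vbs"</Arguments>
    <WorkingDirectory>C:\\windirr</WorkingDirectory>
  </Exec></Actions>
</Task>"""

# Constructed benign control: a vendor updater under Program Files, once a day.
SAMPLE_BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe</Command>
    <Arguments>/c</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    cases = (("GoogleUpdateTaskMachineCGI__{56C6A980-91A1-4DB2-9812-5158E7E97388}", SAMPLE_MALICIOUS),
             ("GoogleUpdateTaskMachineCore", SAMPLE_BENIGN))
    for name, xml_data in cases:
        print(name)
        for code, detail in triage_task_xml(xml_data, name) or [("clean", "no indicators")]:
            print(f"  [{code}] {detail}")
```

Run it against .db files recovered from the drop folders, or against the output of schtasks /query /tn <name> /xml read in binary mode. Treat the name match as corroborating rather than decisive, and pair any scheduled-task hit with the preceding LNK → PowerShell → folder-creation activity in endpoint telemetry before escalating.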

Defenders must remain alert to these evolving tactics to effectively mitigate potential threats and safeguard sensitive information against such persistent and adaptive strategies employed by adversarial groups like Kimsuky.
