Kimsuky Uses LNK Files to Deploy Python Backdoor

Posted on April 3, 2026 By CWS

A North Korean hacking group known as Kimsuky has been identified in a new cyber campaign leveraging malicious Windows shortcut files, or LNK files, to surreptitiously install a Python-based backdoor on targeted computers.

This complex attack unfolds in multiple stages, making it more challenging for security systems to detect the threat before the final payload is activated on the victim’s machine.

Evolution of Kimsuky’s Attack Strategy

Historically, Kimsuky has focused on government bodies, research institutes and individuals, primarily in South Korea. The group is known for revising its tooling, and the latest campaign shows a marked change in how the malware is delivered.

The overarching objective remains to deploy a Python backdoor on compromised devices. However, Kimsuky has incorporated additional steps into the attack progression, enhancing obfuscation and control over the infection process.

New Structural Changes in Malware Execution

Researchers at ASEC have documented a redesigned execution flow for Kimsuky’s LNK files. Previously the LNK launched PowerShell, which dropped and ran a BAT file directly. The revised chain passes through an XML file, a VBS file and a PS1 script before reaching the BAT file that retrieves the final payload.

Each added hop is a separate, individually innocuous-looking file, which gives detection logic keyed on the old LNK-to-PowerShell-to-BAT transition less to match on. The LNK files themselves are disguised as ordinary documents with titles such as “Resume (Sungmin Park).hwp.lnk”; because Explorer never displays the .lnk extension, the victim sees only what looks like a Hangul word-processor (.hwp) file and has little reason to be suspicious.
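As an added example (not ASEC’s analysis code and not the campaign’s own files), the following Python script builds a shortcut in the MS-SHLLINK layout using constructed stand-in strings, then parses it back to show what a double-click would actually run: the real target behind the document-looking name, the command-line arguments, the window setting, and any bytes appended after the end of the structure. The sample target path, arguments, overlay and the finding thresholds are assumptions for illustration; the parser itself can be pointed at real .lnk files.

```python
"""Offline triage of a Windows shortcut (.lnk): what would a double-click really run?"""
import struct

# LinkFlags bits and CLSID from the MS-SHLLINK header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: window starts minimised and inactive
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon"))  # StringData order in the file

SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32"}
DOC_EXTENSIONS = (".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
SUSPICIOUS_ARGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ", "-nop", "iex")

# Constructed stand-ins for the lure (not the campaign's real target or command line)
SAMPLE_NAME = "Resume (Sungmin Park).hwp.lnk"
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = '-windowstyle hidden -nop -c "<stand-in for the dropper command>"'
SAMPLE_OVERLAY = b"CONSTRUCTED-OVERLAY:" + b"A" * 64  # bytes appended after the structure


def build_lnk(relative_path, arguments="", working_dir="", name="", icon="",
              show_command=1, overlay=b""):
    """Assemble a minimal shortcut: 76-byte header, UTF-16LE StringData, optional overlay."""
    values = dict(name=name, relative_path=relative_path, working_dir=working_dir,
                  arguments=arguments, icon=icon)
    flags, strings = IS_UNICODE, []
    for flag, key in STRING_FIELDS:
        if values[key]:
            flags |= flag
            strings.append(values[key])
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    if overlay:  # a TerminalBlock closes ExtraData; anything after it is unaccounted-for overlay
        body += b"\x00\x00\x00\x00" + overlay
    return header + body


def parse_lnk(data):
    """Walk the structure and return the fields that matter for triage."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # u16 IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # u32 LinkInfoSize, which counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string():
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    fields = {}
    for flag, key in STRING_FIELDS:  # StringData entries appear only if their flag is set
        fields[key] = read_string() if flags & flag else ""
    while pos + 4 <= len(data):  # ExtraData blocks carry a u32 size; size < 4 is the TerminalBlock
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4 if size < 4 else size
        if size < 4:
            break
    fields["show_command"] = show_command
    fields["overlay_bytes"] = max(len(data) - pos, 0)
    return fields


def triage(filename, data):
    """Return (parsed fields, findings); an empty findings list means nothing looked off."""
    info, findings = parse_lnk(data), []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS):
        findings.append("double-extension: shortcut posing as a document (Explorer hides .lnk)")
    exe = info["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe.split(".")[0] in SCRIPT_HOSTS:
        findings.append("script-host: target is " + exe)
    hits = [t for t in SUSPICIOUS_ARGS if t in info["arguments"].lower()]
    if hits:
        findings.append("arguments: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window: SW_SHOWMINNOACTIVE, the console would never be seen")
    if info["overlay_bytes"]:
        findings.append(f"overlay: {info['overlay_bytes']} bytes past the end of the structure")
    return info, findings


if __name__ == "__main__":
    import sys
    blob = build_lnk(SAMPLE_TARGET, SAMPLE_ARGS, show_command=SW_SHOWMINNOACTIVE, overlay=SAMPLE_OVERLAY)
    for fname, data in [(SAMPLE_NAME, blob)] + [(p, open(p, "rb").read()) for p in sys.argv[1:]]:
        info, findings = triage(fname, data)
        print(fname, "->", info["relative_path"], info["arguments"], *("\n  ! " + f for f in findings))
```

Run with no arguments it triages the constructed sample; pass real .lnk paths on the command line to triage those instead. The overlay count matters because a shortcut is normally a few hundred bytes of header, IDList and strings; kilobytes of data after the last ExtraData block is a common place for a dropper to stash its next stage, and the PowerShell in the arguments then reads its own file to carve it out.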

Implications of the Multi-Stage Infection Mechanism

Once executed, the LNK file launches a concealed PowerShell script that creates a directory at C:\windirr and marks it with the system and hidden file attributes so it does not appear in a normal directory listing. Into that directory it drops a Task Scheduler XML definition, a VBS script and a PowerShell script, and the rest of the attack runs from there.

The XML file is used to register a scheduled task with a Google-themed name that runs every 17 minutes, giving the implant persistence across reboots. The task launches the VBS script, which in turn runs the PowerShell script to collect system information and upload it via Dropbox; because Dropbox is a legitimate service, the exfiltration blends into ordinary outbound traffic.

The PowerShell script then downloads a BAT file, which fetches a ZIP archive in fragments from remote servers, reassembles them and extracts the final payload: a Python backdoor named beauty.py. The backdoor connects to a command-and-control server and waits for further instructions.

Preventive Measures and Recommendations

To mitigate such threats, users should treat LNK files received through email or messaging applications with suspicion, particularly those whose names mimic ordinary documents. Organizations are advised to monitor Windows Task Scheduler for unexpected entries, in this campaign a task with a short repetition interval that launches a script host from a hidden directory, and to keep endpoint security tooling up to date.
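The Task Scheduler check can be automated. The following is an added example, not ASEC’s or the campaign’s code: Windows keeps each task’s definition as an XML file under C:\Windows\System32\Tasks, and the scanner reads such definitions and flags a trigger repeating every 30 minutes or less, a task hidden from the UI, a script host as the action, a path outside the usual program directories, and a vendor-themed name (Google here) that does not launch that vendor’s binary. Both task definitions embedded in it are constructed samples: the task name, the .vbs file name and the 30-minute threshold are assumptions, while the 17-minute interval, the C:\windirr directory and the Google theme come from the article.

```python
"""Hunt Task Scheduler XML definitions for short-interval script-host persistence."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
MAX_BENIGN_INTERVAL_MIN = 30  # assumed threshold: anything repeating this often deserves a look
VENDOR_BINARIES = {"google": "googleupdate.exe"}  # name theme -> binary a genuine task would launch
TASKS_DIR = Path(r"C:\Windows\System32\Tasks")  # where Windows stores the XML definitions

# Constructed samples: one modelled on the chain in the article, one shaped like a real updater task
SUSPICIOUS_TASK = ("GoogleUpdateTaskUser", r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT17M</Interval></Repetition>
      <StartBoundary>2026-03-30T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B //nologo "C:\windirr\gupdate.vbs"</Arguments></Exec>
  </Actions>
</Task>""")
BENIGN_TASK = ("GoogleUpdateTaskMachineCore", r"""
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command><Arguments>/c</Arguments></Exec>
  </Actions>
</Task>""")


def iso_duration_minutes(text):
    """Convert an ISO 8601 duration such as PT17M or P1DT2H to minutes (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def scan_task(name, xml_doc):
    """Return findings for one task definition (str or raw file bytes); [] means nothing odd."""
    root = ET.fromstring(xml_doc.strip() if isinstance(xml_doc, str) else xml_doc)
    findings = []
    intervals = [iso_duration_minutes(el.text or "") for el in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    if intervals and min(intervals) <= MAX_BENIGN_INTERVAL_MIN:
        findings.append(f"interval: repeats every {min(intervals):g} min")
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true":
        findings.append("hidden: task is hidden from the Task Scheduler UI")
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        command = (exec_el.findtext("t:Command", "", NS) or "").strip()
        arguments = (exec_el.findtext("t:Arguments", "", NS) or "").strip()
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary in SCRIPT_HOSTS:
            findings.append(f"script-host: action runs {binary}")
        # the command plus each quoted or bare argument token; flag drive paths outside trusted roots
        tokens = [command] + [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', arguments)]
        for tok in tokens:
            if re.match(r"[A-Za-z]:\\", tok) and not tok.lower().startswith(TRUSTED_PREFIXES):
                findings.append(f"path: references {tok} outside the trusted program directories")
        for theme, expected in VENDOR_BINARIES.items():
            if theme in name.lower() and binary != expected:
                findings.append(f"mismatch: name suggests {theme} but action runs {binary or '(none)'}")
    return findings


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else TASKS_DIR
    results = [(name, scan_task(name, xml)) for name, xml in (SUSPICIOUS_TASK, BENIGN_TASK)]
    if target.is_dir():  # live hunt: every file under the tasks directory is one task definition
        for p in target.rglob("*"):
            if p.is_file():
                try:
                    results.append((str(p), scan_task(p.name, p.read_bytes())))
                except ET.ParseError as err:
                    results.append((str(p), [f"unparsable: {err}"]))
    for name, findings in results:
        print(name, "->", "clean" if not findings else "; ".join(findings))
```

On a Windows host run it as an administrator so the tasks directory is readable; on any other system it scans only the two embedded samples, or a directory of exported definitions given as the first argument. Raw task files are passed as bytes so the parser honours their UTF-16 declaration. The vendor-name check is the useful one against this campaign: a genuine Google updater task runs GoogleUpdate.exe from Program Files, so a Google-themed task whose action is wscript.exe is a mismatch worth an alert regardless of its interval.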

Restricting outbound connections helps as well, with one caveat: the first stage here talks to Dropbox, a well-known service, so a policy that only blocks unfamiliar destinations would not catch it. Where cloud-storage services are not needed they should be blocked, or proxied and logged. Staying informed about evolving threats and adapting security controls accordingly remains essential in defending against campaigns like those run by Kimsuky.

Cyber Security News Tags:backdoor installation, cyber attack, cyber threat, Cybersecurity, IT security, Kimsuky, Kimsuky tactics, LNK files, malicious files, Malware, multi-stage attack, North Korean hackers, Python backdoor, security tools

Copyright © 2026 Cyber Web Spider Blog – News.
