Full Report
PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Cobra) in 2020. At the time, it was known as the malware of the Lazarus group, but recently, there have been more cases of the PebbleDash malware being […]
Analysis Summary
# Threat Actor: Kimsuky (Associated with PebbleDash)
## Attribution & Identity
Previously associated with Lazarus (Hidden Cobra) in 2020 regarding the PebbleDash malware. More recent activity indicates primary distribution by the **Kimsuky** threat group.
## Activity Summary
Kimsuky is actively distributing the **PebbleDash** backdoor, moving away from past reliance on open-source RDP Wrapper tools. Attacks currently involve spear-phishing individuals, using LNK files to execute malicious JavaScript, which then initiates PowerShell commands for persistence and C2 communication. The group installs multiple secondary tools alongside PebbleDash, including AsyncRAT, UAC bypass malware, and exploits to modify system files for persistent remote access.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing targeting specific individuals, utilizing LNK files to execute initial payloads.
- **Execution:** Execution chained through LNK → JavaScript → PowerShell.
- **Persistence:** Registering scheduled tasks and modifying registry keys for auto-execution.
- **Defense Evasion / Privilege Escalation:** Utilizing UACMe (specifically the "AppInfo ALPC" technique) for privilege escalation; using `takeown.exe` to change ownership of `termsrv.dll` for replacement.
- **Persistence / Remote Access Modification:** Directly patching `termsrv.dll` to disable RDP license authentication (`CDefPolicy::Query` function patched), allowing passwordless RDP connections.
- **Command and Control (C2):** C2 communication conducted over both Dropbox and custom TCP socket-based C&C servers.
- **Data Exfiltration:** Use of the **ForceCopy** utility identified alongside other malware.
## Targeting
- **Sectors:** Individuals (the only target category the report names).
- **Geography:** Not explicitly detailed beyond the context of CISA/U.S. identification, but Kimsuky typically targets South Korean entities, journalists, and think tanks.
- **Victims:** Specific individuals reached through the spear-phishing campaign.
## Tools & Infrastructure
- **Malware Families Used:**
  - **PebbleDash** (Backdoor, recently executed via creating `advconf2.dll` and registering it as a service).
  - **AsyncRAT** (Used for controlling infected PCs).
  - Custom UAC Bypass Malware (Utilizing UACMe's "AppInfo ALPC" technique).
- **Infrastructure:**
  - Dropbox (Used for staging and C2 communication).
  - TCP Socket-based C&C Servers.
- **Modified Artifacts:**
  - Manually modified/patched **termsrv.dll** to bypass RDP authentication.
## Implications
Kimsuky is demonstrating evolving tactics by directly patching critical system binaries (`termsrv.dll`) instead of relying on external wrappers for RDP access. This shift suggests an effort to maintain persistent, potentially stealthier remote access, bypassing reliance on potentially public or easily detectable wrapper software.
## Mitigations
- Increased scrutiny of spear-phishing attempts, especially those delivering LNK files to individuals.
- Ensure security products are kept up to date to thwart known initial access techniques.
- Monitor for unusual modifications to system DLLs, specifically `termsrv.dll` in the Windows system directory.
- Investigate suspicious scheduled tasks and abnormal service registrations, particularly those that execute dynamically created DLLs (e.g., the recently created `advconf2.dll`).
- Audit RDP configurations and monitor for unauthorized changes to the `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters` registry key.
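The following PowerShell audit turns the monitoring items above (and the `termsrv.dll` / service-DLL / scheduled-task techniques listed under Tactics, Techniques & Procedures) into host-level checks. It is an added example written for this page, not code from the original report or from any vendor tooling. It assumes it is run from an elevated PowerShell session on the host being examined; the `advconf2.dll` name and the `TermService\Parameters` registry path are taken from the report, the 7-day window for "recently created" DLLs is an arbitrary choice, and the list of script hosts is a generic set used only to surface tasks for triage.

```powershell
# Added example: host audit for the PebbleDash / RDP-tampering indicators described above.
# Assumptions: elevated session; advconf2.dll and the TermService\Parameters key come from
# the report; the 7-day window and the script-host list are illustrative choices.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. termsrv.dll integrity: an in-place patch invalidates the Microsoft signature, and a
#    takeown.exe ownership change leaves an owner other than TrustedInstaller.
$termsrv = Join-Path $env:SystemRoot 'System32\termsrv.dll'
if (Test-Path $termsrv) {
    $sig = Get-AuthenticodeSignature -FilePath $termsrv   # catalog-signed OS files report Valid
    if ($sig.Status -ne 'Valid') {
        $findings.Add("termsrv.dll signature status is '$($sig.Status)' (expected Valid)")
    }
    $owner = (Get-Acl -Path $termsrv).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings.Add("termsrv.dll owner is '$owner' (expected NT SERVICE\TrustedInstaller)")
    }
}

# 2. TermService\Parameters: the ServiceDll value should point at the stock termsrv.dll.
$paramsKey = 'HKLM:\SYSTEM\ControlSet001\Services\TermService\Parameters'
if (Test-Path $paramsKey) {
    $serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($serviceDll)
        if ($expanded -ne $termsrv) {
            $findings.Add("TermService ServiceDll is '$serviceDll' (expected $termsrv)")
        }
    }
}

# 3. Services whose ServiceDll sits outside the Windows directory, or that load the
#    advconf2.dll name the report associates with the PebbleDash service registration.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $expanded  = [Environment]::ExpandEnvironmentVariables($dll)
    $inWindows = $expanded.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    if (-not $inWindows -or $expanded -match 'advconf2\.dll$') {
        $findings.Add("Service '$($svc.PSChildName)' loads ServiceDll '$dll'")
    }
}

# 4. Non-Microsoft scheduled tasks whose action is a script host: the report's
#    LNK -> JavaScript -> PowerShell chain uses scheduled tasks for persistence.
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    if ($task.TaskPath -like '\Microsoft\*') { continue }
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }                        # COM-handler actions have no Execute
        $exeName = [IO.Path]::GetFileName(([Environment]::ExpandEnvironmentVariables($exe)).Trim('"'))
        if ($scriptHosts -contains $exeName) {             # -contains is case-insensitive
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs $exe $($action.Arguments)")
        }
    }
}

# 5. DLLs created in System32 within the last 7 days that do not carry a valid signature
#    (the report's PebbleDash variant drops a freshly created DLL and registers it as a service).
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($s.Status -ne 'Valid') {
            $findings.Add("Recent DLL in System32 without a valid signature: $($_.Name) (created $($_.CreationTime))")
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No PebbleDash / RDP-tampering indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}
```

Each finding is a triage lead rather than a verdict: a third-party scheduled task that runs `powershell.exe` is common on managed hosts, so check 4 is expected to produce benign hits, whereas checks 1 and 2 (an unsigned or non-TrustedInstaller-owned `termsrv.dll`, or a `ServiceDll` value redirected away from System32) are rarely benign and should be escalated. Run the script periodically or from an EDR live-response session and diff the output against a known-good baseline.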