Kimsuky Threat Group Exploiting Chrome Remote Desktop
2023-07-06 • AhnLab
AhnLab ASEC reported that the North Korea-linked Kimsuky group was observed exploiting Chrome Remote Desktop alongside its AppleSeed malware and other remote-control tooling. Recent activity used script-type WSF or JS malware, often disguised as document files, to decode and run AppleSeed with regsvr32 arguments such as 123qweASDZXC before installing follow-on tools including infostealers, RDP Patcher, Ngrok, and Chrome Remote Desktop. AppleSeed supports command execution, additional malware installation, keylogging, screenshots, and file theft, while associated infostealers targeted credentials from Chrome, Microsoft Edge, and Naver Whale. The tradecraft shows Kimsuky combining phishing-delivered scripts, backdoors, credential theft, and remote-access utilities to maintain hands-on control of infected systems.
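As an added example that is not part of the AhnLab report, the following Python detector scores process-creation events against the chain described above: regsvr32 launched by a Windows script host (the WSF/JS dropper), a command line carrying the reported install argument, or a DLL loaded from a user-writable path. The event records, paths and field names are constructed assumptions, not telemetry from the report.

```python
import re

# Constructed process-creation records (Sysmon event 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i:123qweASDZXC C:\Users\victim\AppData\Local\Temp\report.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /i:123qweASDZXC C:\Users\victim\Downloads\invoice.pdf.dll"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# Install argument reported by AhnLab for the AppleSeed regsvr32 launch (assumed case-sensitive).
KNOWN_ARGUMENT = "123qweASDZXC"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# DLLs registered from a profile directory are unusual for legitimate software installs.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify_event(ev):
    """Return the list of reasons an event is suspicious; empty means nothing matched."""
    reasons = []
    if basename(ev["image"]) != "regsvr32.exe":
        return reasons
    if basename(ev["parent"]) in SCRIPT_HOSTS:
        reasons.append("regsvr32 spawned by script host")
    if KNOWN_ARGUMENT in ev["cmdline"]:
        reasons.append("known AppleSeed install argument")
    if USER_WRITABLE.search(ev["cmdline"].lower()):
        reasons.append("DLL loaded from user-writable path")
    return reasons


def scan(events):
    """Index and reasons for every event that triggered at least one check."""
    hits = [(i, classify_event(ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in hits if r]
```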
Indicators of Compromise