Kimsuky Threat Group Uses RDP to Control Infected Systems
2023-10-17 • AhnLab
AhnLab details Kimsuky activity in which presumed spear phishing led to installation of BabyShark and, later, deployment of RDP-control tooling on compromised Windows systems. The group used scripts and loaders such as hwp.bat, k.ps1, OneNote.vbs, pow.ps1, and desktop.r7u to collect system information, log keystrokes, decrypt payloads, and inject code into legitimate processes. Additional payloads included multiple.exe, which modifies termsrv.dll, enables multiple concurrent RDP sessions, and creates a hidden IIS_USER administrator account. A RevClient component receives C2 commands, can manage user accounts, and forwards attacker traffic to the local RDP service, with 5.61.59.53:2086 identified as the main C2 endpoint.
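A host triage check for the artifacts the summary attributes to multiple.exe (a modified termsrv.dll, a hidden IIS_USER administrator account, and Terminal Server settings that permit concurrent sessions), added here as an example and not part of the AhnLab report. The Winlogon SpecialAccounts\UserList hiding method and the fSingleSessionPerUser value are assumptions about how such changes are commonly made, not details the report states.

```powershell
# Added host-triage example (not from the AhnLab report). Run elevated.
# Looks for: (1) termsrv.dll whose Microsoft signature no longer validates,
# (2) a local IIS_USER account with Administrators membership, (3) that account
# hidden from the logon screen via Winlogon SpecialAccounts\UserList (assumed
# technique), (4) fSingleSessionPerUser=0, which allows multiple sessions per user.
function Test-KimsukyRdpArtifacts {
    [CmdletBinding()]
    param(
        [string]$AccountName = 'IIS_USER',
        [string]$TermsrvPath = "$env:SystemRoot\System32\termsrv.dll"
    )
    $findings = @()

    # 1. A patched termsrv.dll fails signature/catalog validation (e.g. HashMismatch).
    $sig = Get-AuthenticodeSignature -FilePath $TermsrvPath
    if ($sig.Status -ne 'Valid') {
        $findings += "termsrv.dll signature status is '$($sig.Status)' (expected Valid)"
    }

    # 2. Local account present and a member of the local Administrators group.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if ($user) {
        $findings += "local account '$AccountName' exists (Enabled=$($user.Enabled))"
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        if ($admins | Where-Object { $_.Name -like "*\$AccountName" }) {
            $findings += "'$AccountName' is a member of Administrators"
        }
    }

    # 3. Account hidden from the logon screen (assumed technique: UserList value = 0).
    $userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $userList) {
        $hidden = (Get-ItemProperty -Path $userList).$AccountName
        if ($null -ne $hidden -and $hidden -eq 0) {
            $findings += "'$AccountName' is hidden from the logon screen (UserList=0)"
        }
    }

    # 4. Terminal Server policy allowing concurrent sessions for one user (assumed setting).
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fSingleSessionPerUser -eq 0) {
        $findings += 'fSingleSessionPerUser=0 (multiple RDP sessions per user allowed)'
    }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-KimsukyRdpArtifacts | Format-List
```

Any single finding warrants a closer look at the host; the termsrv.dll signature failure is the strongest indicator because Windows never ships that file unsigned.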
Indicators of Compromise