The North Korea-aligned advanced persistent threat (APT) group Kimsuky has been discovered using a previously unknown backdoor, codenamed HttpTroy, in a highly targeted spear-phishing campaign. The attack, aimed at a single victim in South Korea, employed a sophisticated multi-stage infection chain disguised as a legitimate VPN invoice.
The Deceptive Lure and Initial Compromise
The attack began with a phishing email containing a ZIP file attachment. The file was cleverly named to mimic a commercial VPN quotation: 250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip.
Within this archive was a screensaver (.scr) file with the same name. Despite the extension, an .scr file is an ordinary Windows PE executable that runs when double-clicked, so opening it triggered a multi-phase execution chain that deployed the final HttpTroy backdoor while displaying a decoy PDF document to maintain the illusion of a legitimate invoice.
The Multi-Stage Infection Chain
The infection process, analyzed by Gen Digital, involved three distinct components working in sequence:
- The Dropper: A small Golang binary that served as the initial payload.
- MemLoad (The Loader): This component established persistence on the infected host by creating a scheduled task named "AhnlabUpdate", a name chosen to impersonate the reputable South Korean security vendor AhnLab so that the task would not look out of place among legitimate update jobs. Its primary role was to decrypt and execute the final backdoor.
- HttpTroy (The Backdoor): The final payload, a powerful DLL backdoor that grants attackers comprehensive control over the compromised system.
HttpTroy’s Advanced Capabilities and Stealth Techniques
HttpTroy is a feature-rich implant that communicates with its command-and-control (C2) server (load.auraria[.]org) using HTTP POST requests. Its capabilities are extensive, allowing the attackers to:
- Upload and download files.
- Capture screenshots.
- Execute commands with elevated privileges.
- Load other executables directly into memory.
- Initiate a reverse shell.
- Terminate processes and remove its own traces.
To evade detection, HttpTroy employs advanced obfuscation. Security researcher Alexandru-Cristian Bardaș explained, “HttpTroy employs multiple layers of obfuscation to hinder analysis and detection. API calls are concealed using custom hashing techniques, while strings are obfuscated through a combination of XOR operations and SIMD instructions.” The backdoor dynamically reconstructs these elements at runtime, making static analysis exceptionally difficult.
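Import-by-hash is the usual analyst headache behind "API calls are concealed using custom hashing": the binary carries 32-bit constants instead of import names and resolves them by walking export tables at runtime. The standard counter is to hash every export of the likely DLLs with candidate hash routines and look the constants up. The following is an added example written for this page, not code from the article or from HttpTroy itself; the article does not describe the malware's hash, so the ROR13 and djb2 routines here are illustrative choices, the export lists are an assumed subset of what one would dump from the real DLLs, and the sample constants are computed in the script rather than taken from any sample.

```python
"""Resolve import-by-hash constants against known DLL exports.

Added example, not code from the article or from the malware. The article
says only that HttpTroy uses "custom hashing"; ror13_hash and djb2_hash
below are illustrative, commonly seen routines, NOT HttpTroy's actual hash.
"""
from __future__ import annotations

from typing import Callable, Iterable


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13-then-add hash, as popularised by shellcode resolvers."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """Classic djb2 (h * 33 + c), truncated to 32 bits."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


HASHERS: dict[str, Callable[[str], int]] = {"ror13": ror13_hash, "djb2": djb2_hash}

# Assumption: a subset of the export names an analyst would dump from each DLL.
KNOWN_EXPORTS: dict[str, list[str]] = {
    "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "VirtualAlloc",
                     "CreateProcessW", "TerminateProcess", "DeleteFileW"],
    "wininet.dll": ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW",
                    "HttpSendRequestW", "InternetReadFile"],
    "user32.dll": ["GetDC", "GetDesktopWindow"],
}


def build_table(exports=KNOWN_EXPORTS, hasher=ror13_hash) -> dict[int, str]:
    """Map hash -> 'dll!export' for one hash routine, refusing silent collisions."""
    table: dict[int, str] = {}
    for dll, names in exports.items():
        for n in names:
            h = hasher(n)
            label = f"{dll}!{n}"
            if h in table and table[h] != label:
                raise ValueError(f"collision on {h:#010x}: {table[h]} vs {label}")
            table[h] = label
    return table


def identify_hasher(hashes: Iterable[int], exports=KNOWN_EXPORTS, hashers=HASHERS):
    """Pick the candidate routine that explains the most constants."""
    hashes = list(hashes)
    best, best_hits = None, 0
    for name, fn in hashers.items():
        table = build_table(exports, fn)
        hits = sum(1 for h in hashes if h in table)
        if hits > best_hits:
            best, best_hits = name, hits
    return best, best_hits


def resolve(hashes: Iterable[int], hasher=ror13_hash, exports=KNOWN_EXPORTS) -> dict[int, str]:
    """Translate constants back to names; unknown ones stay unresolved."""
    table = build_table(exports, hasher)
    return {h: table.get(h, "<unknown>") for h in hashes}


# Constructed: constants as they might sit in an import-by-hash resolver.
# Computed here with ror13_hash; the last one matches nothing on purpose.
SAMPLE_HASHES = [ror13_hash("VirtualAlloc"), ror13_hash("HttpSendRequestW"), 0xDEADBEEF]


if __name__ == "__main__":
    routine, hits = identify_hasher(SAMPLE_HASHES)
    print(f"best candidate: {routine} ({hits} hits)")
    for h, name in resolve(SAMPLE_HASHES, HASHERS[routine]).items():
        print(f"{h:#010x} -> {name}")
```

In practice the export lists come from the real DLLs (for example via pefile), the candidate set grows as routines are recovered from the resolver's disassembly, and an unresolved constant usually means either a missing DLL in the list or a routine that also folds the module name or a trailing NUL into the hash.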
Parallel Campaign: Lazarus Group Deploys Upgraded Malware
In a related development, Gen Digital also uncovered a separate attack by the notorious Lazarus Group (also linked to North Korea) targeting two victims in Canada. This campaign led to the deployment of Comebacker malware and an upgraded version of the BLINDINGCAN RAT (also known as AIRDRY or ZetaNile).
The attackers used two variants of the Comebacker loader (DLL and EXE) to decrypt and deploy the final BLINDINGCAN payload as a Windows service. BLINDINGCAN’s capabilities are vast, including:
- Full file system management (upload, download, delete, alter attributes).
- System reconnaissance (file enumeration, process listing, metadata collection).
- Command execution via cmd.exe or directly in memory.
- Capturing screenshots and pictures from webcams.
- Self-deletion to remove all traces of infection.