Kimsuky: North Korean Spies Weaponize AutoIt for Cyber Espionage

In the shadowy world of cyber espionage, the Kimsuky threat group, believed to be backed by North Korea, stands out for its persistent and evolving tactics. Active since 2013, Kimsuky initially focused on South Korean targets, including research institutes and a major energy corporation, before broadening its scope to international espionage from 2017.

Kimsuky’s primary modus operandi has been spear phishing attacks targeting sectors like national defense, the press, and academia to steal sensitive information. Recently, they have shifted to more sophisticated methods, including the use of LNK (shortcut) malware, which evades detection by conventional means.

Figure: Malware in script format contained within LNK files (image: AhnLab)

According to a security researcher from AhnLab, a significant development in Kimsuky’s arsenal is the use of the AutoIt scripting language to build malware, including RftRAT and Amadey. This shift demonstrates Kimsuky’s adaptability and its focus on evading detection. AutoIt, traditionally a legitimate scripting tool for automating the Windows GUI, has been repurposed by Kimsuky to deploy malware stealthily.

  1. RftRAT: This backdoor, built with AutoIt, receives and executes commands from a Command and Control (C&C) server. It is characterized by a range of functions, from exfiltrating data to providing reverse shell access.
  2. Amadey: Originally sold on underground forums, Amadey was ported to AutoIt by Kimsuky and serves as a downloader for additional malware. It transmits system information and can exfiltrate screenshots as well as credentials saved in web browsers and email clients.
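The LNK-based delivery and the AutoIt tooling described above both leave structural traces that a defender can check for without signatures for any specific sample. The following Python is an added example and is not code from the article or from AhnLab: it parses the Shell Link header and string data according to the public MS-SHLLINK layout to recover what a shortcut actually launches, measures any bytes appended after the last LNK structure (where a script payload can be carried, an assumption about delivery rather than a detail the article gives), and looks for the "AU3!EA06" marker that compiled AutoIt v3 scripts embed. The shortcut files it inspects are constructed in memory; the target paths and arguments are hypothetical.

```python
"""Defensive triage of Windows .lnk files and AutoIt-compiled binaries.

Added example, not taken from the article or the AhnLab report.
The LNK layout follows MS-SHLLINK; the sample shortcuts are constructed
here and the paths/arguments in them are hypothetical.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

AUTOIT_MARKER = b"AU3!EA06"  # signature embedded in compiled AutoIt v3 scripts
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "autoit3")


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structures and return the recovered strings
    plus the count of bytes that follow the final (terminal) ExtraData block."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                         # StringData: CountCharacters + chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos:pos + count].decode("latin-1")
                pos += count
    # ExtraData: blocks prefixed with a 4-byte BlockSize (including itself);
    # a BlockSize below 4 is the TerminalBlock that ends a valid file.
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if size < 4:
            break
        pos += size - 4
    info["trailing_bytes"] = max(0, len(data) - pos)
    return info


def has_autoit_marker(data: bytes) -> bool:
    """True if the blob carries the compiled-AutoIt script marker."""
    return AUTOIT_MARKER in data


def triage_lnk(data: bytes) -> dict:
    """Parse a shortcut and attach human-readable findings for analyst review."""
    info = parse_lnk(data)
    launched = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = []
    hosts = [h for h in SCRIPT_HOSTS if h in launched]
    if hosts:
        findings.append("invokes script host: " + ", ".join(hosts))
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after LNK structures")
    if has_autoit_marker(data):
        findings.append("compiled AutoIt script marker present")
    info["findings"] = findings
    return info


def build_sample_lnk(relative_path: str, arguments: str, payload: bytes) -> bytes:
    """Construct a minimal Unicode .lnk (header, two strings, TerminalBlock)
    and append `payload` after it. Test fixture only, not a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4 + payload


if __name__ == "__main__":
    # Constructed fixtures: a shortcut that launches a script host with data
    # appended, and a plain shortcut to notepad with nothing appended.
    suspicious = build_sample_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-w hidden -File report.txt", b"; constructed dummy payload\n" * 4)
    benign = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "", b"")
    for label, blob in (("suspicious", suspicious), ("benign", benign)):
        print(label, triage_lnk(blob)["findings"])
```

The three checks are deliberately independent: a shortcut to a script host is routine in many environments, appended data alone can be benign padding, and the AutoIt marker appears in every legitimately compiled AutoIt tool as well. Combining them with where the file arrived (e-mail attachment, archive) is what turns a hit into a triage lead rather than an alert.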

Once Kimsuky gains control of a system, a variety of tools are deployed for information extraction. These include keyloggers, infostealers targeting web browser data, and even Mimikatz and RDP Wrapper for deeper access. The group has been observed using Remote Desktop Protocol (RDP) to maintain control and exfiltrate data.

Kimsuky’s evolution and adaptability in creating and deploying malware, as evidenced by their transition to AutoIt, signify a persistent and advancing threat. Their ability to bypass traditional security measures and employ diverse malware tactics poses a significant challenge to cybersecurity defenses worldwide.

The continuous evolution of Kimsuky’s techniques underscores the importance of staying ahead in cybersecurity measures. Organizations, especially those in sensitive sectors, need to be vigilant, employing advanced detection and defense strategies to counter these sophisticated and adaptive threats.