North Korean Hackers Use Custom-Made RDP Wrapper To Activate Remote Desktop on Hacked Machines

Cybersecurity researchers have uncovered a campaign by North Korea’s Kimsuky group that deploys a custom-built RDP Wrapper to turn on Remote Desktop access on machines the group has already compromised.

This marks another alarming evolution in the group’s cyber-espionage tactics, targeting organizations globally.

The Kimsuky group, known for its advanced persistent threat (APT) campaigns, uses spear-phishing emails to distribute malicious shortcut files (*.LNK).

These files execute PowerShell or Mshta commands to download malware payloads such as PebbleDash and the custom RDP Wrapper.

ASEC analysts detected that the RDP Wrapper enables remote desktop functionality on systems where it is disabled by default or restricted by licensing limitations.

Unlike the widely available open-source RDP Wrapper, Kimsuky’s version incorporates unique export functions designed to bypass antivirus detection.


Like the open-source project it is based on, the wrapper hooks the Remote Desktop Services component (termsrv.dll) and registers itself as a service, which lets the attackers open RDP sessions, including several concurrent ones, without the normal edition or licensing limits. In the observed intrusions the attackers then enable RDP connections in the registry and add a local administrator account for themselves:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net user /add default 1qaz2wsx#EDC
net localgroup Administrators default /add

Attack Analysis

The custom RDP Wrapper exposes export functions such as ServiceMain and StringFinder and is obfuscated to evade detection. The export table of one analyzed sample is shown below; ServiceMain and SvchostPushServiceGlobals are the two exports a DLL needs in order to be hosted by svchost.exe as a service:

Ordinal   RVA           Name RVA      Name
1         0x00001000    0x0001F19C    GetWindowTextInfo
2         0x00001ED0    0x0001F1AE    ServiceMain
3         0x00001F10    0x0001F1BA    SvchostPushServiceGlobals
Export functions of Kimsuky’s RDP Wrapper (Source – ASEC)
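The table above is what a PE export directory looks like once a tool has walked it. As an added example (not code from the ASEC report or from the wrapper itself), the script below builds a synthetic PE32+ DLL in memory whose exports mirror the three names in the table, parses the export directory by hand, and flags the svchost service-DLL pattern (ServiceMain plus SvchostPushServiceGlobals) that a hunting rule could use to pick out unsigned DLLs registered as services. The DLL name "sample.dll", the RVAs and the section layout are constructed for the example; the synthetic image contains no code.

```python
"""Added example: hand-rolled PE export-table reader run over a synthetic
PE32+ DLL whose exports mirror the ASEC table. Not the wrapper's code and not
from the ASEC report; the image built here is constructed and inert."""
import struct

# Constructed sample: the three export names from the ASEC table.
SAMPLE_EXPORTS = ["GetWindowTextInfo", "ServiceMain", "SvchostPushServiceGlobals"]
# Exports a DLL needs in order to be hosted by svchost.exe as a service.
SVCHOST_SERVICE_EXPORTS = {"ServiceMain", "SvchostPushServiceGlobals"}


def build_minimal_pe(export_names, dll_name=b"sample.dll"):
    """Build a PE32+ image with one section that holds only an export directory."""
    sect_rva, sect_raw = 0x1000, 0x200
    n = len(export_names)
    # Section layout: IMAGE_EXPORT_DIRECTORY (40 bytes), address table,
    # name-pointer table, ordinal table, then the NUL-terminated strings.
    addr_off = 40
    names_off = addr_off + 4 * n
    ords_off = names_off + 4 * n
    str_off = ords_off + 2 * n
    blob, name_rvas = bytearray(dll_name + b"\0"), []
    for name in export_names:
        name_rvas.append(sect_rva + str_off + len(blob))
        blob += name.encode() + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sect_rva + str_off, 1,
                             n, n, sect_rva + addr_off, sect_rva + names_off,
                             sect_rva + ords_off)
    body = (export_dir
            + b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # fake code RVAs
            + b"".join(struct.pack("<I", r) for r in name_rvas)
            + b"".join(struct.pack("<H", i) for i in range(n))                  # unbiased ordinals
            + bytes(blob))
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sect_rva, len(body))    # export directory RVA/size
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sect_rva, raw_size,
                       sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sect_raw, b"\0")
    return headers + body.ljust(raw_size, b"\0")


def parse_exports(data):
    """Return (ordinal, function RVA, name RVA, name) for every named export."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    n_sections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)              # PE32+ vs PE32
    if struct.unpack_from("<I", data, dirs - 4)[0] < 1:
        return []
    exp_rva, _exp_size = struct.unpack_from("<II", data, dirs)
    if exp_rva == 0:
        return []
    sections = []
    for i in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def to_off(rva):  # RVA -> file offset through the section table
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(rva):
        off = to_off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    d = to_off(exp_rva)
    base, _n_funcs, n_names, funcs, names, ords = struct.unpack_from("<IIIIII", data, d + 16)
    out = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, to_off(names) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, to_off(ords) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, to_off(funcs) + 4 * ordinal)[0]
        out.append((base + ordinal, func_rva, name_rva, cstr(name_rva)))
    return out


def is_svchost_service_dll(exports):
    """True when the DLL exports everything svchost.exe needs to host it."""
    return SVCHOST_SERVICE_EXPORTS <= {name for _, _, _, name in exports}


if __name__ == "__main__":
    image = build_minimal_pe(SAMPLE_EXPORTS)
    for ordinal, func_rva, name_rva, name in parse_exports(image):
        print(f"{ordinal:<8}{func_rva:#010x}  {name_rva:#010x}  {name}")
    print("svchost service DLL:", is_svchost_service_dll(parse_exports(image)))
```

Run against a real DLL by replacing the synthetic image with the file's bytes; the export-name check is only a triage hint, since every legitimate svchost-hosted service DLL exports the same two names, so pair it with the service's image path and code-signing status before raising an alert.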

Additionally, the attackers deploy proxy malware so that hosts on private networks, which cannot be reached directly over RDP from the internet, can still be accessed through a reverse tunnel. These tools create mutexes such as “MYLPROJECT” and “LPROXYMUTEX”, which can serve as detection artifacts.

Here below we have mentioned the additional malware components:-

  • KeyLogger: Captures keystrokes and stores them in hidden files such as C:\Programdata\jLog.txt.
  • Infostealer: Extracts credentials from Chromium-based browsers using NTFS parsing libraries.
  • ReflectiveLoader: A PowerShell script that loads a PE payload directly into memory instead of writing it to disk. The excerpt below reads the payload file, patches one byte of its DOS header and then checks the “MZ” signature ($ZzPath holds the payload path and is set earlier in the script):
# $ZzPath: path of the payload file, set earlier in the script.
[Byte[]]$bytes = [System.IO.File]::ReadAllBytes($ZzPath);
# The sample overwrites byte 10 of the DOS header (the e_minalloc field) before validating the file.
$bytes[10] = 0x1f;
# e_magic is the first two bytes of the DOS header and must read "MZ" for a PE image.
$e_magic = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 2);
if ($e_magic -ne 'MZ') {
    throw 'PE is not a valid PE file.'
}
Obfuscated ReflectiveLoader script (Source – ASEC)

By enabling remote desktop access, attackers can exfiltrate sensitive data, conduct lateral movement within networks, and maintain persistent access.

PowerShell process installing PebbleDash dropper (Source – ASEC)

To mitigate these risks, organizations should disable Remote Desktop where it is not needed, monitor for changes to the fDenyTSConnections registry value and for newly created local accounts (especially ones added to the Administrators group shortly after creation), watch for new services registered outside the usual system directories, and use endpoint detection tools capable of identifying obfuscated malware.
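The registry and account commands quoted earlier map directly onto Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) and onto Sysmon event 13 (registry value set). As an added example (not from the ASEC report), the script below runs two detections over constructed event records: a Sysmon 13 that writes fDenyTSConnections = 0, and a 4720 followed within ten minutes by a 4732 that puts the same new account into BUILTIN\Administrators. The record format is a simplified dictionary form of those events, the user names and timestamps are made up, and the ten-minute window is an assumption to tune for your environment.

```python
"""Added example: detection logic for the RDP-enablement and local-admin
steps shown in the article, run over constructed Windows event records.
Not code from the ASEC report; the records are made up and the field names
are simplified forms of Security events 4720/4732 and Sysmon event 13."""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
RDP_DENY_VALUE = r"\control\terminal server\fdenytsconnections"

# Constructed sample log: one benign account creation in the morning, then
# the attacker sequence from the article compressed into a few seconds.
SAMPLE_EVENTS = [
    {"ts": "2025-02-06T08:12:40", "id": 4720, "target_user": "j.doe", "subject_user": "helpdesk"},
    {"ts": "2025-02-06T13:40:01", "id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"ts": "2025-02-06T13:40:03", "id": 4720, "target_user": "default", "subject_user": "victim"},
    {"ts": "2025-02-06T13:40:04", "id": 4732, "member": "default",
     "group_sid": ADMINISTRATORS_SID, "subject_user": "victim"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def rdp_enabled_via_registry(events):
    """Sysmon 13 writing fDenyTSConnections = 0 turns Remote Desktop on."""
    return [("rdp_enabled_via_registry", ev["ts"], ev["image"])
            for ev in events
            if ev["id"] == 13
            and ev["target"].lower().endswith(RDP_DENY_VALUE)
            and ev["details"].strip().endswith("(0x00000000)")]


def new_account_made_admin(events, window=timedelta(minutes=10)):
    """4720 (account created) followed inside the window by 4732 adding the
    same account to the local Administrators group."""
    created, alerts = {}, []
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4720:
            created[ev["target_user"].lower()] = _ts(ev)
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            t0 = created.get(ev["member"].lower())
            if t0 is not None and _ts(ev) - t0 <= window:
                alerts.append(("new_account_made_admin", ev["ts"], ev["member"]))
    return alerts


def detect(events):
    """Run every rule and return the alerts in time order."""
    return sorted(rdp_enabled_via_registry(events) + new_account_made_admin(events),
                  key=lambda alert: alert[1])


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_EVENTS):
        print(f"{ts}  {rule:<26} {detail}")
```

The benign 4720 in the sample produces no alert because no 4732 follows it; the attacker's account does, because the two events land seconds apart. The registry rule keys on the value name rather than on reg.exe, so it also fires when the same change is made from PowerShell or from the wrapper's installer.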

Moreover, applying regular security patches and updates is essential to maintain overall system security.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.