Cybersecurity experts have uncovered a sophisticated campaign by North Korea’s Kimsuky group, employing a custom-built RDP Wrapper to gain unauthorized access to compromised machines.
This marks another alarming evolution in the group’s cyber-espionage tactics, targeting organizations globally.
The Kimsuky group, known for its advanced persistent threat (APT) campaigns, uses spear-phishing emails to distribute malicious shortcut files (*.LNK).
These files execute PowerShell or Mshta commands to download malware payloads such as PebbleDash and the custom RDP Wrapper.
ASEC analysts detected that the RDP Wrapper enables remote desktop functionality on systems where it is disabled by default or restricted by licensing limitations.
Unlike the widely available open-source RDP Wrapper, Kimsuky’s version incorporates unique export functions designed to bypass antivirus detection.
For example, the wrapper wraps the Remote Desktop Services library termsrv.dll and registers itself as a service, allowing the attackers to open multiple concurrent RDP sessions without drawing attention. The commands observed on compromised hosts turn Remote Desktop on and add a local administrator account for the attackers to log in with:

```cmd
rem Allow inbound RDP: fDenyTSConnections=0 turns Remote Desktop on
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
rem Create a local account named "default" with a fixed password ...
net user /add default 1qaz2wsx#EDC
rem ... and make it a local administrator so it can log in over RDP
net localgroup Administrators default /add
```
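The three commands above leave a predictable trail in host telemetry. The following Python is an added example, not code from the ASEC report or from the malware, that runs simple detection logic over a handful of constructed Sysmon and Windows Security event records: a process creation (Sysmon event 1) whose command line sets fDenyTSConnections to 0, a registry value write (Sysmon event 13) that sets that value to 0, and a newly created local account (Security event 4720) that is added to the Administrators group (Security event 4732) within a short window. The records, SIDs and user names are made up; only the field names follow the Sysmon and Security event schemas.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# Sysmon and Windows Security event schemas; every value is made up.
SAMPLE_EVENTS = [
    {"ts": "2025-02-03T09:12:01", "source": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2025-02-03T09:12:01", "source": "Sysmon", "EventID": 13,
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"ts": "2025-02-03T09:12:05", "source": "Security", "EventID": 4720,
     "TargetUserName": "default", "TargetSid": "S-1-5-21-1-2-3-1005",
     "SubjectUserName": "jdoe"},
    {"ts": "2025-02-03T09:12:06", "source": "Security", "EventID": 4732,
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1005",
     "SubjectUserName": "jdoe"},
    # Benign noise: Group Policy re-applying the "deny" setting, and an
    # account that already existed being promoted much later.
    {"ts": "2025-02-03T09:30:00", "source": "Sysmon", "EventID": 13,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
    {"ts": "2025-02-03T10:00:00", "source": "Security", "EventID": 4732,
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1001",
     "SubjectUserName": "admin"},
]

# Registry value that enables Remote Desktop when set to 0.
RDP_KEY = r"\Control\Terminal Server\fDenyTSConnections"
# "reg add ... /v fDenyTSConnections ... /d 0" in any argument order after the value name.
ENABLE_CMD = re.compile(r"fDenyTSConnections.*?/d\s+0\b", re.IGNORECASE)


def detect(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[tuple[str, str]]:
    """Return (finding_name, detail) pairs for the RDP-enable and
    new-local-admin patterns in a list of event records."""
    findings = []
    created = {}  # SID -> (username, creation time), filled from 4720 events
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        src, eid = ev["source"], ev["EventID"]
        if src == "Sysmon" and eid == 1 and ENABLE_CMD.search(ev.get("CommandLine", "")):
            findings.append(("rdp_enable_command", ev["CommandLine"]))
        elif (src == "Sysmon" and eid == 13
              and ev["TargetObject"].lower().endswith(RDP_KEY.lower())
              and "0x00000000" in ev["Details"]):
            findings.append(("rdp_enabled_in_registry", ev["Image"]))
        elif src == "Security" and eid == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], ts)
        elif src == "Security" and eid == 4732 and ev["TargetUserName"] == "Administrators":
            # Correlate by SID, not by name: only accounts created within
            # the window count, so pre-existing accounts being promoted are ignored.
            sid = ev["MemberSid"]
            if sid in created and ts - created[sid][1] <= window:
                findings.append(("new_account_made_local_admin", created[sid][0]))
    return findings


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

In a real deployment the records come from the SIEM rather than a list, but the logic stays the same: the registry write and the process creation each fire on their own, while the account rule needs the 4720/4732 pair so that routine promotion of existing accounts does not trigger it.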
Attack Analysis
The custom RDP Wrapper includes export functions such as ServiceMain and StringFinder, which are obfuscated to evade detection. Below is an example of the wrapper's export table:

| Ordinal | RVA | Name RVA | Name |
|---|---|---|---|
| 1 | 0x00001000 | 0x0001F19C | GetWindowTextInfo |
| 2 | 0x00001ED0 | 0x0001F1AE | ServiceMain |
| 3 | 0x00001F10 | 0x0001F1BA | SvchostPushServiceGlobals |

ServiceMain and SvchostPushServiceGlobals are the standard exports of a service DLL hosted by svchost.exe (termsrv.dll itself exports both), which is what lets the wrapper be registered as the Remote Desktop service's DLL.
Additionally, the attackers deploy proxy malware so that machines inside a private network can still be reached from outside. These tools create mutexes named "MYLPROJECT" and "LPROXYMUTEX" and provide external access through reverse tunneling.
The additional malware components observed alongside the wrapper:

- KeyLogger: captures keystrokes and stores them in hidden files such as C:\Programdata\jLog.txt.
- Infostealer: extracts credentials from Chromium-based browsers using NTFS parsing libraries.
- ReflectiveLoader: a PowerShell script that injects malicious payloads into memory. The fragment below, from the loader's validation of the payload it is about to load, checks the DOS signature before going further ($ZzPath, the path of the dropped payload, is set elsewhere in the script and is not shown):

```powershell
# Read the dropped payload into memory ($ZzPath is defined earlier in the script)
[Byte[]]$bytes = [System.IO.File]::ReadAllBytes($ZzPath);
# Patch one byte of the DOS header (offset 10, e_minalloc) in the in-memory copy before loading
$bytes[10] = 0x1f;
# The first two bytes of a valid PE image are the DOS signature "MZ"
$e_magic = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 2);
if ($e_magic -ne 'MZ') {
    throw 'PE is not a valid PE file.'
}
```
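Both the export table above and the loader's "MZ" check come down to walking the PE headers. The following Python is an added example, not the wrapper's or the loader's own code, that performs that walk on raw bytes: it validates the DOS and PE signatures, locates the export directory through the optional header's data directory (handling both PE32 and PE32+), maps RVAs to file offsets through the section table, and lists each export's ordinal, RVA, name RVA and name in the same columns as the table above. It then flags ServiceMain and SvchostPushServiceGlobals, the standard exports of an svchost-hosted service DLL. Because no real sample can be embedded here, build_sample_dll constructs a minimal PE32+ image carrying the three export names from the table; the DLL name wrapper.dll and the image layout are made up and the image is not loadable.

```python
import struct

# Exports that mark a DLL as loadable by svchost.exe as a service DLL.
SERVICE_DLL_EXPORTS = {"ServiceMain", "SvchostPushServiceGlobals"}


def parse_exports(data: bytes) -> list[dict]:
    """Return the export table of a PE image as a list of
    {ordinal, rva, name_rva, name} dicts, sorted by ordinal."""
    if data[:2] != b"MZ":                       # DOS header signature
        raise ValueError("not a PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)      # NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    opt = e_lfanew + 24                         # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    dd_off = {0x10B: 96, 0x20B: 112}[magic]     # DataDirectory offset: PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, opt + dd_off)  # entry 0 = exports
    if exp_rva == 0:
        return []                               # the image exports nothing

    sections = []                               # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from(
            "<IIII", data, opt + size_opt + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstring(rva: int) -> str:
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    d = rva2off(exp_rva)
    # Skip Characteristics, TimeDateStamp, Major/MinorVersion and Name (16 bytes).
    base, nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<IIIIII", data, d + 16)
    funcs = struct.unpack_from(f"<{nfuncs}I", data, rva2off(funcs_rva))
    names = struct.unpack_from(f"<{nnames}I", data, rva2off(names_rva))
    ords = struct.unpack_from(f"<{nnames}H", data, rva2off(ords_rva))
    # AddressOfNameOrdinals holds indexes into AddressOfFunctions; the
    # exported ordinal is that index plus Base.
    table = [{"ordinal": base + idx, "rva": funcs[idx],
              "name_rva": nrva, "name": cstring(nrva)}
             for nrva, idx in zip(names, ords)]
    return sorted(table, key=lambda e: e["ordinal"])


def service_dll_indicators(table: list[dict]) -> list[str]:
    """Names from the table that identify an svchost-hosted service DLL."""
    return sorted(SERVICE_DLL_EXPORTS & {e["name"] for e in table})


def build_sample_dll(exports: list[tuple[int, str]]) -> bytes:
    """Constructed sample: a minimal PE32+ image whose only section is an
    export table. Not a real DLL and not loadable; it exists so the parser
    can be exercised offline. exports = [(function RVA, name), ...]."""
    e_lfanew, sec_va, sec_raw = 0x40, 0x1000, 0x200
    n = len(exports)
    funcs_rva = sec_va + 40                     # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    dllname_rva = ords_rva + 2 * n
    strings = b"wrapper.dll\0"                  # made-up DLL name
    name_rvas = []
    for _, name in exports:
        name_rvas.append(dllname_rva + len(strings))
        strings += name.encode() + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1,
                             n, n, funcs_rva, names_rva, ords_rva)
    section = (export_dir
               + b"".join(struct.pack("<I", rva) for rva, _ in exports)
               + b"".join(struct.pack("<I", r) for r in name_rvas)
               + b"".join(struct.pack("<H", i) for i in range(n))
               + strings).ljust(sec_raw, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")            # PE32+ magic, rest zero
    opt += struct.pack("<II", sec_va, len(section))             # DataDirectory[0] = exports
    opt = opt.ljust(240, b"\0")
    sec_hdr = b".edata".ljust(8, b"\0") + struct.pack(
        "<IIII", len(section), sec_va, len(section), sec_raw) + b"\0" * 16
    headers = (dos + coff + opt + sec_hdr).ljust(sec_raw, b"\0")
    return headers + section


if __name__ == "__main__":
    sample = build_sample_dll([(0x1000, "GetWindowTextInfo"),
                               (0x1ED0, "ServiceMain"),
                               (0x1F10, "SvchostPushServiceGlobals")])
    table = parse_exports(sample)
    for e in table:
        print(f"{e['ordinal']:>3} | {e['rva']:#010x} | {e['name_rva']:#010x} | {e['name']}")
    print("service-DLL exports:", service_dll_indicators(table))
```

Run against a real file with `parse_exports(open(path, "rb").read())`; the RVAs and name RVAs will then be the ones in the binary, as in the table above, rather than the constructed sample's. Note that the presence of ServiceMain and SvchostPushServiceGlobals only says the DLL can be hosted by svchost.exe; it is the combination with a changed TermService service DLL or the other indicators on this page that makes it suspicious.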
By enabling remote desktop access, attackers can exfiltrate sensitive data, conduct lateral movement within networks, and maintain persistent access.
To mitigate these risks, organizations should disable Remote Desktop where it is not needed, monitor for registry changes that enable it (fDenyTSConnections being set to 0) and for newly created local accounts, especially ones added to the Administrators group, and use endpoint detection tools capable of identifying obfuscated malware. Applying security patches and updates promptly remains essential to overall system security.