
"The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea. Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip"), which masqueraded as a VPN invoice to distribute malware capable of file transfer, capturing screenshots, and executing arbitrary commands."
"'The chain has three steps: a small dropper, a loader called MemLoad, and the final backdoor, named "HttpTroy,"' security researcher Alexandru-Cristian Bardaș said. Present within the ZIP archive is a SCR file of the same name, opening which triggered the execution chain, starting with a Golang binary containing three embedded files, including a decoy PDF document that's displayed to the victim to avoid raising any suspicion."
A spear-phishing ZIP file named "250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip" masqueraded as a VPN invoice and delivered an SCR file that initiated the execution chain. The chain consists of a small dropper, a loader called MemLoad, and the HttpTroy DLL backdoor. The Golang dropper contains three embedded files, including a decoy PDF that is displayed to the victim. MemLoad establishes persistence via a scheduled task named "AhnlabUpdate", then decrypts and executes the HttpTroy backdoor. HttpTroy supports file upload and download, screenshot capture, elevated command execution, in-memory executable loading, a reverse shell, process termination, and trace removal. The backdoor communicates with load.auraria[.]org over HTTP POST and uses custom API hashing plus XOR- and SIMD-based string obfuscation.
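The summary above gives a defender three concrete hunting hooks: an SCR lure launched from a user-writable path, a scheduled task named "AhnlabUpdate" created for persistence, and HTTP POST traffic to load.auraria[.]org. The following Python is an added example, not code from Gen Digital or The Hacker News, that turns those three indicators into simple detection checks and runs them over a handful of constructed log lines. The key=value log format, host names, user names and paths in the samples are assumptions made for the example; only the task name and the C2 domain come from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators quoted in the report summary (the C2 domain is published defanged).
PERSISTENCE_TASK = "AhnlabUpdate"
C2_DOMAIN_DEFANGED = "load.auraria[.]org"


def refang(indicator: str) -> str:
    """Turn a defanged hostname such as load.auraria[.]org into a matchable one."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)

# Minimal key=value parser for the constructed log lines; values containing
# spaces are double-quoted in the samples.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict[str, str]:
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


@dataclass
class Finding:
    rule: str
    detail: str


def task_leaf_name(fields: dict[str, str]) -> str:
    """Scheduled task names are logged as paths (\\Folder\\Name); keep only the leaf."""
    return fields.get("TaskName", "").rsplit("\\", 1)[-1]


def check_line(line: str) -> list[Finding]:
    f = parse_kv(line)
    findings: list[Finding] = []

    # Rule 1: scheduled-task creation (Windows Security event 4698, assumed format)
    # using the persistence name the report attributes to MemLoad.
    if f.get("EventID") == "4698" and task_leaf_name(f).lower() == PERSISTENCE_TASK.lower():
        findings.append(Finding(
            "persistence-task",
            f"task {f['TaskName']} created by {f.get('SubjectUserName', '?')} on {f.get('Computer', '?')}",
        ))

    # Rule 2: outbound HTTP POST to the reported C2 host (HttpTroy talks over POST).
    if f.get("method", "").upper() == "POST" and refang(f.get("host", "")) == C2_DOMAIN:
        findings.append(Finding("c2-post", f"{f.get('src', '?')} -> {f['host']}{f.get('uri', '')}"))

    # Rule 3: a screensaver executable started from a user-writable directory
    # (the lure was an .scr inside a ZIP the user opened). Assumed Sysmon-style
    # process-creation event with EventID=1 and an Image field.
    image = f.get("Image", "")
    if (f.get("EventID") == "1" and image.lower().endswith(".scr")
            and re.search(r"\\(downloads|temp|appdata)\\", image, re.IGNORECASE)):
        findings.append(Finding("scr-from-user-path", image))

    return findings


def scan(lines: list[str]) -> list[tuple[int, Finding]]:
    """Run every rule over every line; returns (line index, finding) pairs in log order."""
    return [(i, fd) for i, line in enumerate(lines) for fd in check_line(line)]


# Constructed sample log lines (not real telemetry): one hit per rule plus two benign lines.
SAMPLE_LOGS = [
    r'EventID=1 Computer=WS01 User=CORP\jlee Image="C:\Users\jlee\Downloads\SecuwaySSL VPN Manager U100S 100user.scr" ParentImage="C:\Windows\explorer.exe"',
    r'EventID=4698 Computer=WS01 SubjectUserName=jlee TaskName=\AhnlabUpdate',
    r'EventID=4698 Computer=WS01 SubjectUserName=SYSTEM TaskName="\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"',
    r'ts=2025-01-01T10:00:00Z src=10.20.30.40 method=POST host=load.auraria.org uri=/ status=200 bytes=1432',
    r'ts=2025-01-01T10:00:05Z src=10.20.30.40 method=GET host=www.example.com uri=/ status=200 bytes=5120',
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOGS):
        print(f"line {idx}: [{finding.rule}] {finding.detail}")
```

Rule 2 matches only the exact host; in practice you would also flag any POST to a newly seen domain from a host that just created an unfamiliar scheduled task, since the domain is the indicator most likely to change between campaigns while the task name and the SCR-from-ZIP pattern are behavioural.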
Read at The Hacker News