New Httptroy Backdoor Poses As VPN Invoice In Targeted Cyberattack...

The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea.

Gen Digital, which disclosed details of the activity, did not reveal any details on when the incident occurred, but noted that the phishing email contained a ZIP file ("250908_A_HK이노션_SecuwaySSL VPN Manager U100S 100user_견적서.zip"), which masqueraded as a VPN invoice to distribute malware capable of file transfer, capturing screenshots, and executing arbitrary commands.

"The chain has three steps: a small dropper, a loader called MemLoad, and the final backdoor, named 'HttpTroy,'" security researcher Alexandru-Cristian Bardaș said.

Present within the ZIP archive is a SCR file of the same name, opening which triggered the execution chain, starting with a Golang binary containing three embedded files, including a decoy PDF document that's displayed to the victim to avoid raising any suspicion.

Also launched simultaneously in the background is MemLoad, which is responsible for setting up persistence on the host by means of a scheduled task named "AhnlabUpdate," an attempt to impersonate AhnLab, a South Korean cybersecurity company, and decrypt and execute the DLL backdoor ("HttpTroy").

The implant allows the attackers to gain complete control over the compromised system, enabling file upload/download, screenshot capture, command execution with elevated privileges, in-memory loading of executables, reverse shell, process termination, and trace removal. It communicates with the command-and-control (C2) server ("load.auraria[.]org") over HTTP POST requests.

"HttpTroy employs multiple layers of obfuscation to hinder analysis and detection," Bardaș explained. "API calls are concealed using custom hashing techniques, while strings are obfuscated through a combination of XOR operations and SIMD instructions. Notably, the backdoor avoids reusing API hashes and strings. Instead, it dynamically reconstructs them during runtime using varied combinations of arithmetic and logical operations, further complicating static analysis."

The findings come as the cybersecurity vendor also detailed a Lazarus Group attack that led to the deployment of Comebacker and an upgraded version of its BLINDINGCAN (aka AIRDRY or ZetaNile) remote access trojan. The attack targeted two victims in Canada and was detected in the "middle of the attack chain," it added.

While the exact i

Source: The Hacker News