North Korea's Kimsuky Doubles Down on Remote Desktop Control

Published: 23/11/2024   Category: security


The sophisticated APT employs various tactics to abuse Windows and other built-in protocols with both custom and public malware to take over victim systems.



North Korea's Kimsuky advanced persistent threat (APT) continues to evolve its attack methods and grow in sophistication, expanding its ability to control victims' systems with the use of legitimate system remote-desktop tools and novel custom malware in its latest attacks.
The threat group — one of several that work at the behest of North Korean Supreme Leader Kim Jong-Un — recently has been spotted abusing Remote Desktop Protocol (RDP) and other tools that allow it to remotely take over targeted systems, even installing open source software in an environment if RDP is not present, researchers from South Korea's AhnLab revealed in a blog post on Oct. 18.
The Kimsuky threat group is continuously abusing RDP to obtain control over infected systems and exfiltrate information, according to the post by the AhnLab Security Response Center. RDP can also be used in the initial access process, via brute force and dictionary attacks, or during lateral movement.
Kimsuky, active since 2013 and conducting cyber espionage on behalf of Jong-Un's regime, is also evolving tactics beyond this protocol to gain remote control of compromised desktop systems in recent attacks, according to the researchers.
In addition to RDP abuse, the group is wielding the open-source virtual network computing (VNC) tool TightVNC, which is similar to RDP in that it's a screen-sharing system for remote control of other computers. In some cases, the group even tapped Chrome Remote Desktop, which is supported by the Google Chrome browser, to control infected systems, the researchers said.
Overall, recent attacks show Kimsuky continuing to use spear phishing as its initial method of access, compromising systems with BabyShark, its oft-used custom malware for persistence and the collection of system info, before moving on to install other custom-built and open source malware.
The group also has added new post-compromise malware to its arsenal, leveraging RevClient to receive commands from its command-and-control (C2) server to add user accounts to a victim's system, and the public malware TinyNuke, a banking Trojan.
As is typical, the ultimate goal after gaining control of systems is to steal internal information and technology from its targets, which are typically in the research, defense, diplomatic, and academic sectors in South Korea but also in other countries that are of political or strategic interest to the regime.
One particularly interesting bit of novel RDP functionality that Kimsuky has been seen wielding recently is the ability to support multiple RDP sessions on a Windows system — something that the Windows desktop OS natively does not allow.
Ordinarily in Windows desktop environments, only one session is supported when connecting via RDP, unlike on servers, according to the post. Because only one session is supported per system, even when the user accounts are different, the existing user's session is terminated when the threat actor remotely connects to the system.
In previous attacks, Kimsuky used Mimikatz and other malware to patch the memory of the currently running RDP service process to bypass the single-session limit. However, in recent attacks, the group now is using malware named multiple.exe to support multiple-session RDP, as well as to add user accounts for further control.
The novel malware RevClient that the group deploys in recent attacks also has features similar to multiple.exe but implements the multiple-session capability in a different way, according to the researchers. Kimsuky also is leveraging RevClient to receive commands from C2 to perform user account-related tasks as part of its overall control of a compromised system.
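The two behaviours described above give defenders something concrete to watch for on workstations: more than one concurrent RDP session on a desktop OS, and a user account created from within an RDP session. The following detection script is an added example, not code from AhnLab or this article; it runs over a constructed, simplified rendering of Windows Security log events (4624 logon type 10 = RDP logon, 4634/4647 = logoff, 4720 = account created), and the field names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not from the article). "logon_id" on a 4624/4634
# event is the session's Logon ID; on a 4720 event it is the Subject Logon ID,
# i.e. the session that performed the account creation.
SAMPLE_EVENTS = [
    {"host": "WS01", "id": 4624, "user": "alice", "logon_type": 10, "logon_id": "0x1a2b", "ts": 1},
    {"host": "WS01", "id": 4720, "user": "support", "logon_id": "0x1a2b", "ts": 2},
    {"host": "WS01", "id": 4624, "user": "support", "logon_type": 10, "logon_id": "0x3c4d", "ts": 3},
    {"host": "WS01", "id": 4634, "logon_id": "0x1a2b", "ts": 4},
    {"host": "WS02", "id": 4624, "user": "bob", "logon_type": 2, "logon_id": "0x5e6f", "ts": 5},
]


def analyze(events, workstation_hosts):
    """Return findings for desktop hosts: (kind, host, detail, timestamp).

    kind is "multi_session_rdp" when a second RDP session becomes active while
    another is still live (a desktop OS normally allows only one), or
    "account_created_over_rdp" when a 4720 is issued from a live RDP session.
    """
    active = defaultdict(dict)  # host -> {logon_id: user} for live RDP sessions
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if host not in workstation_hosts:
            continue  # servers legitimately allow multiple sessions; skip them
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            active[host][ev["logon_id"]] = ev["user"]
            if len(active[host]) > 1:
                findings.append(("multi_session_rdp", host,
                                 sorted(active[host].values()), ev["ts"]))
        elif ev["id"] in (4634, 4647):
            active[host].pop(ev.get("logon_id"), None)
        elif ev["id"] == 4720 and ev.get("logon_id") in active[host]:
            findings.append(("account_created_over_rdp", host, ev["user"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, {"WS01", "WS02"}):
        print(finding)
```

In practice the host set would come from an asset inventory and the events from a SIEM export; the correlation logic is unchanged.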
With lines beginning to blur between Kimsuky and other North Korea-sponsored groups like Lazarus as they organize and align to share tools and tactics, it's important that organizations do what they can to protect themselves against these evolving threats, according to AhnLab.
RDP is an especially sensitive attack surface because it's one of the services that come pre-installed on Windows systems, demanding adequate management to detect or prevent such compromises.
To do this, users should refrain from opening attachments in suspicious emails, and when installing external software should only purchase or download it from official websites, the researchers noted. Desktop users also should set complex passwords for their accounts and change them periodically to reduce the chance that they can be brute-forced.
Updating to the latest and most secure versions of the Windows OS and employing endpoint security products as well as sandbox-based APT solutions can also help protect systems against cyberattacks.
