Kimsuky Group’s New Backdoor (HappyDoor)

July 8, 2024, 7:26 p.m.

Description

This report provides a detailed analysis of HappyDoor, a new backdoor used by the Kimsuky threat group, which is known for targeting organizations with spear-phishing attacks. The malware employs techniques such as self-duplication, hidden execution paths, and encrypted communication to maintain persistence and evade detection. HappyDoor carries a range of malicious capabilities: information theft through keylogging, file exfiltration, and voice recording, as well as backdoor functionality that gives the operator remote control and code execution. The analysis covers the malware's distribution methods, execution flow, communication protocols, registry configurations, and a comprehensive list of its features.

Date

Published: July 8, 2024, 6:34 p.m.

Created: July 8, 2024, 6:34 p.m.

Modified: July 8, 2024, 7:26 p.m.

Indicators

uo.zosua.o-r.kr

syrsd.p-e.kr

on.ktspace.p-e.kr

jp.hyyeo.p-e.kr

go.ktspace.p-e.kr

aa.olixa.p-e.kr

ai.hyyeo.p-e.kr

Attack Patterns

HappyDoor

Kimsuky

T1124 (System Time Discovery)

T1136 (Create Account)

T1113 (Screen Capture)

T1573 (Encrypted Channel)

T1489 (Service Stop)

T1486 (Data Encrypted for Impact)

T1564 (Hide Artifacts)

T1105 (Ingress Tool Transfer)

T1083 (File and Directory Discovery)

T1592 (Gather Victim Host Information)

T1027 (Obfuscated Files or Information)

T1566 (Phishing)