A previously unknown malware first discovered in 2021 persists and is still being actively updated. It is now named “HappyDoor” because the string “happy” appears in several places in its code, and it combines backdoor functionality with data theft capabilities.
Hardcoded version information within the malware binary suggests continuous patching by the attackers, potentially to bypass security measures.
Method of Distribution:
The Kimsuky group distributes malware, including AppleSeed and HappyDoor, through spear-phishing emails whose attachments are compressed files containing a JScript file or a dropper.
When executed, the JScript creates and opens a legitimate decoy file, then decodes and runs a malicious backdoor (HappyDoor or AppleSeed) depending on the execution argument.
The argument includes an asterisk (*) and behaves differently depending on the specific string following the asterisk, which allows Kimsuky to distinguish between the different backdoors and potentially to use HappyDoor for the initial infection.
HappyDoor malware has been actively developed since its first discovery in 2021. Researchers observed continuous updates, with versions released at least monthly between December 2023 and February 2024.
Execution arguments, introduced in version 4.1 (May 2023), determine how the malware behaves and follow the pattern “install*” for initial execution, “init*” after setup, and “run*” for malicious actions, although the latest versions use obfuscated random strings in place of the initial “install*”.
The malware stores its configuration data in two registry paths that mimic legitimate software settings. The “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\IfChar” value stores encrypted information, including a backdoor encryption switch, data collection intervals, and screenshot resolutions.
The “HKEY_CURRENT_USER\Software\Microsoft\FTP\Use Https” value stores a randomly generated user ID used for packet authentication and a variable number of C&C server addresses used for exfiltrating stolen data and for remote control.
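The two registry values named above are the most concrete host-based indicators in the report, so a responder will want a quick way to check for them. The following PowerShell script is an added example for this page, not code from the article or from AhnLab: it reads both values for the current user, reports their type and size, and flags anything that looks like an opaque blob rather than a small setting. The paths and value names come from the report; the “binary or longer than 8 bytes” heuristic is this script’s own assumption and should be compared against a clean baseline machine, since the malware deliberately picks locations that look like legitimate software settings.

```powershell
# Added example (not from the article or AhnLab's report): check the two registry
# values the report names as HappyDoor configuration stores for the current user.
# Assumption: paths and value names are exactly as quoted in the report; the
# "suspicious" heuristic below is this script's own, not something the report states.

$indicators = @(
    [pscustomobject]@{ Path = 'HKCU:\SOFTWARE\Microsoft\Notepad'; Name = 'IfChar'
                       Role = 'encrypted settings (encryption switch, collection intervals, screenshot resolution)' },
    [pscustomobject]@{ Path = 'HKCU:\Software\Microsoft\FTP';     Name = 'Use Https'
                       Role = 'user ID and C&C server list' }
)

$findings = foreach ($i in $indicators) {
    if (-not (Test-Path -Path $i.Path)) { continue }
    $key = Get-Item -Path $i.Path
    if ($key.GetValueNames() -notcontains $i.Name) { continue }

    $kind = $key.GetValueKind($i.Name)
    $data = $key.GetValue($i.Name)

    # Normalise the stored data to bytes so a length can be reported for any value kind.
    $bytes = switch ($kind.ToString()) {
        'Binary' { [byte[]]$data }
        'DWord'  { [BitConverter]::GetBytes([int]$data) }
        'QWord'  { [BitConverter]::GetBytes([long]$data) }
        default  { [Text.Encoding]::Unicode.GetBytes([string]$data) }
    }

    [pscustomobject]@{
        Path       = $i.Path
        Name       = $i.Name
        Kind       = $kind
        Length     = $bytes.Length
        Role       = $i.Role
        # Heuristic (assumption): a genuine setting under these names would be a small
        # scalar; an opaque blob of more than a few bytes deserves a closer look.
        Suspicious = ($kind.ToString() -eq 'Binary' -or $bytes.Length -gt 8)
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    $findings | Where-Object Suspicious | ForEach-Object {
        Write-Warning ('Review {0}\{1}: {2} bytes of {3} data ({4})' -f
            $_.Path, $_.Name, $_.Length, $_.Kind, $_.Role)
    }
} else {
    Write-Output 'Neither registry value is present for the current user.'
}
```

The script only looks at the HKCU hive of the account running it; on a shared machine, load each profile’s NTUSER.DAT under HKU and repeat the check there. A hit on the value alone is not proof of infection, so treat a suspicious result as a trigger to pull the binary that writes the value and the process that reads it.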
It communicates with its C&C server over HTTP using three packet types: the first authenticates with the server.
The second leaks information such as screenshots and keystrokes by sending data chunks and file information to the server, and the third enables remote control by exchanging commands with the server.
HappyDoor uses a custom packet structure for communication with its server. The packet is 0x40 bytes long and relies on five verification fields for authentication: the first four bytes are random, followed by three bytes presumed to hold the version.
A randomly generated user ID and a fixed signature value come next. The final section holds a packet type indicator (connection check, data transfer, or backdoor), file information (for data transfers), or a backdoor command ID, and server responses are validated against the same verification fields.
According to AhnLab, HappyDoor is a multifaceted information stealer with backdoor capabilities: it can capture screenshots, keystrokes, files, and audio recordings, and it collects information about the system and about the malware itself.
It can also be instructed to perform various actions remotely, including running commands, uploading/downloading files, and modifying its configuration. Stolen information is encrypted with RSA and RC4 before being exfiltrated to the attacker’s server.