Hackers prefer email attacks as they can easily target many users faster and at a very low cost.
Emails can be crafted to appear legitimate, which makes it easier for threat actors to deceive recipients into clicking malicious links, downloading infected attachments, or even disclosing sensitive information.
Cybersecurity researchers at ASEC recently discovered that North Korean hackers have been actively using the new “HappyDoor” malware used in email attacks.
North Korean ‘HappyDoor’ Malware
HappyDoor is a little-known piece of malware utilized by the Kimsuky group, first seen in 2021 and in action up to 2024.
It remains fresh with recent versions appended with a “happy” marker in version information and debug strings.
Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan
However, like other Kimsuky malicious software (examples include AppleSeed and AlphaSeed), spearphishing emails are employed to distribute HappyDoor, which usually arrives as obfuscated JScript or executable droppers in email attachments.
The thing that distinguishes it from other backdoors is the fact that it operates using specific execution arguments.
Recent instances indicate that Kimsuky’s initial backdoor installations frequently have HappyDoor as one of them, emphasizing its continued importance within their malware lineup.
HappyDoor malware, which was first discovered in 2021 and is active up to 2024, has been continually updated.
Recent samples (December 2023 to February 2024) show monthly patches. However, the malware hard-codes the version information.
.webp)
Execution arguments were introduced from version 4.1 (circa 2023), with operations divided based on these parameters.
The malware’s three stages of infection are ‘install*’ (initial execution), ‘init*’ (setup completion), and ‘run*’ (actual malicious actions).
Later, the argument “install*” was replaced with random strings for obfuscation. This shows how the evolution of this malware keeps being worked on and how attackers try to avoid detection.
HappyDoor operates via regsvr32.exe in three stages:-
This is a self-replicating, scheduler-registering information stealer which additionally permits backdooring.
.webp)
In terms of information theft, the malware has six key functions: screen capture, key logging, file leakage, and the use of the RSA encryption and decryption algorithm for data theft, as well as communication with C&C servers using HTTP.
HappyDoor saves encoded data in registry paths and uses an agreed packet structure to communicate with its peers.
The configuration in the registry controls the information-stealing capabilities of this malware, which works using multi-threads.
.webp)
Once stolen, it is held temporarily and then encrypted before transmission to the C&C server, where it’s destroyed. Other functions include gathering system details and executing certain commands meant for a backdoor.
Here below we have mentioned all the main functions:-
- SCREENSHOT(SSHT)
- KEYLOGGER(KLOG)
- FILEMON(FMON)
- ALARM(AUSB, AMTP)
- MICREC(MREC)
- MTPMON(MMTP)
HappyDoor is associated with the “Kimsuky” group which was linked to North Korea and uses this malware in spear-phishing attacks, installing additional tools for remote access, and data theft.
Researchers urged users to exercise caution with email attachments and update software to prevent infection.
IoC
MD5:-
- d9b15979e76dd5d18c31e62ab9ff7dae
- 4ef5e3ce535f84f975a8212f5630bfe8
- a1c59fec34fec1156e7db27ec16121a7
- c7b82b4bafb677bf0f4397b0b88ccfa2
- 0054bdfe4cac0cb7a717749f8c08f5f3
C&C Server Address:-
- hxxp://app.seoul.minia[.]ml/kinsa.php
- hxxp://users.nya[.]pub/index.php
- hxxp://go.ktspace.pe[.]kr/index.php
- hxxp://on.ktspace.pe[.]kr/index.php
- hxxp://aa.olixa.pe[.]kr/index.php
- hxxp://uo.zosua.or[.]kr/index.php
- hxxp://jp.hyyeo.pe[.]kr/index.php
- hxxp://ai.hyyeo.pe[.]kr/index.php
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free