Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT
Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced Persistent Threat (APT) group, deploying intricately crafted PowerShell payloads to deliver the XWorm Remote Access Trojan (RAT).
This operation showcases the group’s advanced tactics, leveraging encoded scripts and multi-stage attack chains to infiltrate systems, bypass traditional security mechanisms, and establish covert remote control over compromised networks.
The campaign, characterized by its stealth and obfuscation, targets victims with the intent of data exfiltration and persistent access, often evading detection through fileless execution and Living-off-the-Land Binaries and Scripts (LOLBAS) techniques.

Sophisticated Multi-Stage Malware Campaign
The attack begins with Base64-encoded PowerShell scripts acting as initial vectors, which, upon decoding, reveal a complex sequence of malicious activities.
According to the report, these scripts download a variety of files, including RAR archives, executable binaries such as orwartde.exe, and additional PowerShell scripts disguised as innocuous text files, all from a single malicious IP address.
Both Kimsuky’s APT payloads and the XWorm RAT components are retrieved from IPs identified as 185.235.128.114 and 92.119.114.128, establishing active command-and-control (C2) communication for fetching further payloads and exfiltrating sensitive data.
A notable tactic is the use of inline C# code within PowerShell to hide terminal windows via the Win32 API function ShowWindow, keeping malicious processes invisible to users.
Additionally, the campaign employs deceptive measures such as downloading decoy PDF files to distract victims while background processes execute payloads such as eworvolt.exe and enwtsv.exe, often run multiple times to ensure successful deployment or to trigger distinct malware stages.

Payload Delivery Tactics
The final stage involves dynamically renaming and executing scripts with ExecutionPolicy Bypass to maintain persistence, alongside tactics such as disabling Windows Event Logging, which map to MITRE ATT&CK defense-evasion techniques.
Further intricacies in the attack chain include the extraction of password-protected archives using tools such as UnRAR.exe, followed by delayed execution to synchronize multi-step processes.
The extracted content, often payloads hidden within files such as ov_er15z.txt, is executed via Invoke-Expression, marking the critical point of compromise at which the core malicious intent, be it remote access, keylogging, or information theft, is unleashed.
This campaign’s reliance on obfuscation, non-standard data encoding for C2 communication, and extensive use of system binaries for discovery and execution highlights the evolving sophistication of Kimsuky’s operations in targeting high-value entities, potentially bypassing hypervisors to gain RDP access to victims’ actual IP addresses.
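A defender-side way to surface the behaviours described above in process-creation telemetry, written here as an added example that is not part of the report: it decodes -EncodedCommand arguments (UTF-16LE, then Base64) from PowerShell command lines and flags the Invoke-Expression, ExecutionPolicy Bypass, Add-Type/ShowWindow, UnRAR.exe and C2-IP patterns named in the article. The sample command lines and the regexes are constructed for illustration and are not the report's own detection content.

```python
import base64
import re
from typing import List, Optional
# Watch-list built from the techniques the article describes; each regex maps to a label.
SUSPICIOUS = {
    "invoke-expression": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
    "execution-policy-bypass": re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I),
    "showwindow-via-addtype": re.compile(r"Add-Type.*ShowWindow", re.I | re.S),
    "unrar-extraction": re.compile(r"\bUnRAR\.exe\b", re.I),
    "known-c2-ip": re.compile(r"\b(185\.235\.128\.114|92\.119\.114\.128)\b"),
}
# -EncodedCommand (or one of its short aliases) followed by a Base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if the line carries none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: report "not decodable" instead of crashing

def classify(cmdline: str) -> List[str]:
    """Labels of every watch-list technique found in the raw command line and, when
    present, in its decoded payload; an empty list means nothing matched."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        text += "\n" + decoded
    return sorted(label for label, rx in SUSPICIOUS.items() if rx.search(text))

# Constructed sample process-creation command lines (not taken from the report).
SAMPLE_LOGS = [
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
    + encode_powershell("Invoke-Expression (Get-Content ov_er15z.txt)"),
    "powershell.exe -w hidden -enc "
    + encode_powershell("$c2 = 'http://92.119.114.128/'; Add-Type -MemberDefinition $def "
                        "-Name Win32; [Win32]::ShowWindow($h, 0)"),
    "powershell.exe -Command Get-ChildItem C:\\Users",
]
if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line) or "clean", "<-", line[:60])
```

Feed it the CommandLine field of Sysmon Event ID 1 or Windows 4688 events; a hit on the decoded payload rather than the raw line is what the Base64 obfuscation is meant to hide.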

Indicators of Compromise (IOCs)

| Indicator Type | Value |
|---|---|
| C2 IP Address | 185.235.128.114 |
| C2 IP Address | 92.119.114.128 |