2024-07-18

HappyDoor Malware's Continuous Development by Kimsuky

Level: Tactical  |  Source: ASEC  |  Global


The evolving threat posed by the HappyDoor malware, attributed to the North Korean threat actor group Kimsuky (aka Black Banshee, Emerald Sleet, Springtail, THALLIUM, Velvet Chollima), is detailed in a report by AhnLab Security Intelligence Center (ASEC). First identified in 2021, HappyDoor has received continuous updates, with the latest version observed in January 2024. The name "Happy" comes from strings found in its debug data, and the malware has been maintained and updated regularly. HappyDoor functions both as an information stealer and as a backdoor. It can capture screenshots, log keystrokes, exfiltrate files, gather information from connected devices, record audio, and extract files from Android devices. Stolen data is encrypted using RSA and RC4 keys before exfiltration, and the backdoor component lets the operators maintain access and control over the host.

HappyDoor is typically distributed via spear-phishing emails whose attachments deploy the malware. The infection chain begins with a JavaScript file that executes PowerShell commands; these use certutil to decode a base64-encoded HappyDoor payload, which is then executed via regsvr32.exe, since HappyDoor "is ultimately a DLL." For persistence, the malware creates a scheduled task that re-executes HappyDoor every five minutes.

Kimsuky operators also use additional tools to secure their access, including ngrok for proxy tunneling, Chrome Remote Desktop, and RDP Wrapper. HappyDoor's configuration data, including command and control (C2) server addresses and encryption keys, is stored in the Windows registry under Notepad and FTP entries.
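The chain described above (script host, PowerShell, certutil -decode, regsvr32 of the decoded DLL, and a five-minute scheduled task) is a good candidate for process-lineage correlation in a SIEM. The following is an added example written for this page, not code from ASEC or from the malware: it runs a small correlation over constructed Sysmon-like process-creation events. The event shape, field names, file paths, and task name are all assumptions made for the example; the detection idea is to tie the DLL that regsvr32 loads back to the output path of a certutil -decode in a lineage that passes through PowerShell and a script host, so that an administrator decoding a certificate with certutil is not flagged.

```python
"""
Added example (not from the ASEC report or from HappyDoor itself): correlate
process-creation events to flag a HappyDoor-style infection chain:
  script host -> powershell -> certutil -decode -> regsvr32 <decoded DLL>
plus a schtasks entry that re-runs the same DLL on a minute interval.
All events, paths and names below are constructed for this example.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# certutil [-|/]decode <input> <output>
DECODE_RE = re.compile(r"certutil(?:\.exe)?\s+[-/]decode\s+(\S+)\s+([^\s;]+)", re.I)
# regsvr32 [/s ...] <path>.dll
REGSVR_RE = re.compile(r"regsvr32(?:\.exe)?\s+(?:/\w+\s+)*([^\s;\"]+\.dll)", re.I)
# schtasks ... /sc minute /mo <n>
SCHTASK_RE = re.compile(r"schtasks.*?/sc\s+minute\s+/mo\s+(\d+)", re.I)

# Constructed sample events in a Sysmon-like shape (hypothetical paths/names).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invite.js"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c certutil -decode "
                r"C:\Users\u\AppData\Local\Temp\h.txt C:\ProgramData\h.dll; "
                r"regsvr32.exe /s C:\ProgramData\h.dll"},
    {"pid": 400, "ppid": 300, "image": "certutil.exe",
     "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\h.txt C:\ProgramData\h.dll"},
    {"pid": 500, "ppid": 300, "image": "regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\h.dll"},
    {"pid": 600, "ppid": 500, "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "Update" '
                r'/tr "regsvr32.exe /s C:\ProgramData\h.dll" /f'},
    # Benign noise: an administrator decoding a certificate with certutil.
    {"pid": 700, "ppid": 100, "image": "certutil.exe",
     "cmdline": r"certutil -decode C:\certs\server.b64 C:\certs\server.cer"},
]


def ancestors(events, pid):
    """Return the process and its parents, child first, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def decoded_outputs(events):
    """Map the lowercased output path of every certutil -decode to its event."""
    out = {}
    for e in events:
        m = DECODE_RE.search(e["cmdline"])
        if m:
            out[m.group(2).lower()] = e
    return out


def find_happydoor_chains(events):
    """Flag regsvr32 loads of a certutil-decoded DLL reached via PowerShell from a script host."""
    findings = []
    decoded = decoded_outputs(events)
    for e in events:
        if e["image"].lower() != "regsvr32.exe":
            continue
        m = REGSVR_RE.search(e["cmdline"])
        if not m:
            continue
        dll = m.group(1).lower()
        if dll not in decoded:
            continue  # regsvr32 of something certutil did not produce: ignore
        lineage = [a["image"].lower() for a in ancestors(events, e["pid"])]
        via_powershell = "powershell.exe" in lineage
        from_script = any(h in lineage for h in SCRIPT_HOSTS)
        if via_powershell and from_script:
            findings.append({"pid": e["pid"], "dll": dll, "lineage": lineage})
    return findings


def find_persistence(events, dll):
    """Scheduled tasks that re-run the given DLL on a minute interval: (pid, minutes)."""
    hits = []
    for e in events:
        m = SCHTASK_RE.search(e["cmdline"])
        if m and dll in e["cmdline"].lower():
            hits.append((e["pid"], int(m.group(1))))
    return hits


if __name__ == "__main__":
    for f in find_happydoor_chains(SAMPLE_EVENTS):
        print("suspicious regsvr32 load:", f)
        print("persistence tasks:", find_persistence(SAMPLE_EVENTS, f["dll"]))
```

The correlation key is the decoded output path, so a lone certutil -decode (common in administrative scripts) does not fire on its own; only the combination of decode, regsvr32 load of that exact file, and a PowerShell-under-script-host lineage does. In production the same logic would read real process-creation telemetry and the regexes would need to tolerate quoting and short-name paths.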

HappyDoor communicates with its C2 servers using a custom packet structure over which stolen data is exfiltrated. The same channel carries backdoor tasking, including command execution and file upload, supporting Kimsuky's cyber espionage objectives. Its continuous development indicates that HappyDoor remains a key tool in Kimsuky's arsenal.
