PEBBLEDASH
PEBBLEDASH is a Windows backdoor and beaconing implant attributed to North Korean state activity. U.S. government (FBI/CISA) reporting identifies it as a HIDDEN COBRA malware variant used by the North Korean government; several vendors instead track it as a NukeSped variant historically associated with Lazarus and later adopted by Kimsuky. Vendor reporting also notes overlap with Lazarus-linked Manuscrypt, and Kimsuky has delivered PEBBLEDASH through multi-stage spear-phishing infection chains.
The U.S. government analysis describes a full-featured implant that uses FakeTLS for session authentication and traffic obfuscation, with RC4 encrypting post-handshake communications. Reported capabilities include downloading, uploading, deleting, and executing files; enabling Windows command-line access; creating and terminating processes; and performing target system enumeration. The analyzed sample resolves APIs at run time from obfuscated strings and hides its callback descriptors (IP address and ports) with a second custom XOR routine, so neither the network imports nor the C2 address appear in cleartext in the binary.
Within Kimsuky operations, PebbleDash is one of two major malware families delivered by droppers in JSE, PIF, SCR, and EXE formats, usually as spear-phishing attachments disguised as documents or installers. AhnLab and Kaspersky describe PebbleDash and AppleSeed as the persistent backdoors Kimsuky installs after initial compromise. Kimsuky has also built PebbleDash-based tools and variants, including HelloDoor, HttpMalice, MemLoad, and HttpTroy. Reported targeting covers South Korean public and private organizations, especially the defense, military, government, healthcare, and corporate sectors, with additional PebbleDash activity observed against defense-related entities in Brazil and Germany.
High-confidence indicators for the U.S. government-analyzed sample: C2 endpoint 112.217.108.138:443, MD5 d2de01858417fa3b580b3a95857847d5, and SHA256 aab2868a6ebc6bdee5bd12104191db9fc1950b30bcf96eab99801624651e77b6. Note that the C2 listens on 443, the port the FakeTLS scheme is built to blend into.
Vulnerabilities exploited
1 CVE has been correlated with this family across public research and vendor advisories.
Evidence (outline of a Kimsuky analysis report): 5.3. Privilege Escalation; 5.3.1. UACMe; 5.3.2. CVE-2021-1675 Vulnerability. The correlation rests on this report structure, which covers privilege escalation in the operators' toolkit (the UACMe UAC-bypass collection and CVE-2021-1675, the 2021 Windows Print Spooler vulnerability) rather than on an exploit embedded in PEBBLEDASH itself.
Groups observed using it
2 distinct threat actors attributed by public researchers: the HIDDEN COBRA/Lazarus cluster and Kimsuky (see the overview above).
A variant of this technique has been previously observed in the Pebbledash malware.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic (the per-tactic counts below sum to more than 21 because some techniques map to more than one tactic).
Initial Access (2 techniques)
Execution (5 techniques)
They then utilize a PowerShell script to create a scheduled task and register it for automatic execution.
It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Should the victim click anywhere on the page, a PowerShell command embedded within the HTML is executed to reach out to an external server and download a next-stage PowerShell payload.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (4 techniques; ATT&CK tactic: Defense Evasion)
The sample obfuscates strings used for API lookups using a custom XOR algorithm... The sample obfuscates its callback descriptors (IP address and ports) using a different custom XOR algorithm.
The sample performs dynamic DLL (dynamic link library) importing and application programming interface (API) lookups using LoadLibrary and GetProcAddress on obfuscated strings in an attempt to hide its usage of network functions.
Normally, malware strains believed to be attached to spear-phishing emails are disguised as document files. If a user runs the file, malware of this type opens the document that corresponds to the disguised file name and tricks the user into thinking that they have opened a normal file.
Credential Access (1 technique)
Discovery (1 technique)
This sample uses FakeTLS for session authentication and RC4 for network encoding. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.
Command and Control (6 techniques)
The sample utilizes a “FakeTLS” scheme in an attempt to obfuscate its network communications. The sample and the command and control (C2) externally appear to perform a standard TLS authentication, however, most of the fields used are filled with random data from rand().
They are both backdoors used by the Kimsuky group that can stay in the system and perform malicious behaviors by receiving commands from the attacker. Related sections of the same report: 3.3. C&C Communications Using Emails (Ping Thread (SMTP); Command Thread (IMAP)); 4.1.3. C&C Communications; 4.2.3. C&C Communications.
FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.
Through communication with a Dropbox and TCP socket-based C&C server, the group installs multiple malware and tools including PEBBLEDASH.
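How the FakeTLS handshake and the RC4-encoded traffic quoted above look on the wire, as an added example in Python; this is not code from the MAR, the implant or the C2. It assumes the layout of a minimal ClientHello/ServerHello whose Random, SessionID and suite fields are filler, a hypothetical RC4 key, and a fresh RC4 state per record; the MAR gives none of these details, so they are modelling assumptions rather than recovered implant behaviour. The anomaly checks are structural properties a genuine ClientHello has and rand()-filled fields usually lack.

```python
import os
import struct

TLS_HANDSHAKE, TLS_APPDATA = 0x16, 0x17
TLS_VERSION = b"\x03\x01"  # record-layer version used by the mock
# Abridged list of suites real browser/OS clients offer; rand()-filled
# suite bytes almost never land in it, which the suite check relies on.
KNOWN_SUITES = {0x1301, 0x1302, 0x1303, 0xC02B, 0xC02C, 0xC02F, 0xC030,
                0xCCA8, 0xCCA9, 0x009C, 0x009D, 0x002F, 0x0035}

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encrypt and decrypt are the same call."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def tls_record(ctype: int, body: bytes) -> bytes:
    """5-byte record header (type, version, length) plus body."""
    return bytes([ctype]) + TLS_VERSION + struct.pack(">H", len(body)) + body

def fake_client_hello(rng=os.urandom) -> bytes:
    """Implant side: framed like a ClientHello, but Random, SessionID and the
    suite list are filler, the rand() output the MAR describes."""
    suites = rng(8)                                # four 2-byte "suites"
    body = (b"\x03\x03" + rng(32)                  # client_version, Random
            + b"\x20" + rng(32)                    # 32-byte SessionID
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00"                          # one compression method: null
            + b"\x00\x00")                         # zero-length extensions
    return tls_record(TLS_HANDSHAKE, b"\x01" + len(body).to_bytes(3, "big") + body)

def fake_server_hello(rng=os.urandom) -> bytes:
    """C2 side: a ServerHello (type 2) built from the same kind of filler."""
    body = b"\x03\x03" + rng(32) + b"\x20" + rng(32) + rng(2) + b"\x00"
    return tls_record(TLS_HANDSHAKE, b"\x02" + len(body).to_bytes(3, "big") + body)

def app_record(key: bytes, plaintext: bytes) -> bytes:
    """Post-handshake traffic: RC4 ciphertext in an application_data record.
    A fresh RC4 state per record is this mock's assumption, not the MAR's."""
    return tls_record(TLS_APPDATA, rc4(key, plaintext))

def parse_records(stream: bytes) -> list[tuple[int, bytes]]:
    """Split a captured stream into (content_type, body) records; reject bytes
    whose header does not parse as a TLS record (for example plain HTTP)."""
    records, off = [], 0
    while off < len(stream):
        hdr = stream[off:off + 5]
        if len(hdr) < 5 or hdr[1:3] != TLS_VERSION:
            raise ValueError(f"not a TLS record at offset {off}")
        length = struct.unpack(">H", hdr[3:5])[0]
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record at offset {off}")
        records.append((hdr[0], body))
        off += 5 + length
    return records

def client_hello_anomalies(handshake: bytes) -> list[str]:
    """Structural checks a genuine ClientHello passes and rand()-filled
    fields usually fail. An empty list means nothing stood out."""
    if not handshake or handshake[0] != 0x01:
        return ["handshake type is not ClientHello"]
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    if len(body) < 35:
        return ["ClientHello body too short"]
    findings, sid_len = [], body[34]
    if sid_len > 32:
        findings.append(f"session_id length {sid_len} > 32")
    p = 35 + sid_len
    suite_len = struct.unpack(">H", body[p:p + 2])[0]
    if suite_len % 2:
        findings.append("odd cipher_suites length")
    suites = [struct.unpack(">H", body[p + 2 + i:p + 4 + i])[0]
              for i in range(0, suite_len - suite_len % 2, 2)]
    def grease(s):  # GREASE values (0x0A0A, 0x1A1A, ...) are legitimate unknowns
        return (s >> 8) == (s & 0xFF) and (s & 0x0F) == 0x0A
    unknown = [s for s in suites if s not in KNOWN_SUITES and not grease(s)]
    if unknown:
        findings.append(f"{len(unknown)} of {len(suites)} offered suites are not ones real clients send")
    comp_off = p + 2 + suite_len
    if len(body[comp_off + 1 + body[comp_off]:]) <= 2:
        findings.append("no extensions (no SNI, ALPN or supported_versions)")
    return findings

def decrypt_c2(stream: bytes, key: bytes) -> list[bytes]:
    """Walk a capture and RC4-decrypt every application_data record."""
    return [rc4(key, b) for t, b in parse_records(stream) if t == TLS_APPDATA]

if __name__ == "__main__":  # mock exchange: implant -> C2 -> implant
    key = b"hypothetical-rc4-key"
    cap = fake_client_hello() + fake_server_hello() + app_record(key, b"cmd /c whoami")
    print(client_hello_anomalies(parse_records(cap)[0][1]), decrypt_c2(cap, key))
```

Two practical points follow from the mock. First, a record-layer parser sees nothing wrong: the framing is valid TLS, which is the whole purpose of the scheme and why port 443 plus "looks like TLS" is not a sufficient allow rule. The anomalies only show up one layer down, in handshake fields that a real client fills with structured values (registered suites, extensions carrying SNI and supported_versions) and the implant fills with rand(). Second, RC4 is symmetric and has no integrity check, so once a key is recovered from the binary the whole capture decrypts offline with the same call in both directions.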
Exfiltration (1 technique)
The findings also dovetail with spear-phishing campaigns orchestrated by Kimsuky to target government agencies in South Korea by delivering a stealer malware capable of establishing command-and-control (C2 or C&C) communications and exfiltrating files, web browser data, and cryptocurrency wallet information.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in two classes; the values stated explicitly on this page are the C2 endpoint and the two hashes in the overview.
Network: IPs, domains, and DNS infrastructure linked to this family.
Files: hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Malware family for which Kimsuky is deploying variants in recent campaigns.
A malware family used by Kimsuky and delivered through multiple dropper formats. Its variants include HelloDoor and HttpMalice, and the cluster demonstrates advanced remote control capabilities.
Kimsuky targets organizations with PebbleDash-based tools
PebbleDash is referenced as the malware/tool family underlying newly disclosed tools used by Kimsuky.