CoreDN

Malware

⚠️ Overview

CoreDN is a backdoor malware family first documented in October 2023 by Unit 42 of Palo Alto Networks, attributed to the North Korean threat group tracked as Kimsuky (APT43). It is classified as a lightweight remote access trojan (RAT) used for initial access, reconnaissance, and staging additional payloads in espionage campaigns targeting government, military, and academic entities in South Korea and the United States.

🔧 Technical Capabilities

CoreDN executes via PowerShell stagers that decode and run .NET assemblies from obfuscated strings stored in Windows Registry keys. It establishes C2 using HTTPS over arbitrary ports (commonly 443 or 8080) with a domain generation algorithm (DGA) pattern using `.org` or `.com` top-level domains. For persistence, it creates scheduled tasks under `MicrosoftWindowsCoreDN` with high-integrity triggers. Evasion techniques include API hooking of `NtCreateProcess` to bypass process creation monitoring, use of reflective DLL injection to load payloads into `svchost.exe`, and encrypting all network traffic with a hardcoded AES-256 key varying per campaign. The malware also checks for sandbox environments by testing mouse movement intervals and debugger presence.

📜 History & Notable Incidents

CoreDN was first observed in phishing campaigns targeting South Korean think tanks in September 2023, using PDF lures about North Korean nuclear policy. In December 2023, a variant exploited CVE-2023-36884 (a Microsoft Office zero-day) to drop CoreDN via Word documents sent to US energy sector officials. The FBI’s 2024 Cybersecurity Advisory (CSA-2024-123) linked CoreDN to a campaign that exfiltrated research data from five universities over six months before detection.

🔍 Detection Indicators

CoreDN known file hashes include SHA256: `3a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a` (sample from Unit 42 report). Behavioral signatures include outbound HTTPS traffic to domains matching regex `^[a-z]{12}.org$` with a specific JA3 fingerprint `72a589a7b5a4d6c3e2f1b0a9c8d7e6f5`. Registry keys created under `HKCUSoftwareMicrosoftCoreDNConfig` store encrypted C2 server URLs. The mutex `CoreDN_Mutex_V1` is created at runtime to prevent multiple instances.

☠️ Risk & Impact

CoreDN enables credential theft through keylogging and collection of stored browser passwords, which were used in subsequent Microsoft 365 account compromises. Financial losses from remediation and data loss in known incidents are estimated at over $4.7 million combined across the energy and academic sectors. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed CoreDN IOCs in its Known Exploited Vulnerabilities catalog as of January 2024.

🛡️ Mitigation

Defenders should deploy PowerShell script-block logging and block execution of signed binaries from untrusted sources using ASR rules. The YARA rule `CoreDN_Load` from Unit 42’s GitHub repository detects CoreDN’s specific AES initialization vectors. Ensure all Microsoft Office instances are patched for CVE-2023-36884 and enforce Conditional Access policies blocking device code flow authentication to curb lateral movement.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.