The North Korean APT group known as Kimsuky, Black Banshee, Velvet Chollima and Thallim is actively attacking commercial-sector businesses, often by posing as South Korean reporters, according to an alert from the CISA.
Kimsuky (Hidden Cobra or Lazarus) has been known since 2012, mainly targeting think tanks in South Korea, but more recently expanding operations to the United States, Europe, and Russia with the help of the regime in Pyongyang. Its mission is global intelligence gathering, CISA noted, which usually starts with spearphishing emails, watering-hole attacks, torrent shares and malicious browser extensions, in order to gain an initial foothold in target networks. Primary targets include think-tanks, and diplomatic and high-level organizations in Japan, South Korea and the United States, with a focus on foreign policy and national-security issues related to the Korean peninsula, nuclear policy and sanctions, CISA added. It also targets the cryptocurrency industry.
In recent campaigns observed during summer 2020, the group ultimately sent malicious attachments embedded in spearphishing emails to gain initial access to victim organizations, according to this report by CISA published on October 17.
But the malicious content was deployed only after several initial exchanges with the target meant to build trust: “Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport,” according to CISA. “The emails contained the subject line, ‘Skype Interview requests of [TV show] in Seoul,’ and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.”
After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document. And when the date of the interview got closer, the purported reporter sent an email canceling the interview. After obtaining initial access, the APT group ultimately deployed the BabyShark malware and PowerShell or the Windows Command Shell for execution. The infection routine typically used is multi-staged, according to CISA, which included a deep-dive into the group’s recent TTPs.
“First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system,” CISA explained. “The HTA file then downloads, decodes and executes the encoded BabyShark VBS file. The script maintains persistence by creating a registry key that runs on startup. It then collects system information, sends it to the operator’s command-and-control (C2) servers, and awaits further commands.”
Kimsuky performs fileless attacks: It uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target’s memory. It also uses well-known methods for privilege escalation to move laterally, including placing scripts in the Startup folder, creating and running new services, changing default file associations and injecting malicious code in explorer.exe, CISA said. In addition, the group makes use of Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account Control to inject malicious code into explorer.exe.
“This malicious code decrypts its spying library—a collection of keystroke-logging and remote-control access tools, and remote-control download and execution tools—from resources, regardless of the victim’s operating system,” according to CISA. “It then saves the decrypted file to a disk with a random but hardcoded name in the user’s temporary folder and loads this file as a library, ensuring the tools are then on the system even after a reboot. This allows for the escalation of privileges.”
Kimsuky uses stolen web-hosting credentials from victims outside of its usual targets to host its arsenal of weapons and harvest credentials from web browsers, files and keyloggers. “Kimsuky likely obtained the credentials from the victims via spearphishing and credential-harvesting scripts,” according to the CISA alert. “On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.”
CISA also noted that Kimsuky uses a number of legitimate tools mixed with proprietary weapons: “Kimsuky uses memory-dump programs instead of using well-known malicious software and performs the credential extraction offline,” according to the alert. “Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit (CPU) utilization. ProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware.”
CISA found that Kimsuky also uses modified versions of PHProxy, an open-source web proxy written in PHP, to examine web traffic between victims and the websites accessed by the victims, and to collect any credentials entered. Meanwhile, the APT group leverages the victim’s operating system command prompt to enumerate the file structure and system information. Legitimate tools aside, it has its own set of malicious tools as well. For instance, Kimsuky has been seen abusing a Chrome extension to steal passwords and cookies from browsers. Kimsuky also uses a PowerShell-based keylogger and cryptominer named MECHANICAL, and a network-sniffing tool, named Nirsoft SniffPass, which is capable of obtaining passwords sent over non-secure protocols.
“The keylogger intercepts keystrokes and writes them to C:\Program Files\Common Files\System\Ole DB\msolui80.inc and records the active window name where the user pressed keys,” according to CISA. “There is another keylogger variant that logs keystrokes into C:\WINDOWS\setup.log.” Kimsuky meanwhile collects data from the victim’s system through a HWP document malware, which changes the default program association in the Registry to open HWP documents. On the macOS, Kimsuky has used a Python implant that gathers data from macOS systems and sends it to a C2 server. The Python program also downloads various implants based on C2 options.
The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports. There are extensive reports on many of the threats mentioned in this article that can be found at https://redskyalliance.org. There is no charge for these reports and articles posted.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company wide.
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org.
Weekly Cyber Intelligence Briefings: