North Korea’s cyber-espionage group Kimsuky (also tracked as Black Banshee, Thallium and Velvet Chollima) was recently observed using new malware in attacks on government institutions and human rights defenders.
The Kimsuky APT group has been analysed by several security teams: it was first observed by Kaspersky in 2013, and its activity was recently investigated in detail by ESTsecurity and by the research team of my former company, Cybaze ZLab.
At the end of October, the U.S. CERT issued a report on Kimsuky’s recent activity, including details of its TTPs and infrastructure.
The APT group focuses primarily on think tanks and organisations in South Korea; other victims are located in the United States, Europe and Russia.
Researchers from Cybereason’s Nocturnus team have published a new report describing two new pieces of malware attributed to the North Korea-linked APT: the KGH_SPY modular spyware and the CSPY Downloader. The experts also identified new server infrastructure used by the cyberspies that overlaps with previously identified Kimsuky infrastructure.
Kimsuky is known for its elaborate infrastructure, which mixes free-registration domains, compromised domains and private domains registered by the group itself. By monitoring that infrastructure, the Nocturnus team was able to find overlaps with the BabyShark malware and further connections to other malware families such as the AppleSeed backdoor.
KGH_SPY is a modular toolset that allows the attackers to perform reconnaissance, log keystrokes, steal information and provide backdoor functionality.
CSPY Downloader is a tool designed to evade analysis; it acts as a loader that delivers additional payloads.
The new malware appears to have been developed recently, but the threat actors may have backdated the compile timestamps (timestomping) to hinder analysis, an anti-forensic technique. The researchers believe the attackers falsified the creation dates of most of the files used in the attacks, setting them to 2016.
The Kimsuky APT group delivered the malware through weaponised documents, with cyber espionage as the ultimate goal. The KGH browser stealer was able to exfiltrate data stored by Chrome, Edge, Firefox, Thunderbird, Opera and WinSCP.
CSPY Downloader implements anti-analysis techniques: it can determine whether it is running in a virtual environment or under a debugger.
The threat actors tried to stay under the radar with a variety of anti-forensic and anti-analysis techniques, including backdating the malware’s creation/compilation time to 2016, code obfuscation, and anti-VM and anti-debugging methods. At the time of writing, some of the samples mentioned in the report were not yet detected by any antivirus vendor, the Nocturnus team concludes. Although the identity of the victims of this campaign remains unclear, there are indications that the infrastructure was aimed at organisations dealing with human rights violations.
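The backdating described above leaves a measurable trace: the compile timestamp in a sample's PE header is far older than the date the file was first seen. The following Python is an added triage check written for this article, not code from Cybereason or from the Kimsuky report; it parses the COFF `TimeDateStamp` directly from the PE bytes and flags a sample whose compile date precedes its first sighting by more than a configurable margin. The `build_minimal_pe` helper constructs a stand-in header (not a real or loadable binary) so the check can be exercised offline, and the 2020 "first seen" date is a constructed value, not one taken from the report.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offset of TimeDateStamp from the start of the "PE\0\0" signature:
# signature (4) + Machine (2) + NumberOfSections (2).
COFF_TIMESTAMP_OFFSET = 8


def _utc(iso_date: str) -> datetime:
    """Parse a YYYY-MM-DD string as a UTC datetime."""
    return datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Raises ValueError for anything that is not a parseable PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    if len(data) < e_lfanew + 24:
        raise ValueError("truncated COFF file header")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def looks_backdated(data: bytes, first_seen: str, max_age_days: int = 365) -> bool:
    """Heuristic: flag a sample whose compile timestamp predates its first
    sighting by more than max_age_days. Old but legitimate software will also
    trip this, so treat a hit as a lead for further checks, not a verdict."""
    return pe_compile_time(data) < _utc(first_seen) - timedelta(days=max_age_days)


def build_minimal_pe(compile_date: str) -> bytes:
    """Constructed stand-in for a real sample: a 64-byte DOS header whose
    e_lfanew points to offset 0x40, the PE signature, and a 20-byte COFF
    header carrying the requested timestamp. Parseable, not loadable."""
    stamp = int(_utc(compile_date).timestamp())
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    # Machine=AMD64, 0 sections, TimeDateStamp, no symbols, no optional
    # header, Characteristics=EXECUTABLE_IMAGE.
    coff_header = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0x0022)
    return dos_header + b"PE\0\0" + coff_header


if __name__ == "__main__":
    # Constructed scenario: one sample stamped 2016 (as the report describes)
    # and one stamped shortly before a constructed first-seen date in 2020.
    first_seen = "2020-11-02"  # constructed, not taken from the report
    for label, sample in [("stamped 2016", build_minimal_pe("2016-03-01")),
                          ("stamped 2020", build_minimal_pe("2020-10-20"))]:
        compiled = pe_compile_time(sample).date()
        flag = looks_backdated(sample, first_seen)
        print(f"{label}: compiled {compiled}, first seen {first_seen}, "
              f"backdated={flag}")
```

A timestamp mismatch alone is only a lead. To strengthen the call, compare the COFF stamp against other dated fields that a simple timestomp usually leaves untouched, such as the export directory timestamp, debug directory entries or an Authenticode signing time, and against the linker version recorded in the optional header.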
(Security matters – Hacking, Kimsuky APT)