An alert released by the United States this week provides information on Kimsuky, a threat actor focused on gathering intelligence on behalf of the North Korean government.
Issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Cyber Command Cyber National Mission Force (CNMF), the advisory notes that the adversary has been active since at least 2012, engaging in social engineering, spear-phishing, and watering hole attacks.
The malicious cyber activity associated with the North Korean government is typically referred to as HIDDEN COBRA by the United States.
Kimsuky, the alert says, targets individuals and organizations located in Japan, South Korea, and the United States, and is mainly focused on gathering intelligence on “foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.”
Targets include entities associated with the South Korean government, individuals who are believed to be experts in various fields, and think tanks.
For initial access, Kimsuky uses spear-phishing with malicious attachments, and various social engineering methods. However, the threat actor would also send benign emails to gain victims’ trust. Malicious scripts and tools are hosted using stolen web hosting credentials, the alert reads.
The adversary was observed posing as South Korean reporters and engaging with intended targets to claim to be arranging interviews on inter-Korean issues and denuclearization negotiations. To one recipient who agreed to an interview, Kimsuky sent a malicious document in a subsequent email, to infect the victim with a variant of the BabyShark malware.
The employed spear-phishing emails were tailored to topics deemed relevant to the target, including the current COVID-19 crisis, the North Korean nuclear program, and media interviews.
Kimsuky, the advisory reads, also uses login-security-alert-themed phishing emails for initial access, along with watering hole attacks, malware delivered via torrent sharing sites, and malicious browser extensions served to their victims.
Following initial access, the threat actor uses mshta.exe to fetch and execute an HTML application (HTA) file that downloads and runs the encoded BabyShark VBS file. The script achieves persistence through a registry key, and collects system information and sends it to the operator’s command and control (C&C) servers.
The adversary would also employ PowerShell for the execution of files directly in memory and to achieve persistence through malicious browser extensions, altered system processes, Remote Desktop Protocol (RDP), and by changing the autostart execution and default file association for an application.
In 2018, during a campaign referred to as STOLEN PENCIL, Kimsuky used the GREASE malware, which adds a Windows administrator account and abuses RDP to provide attackers with access to the compromised systems.
For information gathering purposes, Kimsuky targets Hangul Word Processor (HWP) and Microsoft Office documents, and uses web shells for file upload, download, and deletion.
To escalate privileges, the threat actor uses scripts placed in the Startup folder, newly created services, modified file associations, and malicious code injected into explorer.exe. The Win7Elevate exploit from the Metasploit framework was used to bypass the User Account Control to inject code into explorer.exe.
In their joint alert, CISA, the FBI and USCYBERCOM also provide information on methods Kimsuky employs for defense evasion, its use of various tools for credential harvesting, memory dumping, and system information enumeration, how system data is collected, and the targeting of macOS systems.
The advisory also provides details on the employed C&C and data exfiltration, also noting that the threat actor’s activities are limited to information harvesting, and are not destructive in nature.