The Kimsuky Module Is a New Threat

Merely a week after the US government’s issuance of the advisory about the North Korean hackers, state-sponsored hackers as they specifically mention, a critical finding surfaces – the advanced persistent threat ‘Kimsuky’ (also known as the ‘Black Banshee’, ‘Thallium’, and many others) have been linked to as many as three earlier cyberattacks.

This threat actor is suspected to be in action since 2012, maybe even earlier. This group has a very rich history of past cybercrimes around the globe. Their earlier targets were mainly the South Korean think tanks. But over the years their actions have expanded significantly, and they are suspected to have attacked many countries like the US, Russia, and many countries of the European Union.

FBI and departments of Defense and Homeland Security jointly released a memorandum last week that lists all the details about this group and their potential techniques.

How they operate
Their targets

How they operate

Recently, this malicious group has been suspected to lead a number of campaigns with email lures. The mails would generally contain word documents as their infection vector. This way the actors get access to the victim system and can launch malware attacks.

The Kimsuky module has been found to mainly target the foreign policy and national security issues concerned to Korea. According to the experts, they have acquired new capabilities in recent times. They are found to use a modular spyware suit called ‘KGH_SPY’. This makes them capable of performing reconnaissance attacks on the victim and steal sensitive info.

The ‘KGH_SPY’ suit gives them further capabilities. This spyware can download secondary payloads from a command-and-control server, execute arbitrarily commands via the command-line tool, and harvest documents from browsers or mail clients.

The researchers have also unearthed a new malware called ‘CSPY Downloader’ designed to prevent analysis and download even more payloads.

The researchers also found out a new toolset registered between 2019-20. Quite suspiciously it overlaps with their infamous BabyShark malware attack on the US think tanks. The group had employed a serious amount of time and labor to get past all the tracking and analysis tools without detection.

Their primary angle of attack has been through spear-phishing and social engineering. Spear-phishing is a well-known technique that involves sending emails appearing to be from a trusted source often leading to the victim revealing confidential or sensitive information.

Their targets

They have been found to mainly target individuals considered to be an expert or authority of some field. They have targeted many persons including think tanks, and south Korean government personals. The Kimsuky module has been found to also pose as South Korean journalists to send emails containing the BabyShark malware.

They had used various anti-forensics and anti-analysis techniques to continue remaining under the radar. Some of these techniques included, but not limited to, altering the timestamp (e.g. backdating the compilation time to 2016), unnecessary code obfuscation, and anti-VM techniques.

The true identity of the actors remains to be unclear. Nothing very substantial or concrete is still known about them. The same is true for the identity of the victims of this APT. Although, some telltale signs suggest their primary victims were organizations dealing with human rights violations.

Other useful articles: