The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Cyber Command Cyber National Mission Force (CNMF) have released a joint alert detailing the activities of a North Korean advanced persistent threat group known as Kimsuky, which is conducting cyber espionage operations against organizations across the globe.
Active since at least 2012, the Kimsuky APT primarily targets South Korean entities, but has also been observed conducting cyber espionage campaigns against individuals and organizations in Japan and the US. The group focuses on gathering intelligence on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions, and it specifically targets individuals identified as experts in various fields and think tanks, as well as South Korean government agencies, the security alert said.
To gain initial access to victims’ networks, the Kimsuky APT uses various spear-phishing and social engineering techniques, often posing as South Korean reporters or using topics of interest to targets such as COVID-19, the North Korean nuclear program, or media interviews.
The report notes that the Kimsuky hackers deploy several spear-phishing techniques to obtain credentials and other information from potential victims. They use stolen web hosting usernames and passwords to inject malicious scripts into websites or to create spoofed versions of Google Gmail or Yahoo email domains.
“Kimsuky’s other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions,” the alert said.
Upon obtaining initial access, the Kimsuky group deploys the BabyShark malware and uses PowerShell or the Windows Command Shell to execute it. BabyShark is a Visual Basic Script-based malware used for data exfiltration.
The report notes that Kimsuky uses well-known techniques to elevate privileges on the system, such as placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code into explorer.exe.
“Kimsuky has demonstrated the ability to establish persistence through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions,” according to the report.
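The persistence locations the alert lists (Startup folders, newly created services, changed default file associations, and autostart entries) can be audited from the defender's side. The script below is an added example, not code from the alert or the article; it assumes a standard Windows layout and only reads, never modifies, the locations it inspects, producing a snapshot to compare against a known-good baseline.

```powershell
# Added example (not from the CISA alert or the article): read-only audit of the
# Windows persistence locations the alert attributes to Kimsuky. Assumes a
# standard Windows install; the extension list and path filter are illustrative.

$report = [ordered]@{}

# 1. Startup folders (per-user and all-users): anything here runs at logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$report.StartupItems = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

# 2. Services whose binary lives outside the usual system directories.
$report.UnusualServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?C:\\(Windows|Program Files)' } |
    Select-Object Name, StartMode, PathName

# 3. Default handlers for common extensions; a changed handler can redirect an
#    ordinary file open to attacker-controlled code.
$extensions = '.txt', '.js', '.vbs', '.hta', '.ps1'
$report.FileAssociations = foreach ($ext in $extensions) {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $cmd = $null
    if ($progId) {
        $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $cmd }
}

# 4. Run keys, the most common autostart execution location.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$report.RunKeys = foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS*
}

# Emit the snapshot; diff it against a baseline taken from a clean host.
$report
```

Run it as an administrator so the all-users Startup folder and HKLM keys are fully readable; entries that differ from the baseline are leads for investigation, not verdicts.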
Kimsuky has been observed using well-known methods for defense evasion, including disabling security tools, deleting files, and using Metasploit. As for command and control operations, the APT has been seen using a modified TeamViewer client for C2 communications, although the group’s preferred method for sending or receiving exfiltrated information is email, with its malware on the victim machine encrypting the data before sending it to a C2 server, the alert said.