7 February 2022

In the Spotlight: Kimsuky

Kimsuky is another hacker group believed to be operating on behalf of the North Korean regime. The group, tracked by security researchers as TA406 (Proofpoint), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos), has been active since 2012, and has a long history of offensive operations targeting South Korean think tanks, industry, and nuclear power operators. However, over the past few years the threat actor appears to have expanded its operation to include more countries, such as the US, Russia, European countries, and Japan.

Kimsuky, currently one of the most active APT groups, is known for its attacks on entities in the government and private sectors, including the UN Security Council, South Korean ministries, research institutes and the military, various human rights groups and think tanks, journalists covering Korean Peninsula relations and, more recently, pharmaceutical and research companies working on COVID-19 vaccines and therapies. In December 2020, The Wall Street Journal reported that Kimsuky was behind cyberattacks against at least half a dozen pharmaceutical firms involved in the development of coronavirus vaccines and treatments.

Experts believe that the group’s main goal is cyber-espionage, but Kimsuky has also been observed conducting cyberattacks for financial gain. In their attacks the Kimsuky operators employ a range of tactics and techniques to collect information from their victims, including common social engineering methods, spear phishing (emails carrying malicious Word, Excel, and/or Hangul Word Processor documents), watering hole attacks, and malware distribution via torrent sharing sites and malicious browser extensions.

The group has also been observed using the Visual Basic Script (VBS)-based malware BabyShark, as well as PowerShell scripts or the Windows Command Shell to run executables. Kimsuky establishes persistence on victim systems through a variety of methods, such as the use of malicious browser extensions, modifying system processes, manipulating autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application.

Kimsuky’s phishing infrastructure consists of numerous websites disguised as popular email services or messaging apps such as Gmail, Outlook, and Telegram. These phishing sites trick victims into entering their credentials, which are then harvested by the attackers.

The threat actor uses well-known techniques for privilege escalation, such as placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code into explorer.exe.
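The persistence and privilege-escalation techniques listed in the two paragraphs above (Startup-folder scripts, newly created services, default file association changes, and code injection into explorer.exe) are all visible in ordinary endpoint telemetry. The following is an added detection example, not code from the original article or from any vendor report; it runs four simple rules over constructed Sysmon-style and System-log-style events. The sample events, the field names, and the paths are made up for this illustration and are not real Kimsuky indicators.

```python
"""Detection rules for Startup-folder drops, file-association hijacks,
remote-thread injection into explorer.exe, and suspicious new services.
Field names mimic Sysmon (Event IDs 8, 11, 13) and the System log (7045).
All sample data below is constructed for this example."""
import re

# Constructed sample telemetry: a mix of suspicious and benign events.
SAMPLE_EVENTS = [
    # Sysmon 11 (FileCreate): a scripting host writes a .vbs into a Startup folder
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    # Sysmon 11: a document saved by Word (benign)
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    # Sysmon 13 (RegistryValueSet): the .txt open handler is redirected to a script
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCR\txtfile\shell\open\command\(Default)",
     "Details": r'wscript.exe "C:\Users\Public\svc.vbs" "%1"'},
    # Sysmon 13: an installer updating the same handler to a normal editor (benign)
    {"EventID": 13, "Image": r"C:\Program Files\Notepad++\installer.exe",
     "TargetObject": r"HKCR\txtfile\shell\open\command\(Default)",
     "Details": r'"C:\Program Files\Notepad++\notepad++.exe" "%1"'},
    # Sysmon 8 (CreateRemoteThread): a binary from a user-writable path injects into explorer.exe
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Downloads\viewer.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # System 7045 (service installed): service binary lives in a user-writable path
    {"EventID": 7045, "ServiceName": "WinUpdateHelper",
     "ImagePath": r'"C:\Users\Public\Libraries\helper.exe" -k'},
    # System 7045: Sysmon itself being installed from C:\Windows (benign)
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
]

STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations a non-admin user (or a dropper running as the user) can write to.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
SCRIPT_HOSTS = re.compile(r"(wscript|cscript|powershell|cmd|mshta)\.exe", re.I)
# Per-class open command; HKCR merges HKLM and per-user Software\Classes, so
# both hive spellings are covered.
ASSOC_CMD = re.compile(
    r"^(HKCR|HKU\\[^\\]+\\Software\\Classes|HKLM\\SOFTWARE\\Classes)\\[^\\]+\\shell\\open\\command\\", re.I)


def rule_startup_folder(ev):
    if ev["EventID"] == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
        return f"Startup-folder persistence: {ev['Image']} wrote {ev['TargetFilename']}"


def rule_file_association(ev):
    # Only flag handlers that hand the file to a script host, not ordinary editors.
    if (ev["EventID"] == 13 and ASSOC_CMD.match(ev["TargetObject"])
            and SCRIPT_HOSTS.search(ev["Details"])):
        return f"file association hijack: {ev['TargetObject']} -> {ev['Details']}"


def rule_explorer_injection(ev):
    if (ev["EventID"] == 8 and ev["TargetImage"].lower().endswith("\\explorer.exe")
            and USER_WRITABLE.match(ev["SourceImage"])):
        return f"remote thread into explorer.exe from {ev['SourceImage']}"


def rule_new_service(ev):
    # ImagePath may be quoted; strip the quote before checking the location.
    if ev["EventID"] == 7045 and USER_WRITABLE.match(ev["ImagePath"].lstrip('"')):
        return f"new service {ev['ServiceName']} from user-writable path: {ev['ImagePath']}"


RULES = [rule_startup_folder, rule_file_association, rule_explorer_injection, rule_new_service]


def detect(events):
    """Return (rule name, description) for every event that matches a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, desc in detect(SAMPLE_EVENTS):
        print(f"[{name}] {desc}")
```

Each rule keys on the combination that separates the technique from routine activity: a file landing in a Startup folder rather than just any file write, a shell\open\command value that points at a script host rather than an editor, a remote thread from a user-writable path into explorer.exe, and a service whose binary lives somewhere an unprivileged dropper could have written it. In a real deployment these would be tuned against the environment's own installer and management-agent behaviour before alerting.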

In order to remain unnoticed, Kimsuky employs various anti-forensics and anti-analysis techniques, such as disabling security tools, deleting files, using Metasploit, backdating the creation/compilation timestamps of malware samples to 2016, code obfuscation, and anti-VM and anti-debugging checks.

The group also utilizes a vast array of tools in its campaigns: legitimate tools and network sniffers to harvest credentials from web browsers and files, keyloggers (one of them a PowerShell-based keylogger dubbed “Mechanical”), modified versions of legitimate software (such as TeamViewer), and a macOS Python implant that collects data from macOS systems and sends it to the attackers’ command and control server. In 2020, security researchers at Cybereason discovered and detailed a new set of malicious tools tied to the Kimsuky group. One is a previously undocumented modular spyware suite dubbed KGH_SPY, which gives Kimsuky stealth capabilities for espionage operations; the other is a new malware strain named “CSPY Downloader,” with extensive anti-analysis and evasion capabilities.

As with other APT groups that operate under a big umbrella, Kimsuky includes several clusters: BabyShark, AppleSeed (JamBog), FlowerPower, and GoldDragon, with each of them using different methodologies.

According to Kaspersky, BabyShark heavily relies on scripted malware and compromised web servers for C2 operations, AppleSeed uses a unique, powerful backdoor named AppleSeed, while FlowerPower utilizes PowerShell scripts and malicious Microsoft Office documents. GoldDragon is the oldest cluster, closest to the original Kimsuky malware.
