Nearly 10 years since Kaspersky experts unmasked an active cyberespionage campaign primarily targeting South Korean think tanks, the state-sponsored group known as “Kimsuky” continues to show prolific updating of tools and tactics to victimize North Korea-related entities.
Kaspersky’s senior expert revealed more of his findings about Kimsuky during the global cybersecurity company’s 8th Cyber Security Weekend where he answered the question: “What if we can have another dimension of cyberattacks?” Among his latest discoveries is the possibility of this Advanced Persistent Threat (APT) threat actor expanding its operations with its abundant capabilities.
Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, has been on Kaspersky’s radar since 2013 and it is known to update its tools very quickly to hide its infrastructure and make it harder for security researchers and auto-analysis systems to acquire payloads.
Seongsu Park, lead security researcher for Global Research and Analysis Team (GReAT) at Kaspersky, found that the notorious group has continuously configured multi-stage command and control servers (C2) with various commercial hosting services located around the world.
A command and control server is a server that helps a threat actor control their malware and send malicious commands to its members, regulate spyware, send payload, and more.
“From less than 100 C2 servers in 2019, Kimsuky now has 603 malicious command centers as of July this year which clearly suggests that the threat actor is posed to launch more attacks, possibly beyond the Korean peninsula. Its history suggests that government agencies, diplomatic entities, media, and even cryptocurrency businesses in APAC should be on high alert against this stealthy threat,” says Park.
Kimsuky’s GoldDragon cluster
The skyrocketing number of C2 servers is part of Kimsuky’s continuous operations in APAC and beyond. In early 2022, Kaspersky’s team of experts observed another wave of attacks targeting journalists and diplomatic and academic entities in South Korea.
Dubbed as the “GoldDragon” cluster, the threat actor initiated the infection chain by sending a spear phishing email containing a macro-embedded Word document. Various examples of different Word documents used for this new attack were uncovered, each showing different decoy contents related to geopolitical issues in the Korean Peninsula.
Further analysis allowed Park to discover server-side scripts related to the GoldDragon cluster, which allowed the experts to map the group’s C2 operation.
The actor sends a spear-phishing email to the potential victim to download additional documents. If the victim clicks the link, it results in a connection to the first stage C2 server, with an email address as a parameter.
The first stage C2 server verifies the incoming email address parameter is an expected one and delivers the malicious document if it’s in the target list. The first stage script also forwards the victim’s IP address to the next stage server. When the fetched document is opened, it connects to the second C2 server.
The corresponding script on the second C2 server checks the IP address forwarded from the first stage server to check if it’s an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not.
On top of that, the operator relies on several other processes to carefully deliver the next payload such as checking OS type and predefined user-agent strings.
Another notable technique Kimsuky utilizes is the use of the verification process of the client to confirm its relevant victim they want to compromise. Kaspersky experts even saw contents of decoy documents having various topics including the agenda of the “2022 Asian Leadership Conference,” a form of honorarium request, and an Australian diplomat’s curriculum vitae.
“We’ve seen that the Kimsuky group continuously evolves malware infection schemes and adopts novel techniques to hinder analysis,” Park said. “The difficulty in tracking this group is that it’s tough to acquire a full-infection chain. As we can see from this research, most recently, threat actors adopt victim verification methodology in their command and control servers. Despite the difficulty of getting server-side objects, if we analyze an attacker’s server and malware from the victim’s side, we can fully understand how the threat actors operate their infrastructure and what kind of techniques they employ.”
To protect systems and networks from Kimsuky’s clandestine tactics and techniques, Kaspersky experts suggest:
Full-context-based defense is the key
- Hit-and-run style defense never works
- Security teams and experts need to understand the full context of threats; it is advisable to have services that provide in-depth and real-time reports and analysis like Kaspersky Threat Intelligence Portal
- Diversify defense points
Cooperation with other industry
- Each sector has different sets of strengths and expertise
- Cooperation is essential to understand the multi-dimension of cyber threats in turn allowing better strategies against them