North Korea-Linked APT Group Kimsuky spotted using new malware

North Korea-linked APT group Kimsuky was recently spotted using a new piece of malware in attacks on government agencies and human rights activists.

North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was recently observed using a new malware in attacks aimed at government agencies and human rights activists.

The Kimsuky APT group has been analyzed by several security teams, it was first spotted by Kaspersky researcher in 2013, recently its activity was detailed by ESTsecurity and by the team of researchers at my former company Cybaze ZLab.

At the end of October, the US-CERT published a report on Kimusky’s recent activities that provided information of their TTPs and infrastructure.

The APT group mainly targeting think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

Researchers at Cybereason’s Nocturnus team published a new report that includes details on two new pieces of malware associated with the North-Korea linked APT, modular spyware called KGH_SPY and a downloader called CSPY Downloader. Experts also identified a new server infrastructure used by the cyberspies that overlaps with previously identified Kimsuky infrastructure.

“Kimsuky is known for their complex infrastructure that uses free-registered domains, compromised domains, as well as private domains registered by the group.” reads the report published by Cybereason. “Tracking down the infrastructure, the Nocturnus team was able to detect overlaps with BabyShark malware and other connections to different malware such as AppleSeed backdoor”

KGH_SPY is a modular suite of tools that allows attackers to perform reconnaissance, keylogging, information stealing and implements backdoor capabilities

CSPY Downloader is a tool designed to evade analysis and acts as a downloader to deliver additional payloads.

The new malware appears to have been developed recently, but threat actors might have used Backdating, or timestomping to thwart analysis attempts (anti-forensics). The researchers believe that attackers have tampered with the creation date of most of the files employed in the attacks and backdated them to 2016.

The Kimsuky APT group delivered the malware via weaponized documents, the final goal was cyber espionage, the KGH-Browser Stealer was able to exfiltrate stored data from Chrome, Edge, Firefox, Thunderbird, Opera, Winscp. 

The CSPY Downloader implements anti-analysis techniques, it is able to determine whether it is running in a virtual environment or a debugger is used.

“The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques. At the time of writing this report, some of the samples mentioned in the report are still not detected by any AV vendor,” the Nocturnus team concludes. “While the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure targeted organizations dealing with human rights violations.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky APT)

[adrotate banner=”5″]

[adrotate banner=”13″]