Pierluigi Paganini
February 08, 2025
Researchers from AhnLab Security Intelligence Center (ASEC) observed North Korea’s Kimsuky APT group conducting spear-phishing attacks to deliver forceCopy info-stealer malware.
Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013. The group works under the control of the Reconnaissance General Bureau (RGB) foreign intelligence service. At the end of October 2020, the US-CERT published a report on Kimusky’s recent activities that provided information on their TTPs and infrastructure.
The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.
According to the ASEC’s report, the state-sponsored hackers send spear-phishing messages to distribute malicious *.LNK shortcut files, disguised as Office documents. When opened, they execute PowerShell or Mshta to download malware like PebbleDash and RDP Wrapper, to control the infected systems.
The attackers use a custom-built RDP Wrapper to enable remote desktop access, likely modifying export functions to evade detection.
The researchers noticed that the threat actors also install proxy malware to achieve external access to the infected systems that are located in a private network.
The Kimsuky group uses keyloggers in multiple file formats, including PowerShell script.
Kimsuky also use the forceCopy stealer malware to capture keystrokes and extract files from browser directories.
“The Kimsuky group used a tool that extracts only the key value from the “Local State” file instead of directly stealing credentials stored in the web browser. This is presumed to be for bypassing security products, and the extracted key is used later in the process of stealing credentials stored in the web browser.” reads the report published by ASEC. “The recently discovered type is installed under the name “forceCopy” and is used to copy files. It receives the path of the file to be copied as the first argument and the path where the file will be saved as the second argument. A characteristic of this malware is that it uses the NTFS Parser library to read files instead of APIs like ReadFile().”
The researchers also discovered the use of Injector and Loader malware, with the Loader loading files into memory and the Injector targeting processes. ASEC also identified obfuscated ReflectiveLoader scripts used by threat actors.
“In 2024, the attack methods of the Kimsuky group changed. While the use of LNK malware in spear-phishing attacks during the initial breach remained the same, the group began to increasingly use tools such as RDP Wrapper and Proxy to remotely control the infected systems instead of installing backdoors.” concludes the report. “The Kimsuky threat group is continuously launching spear phishing attacks against Korean users. They mainly distribute malware disguised as a document file attached to an email, and if a user executes this file, threat actors can take control of the system.”
Users are recommended to carefully check the email sender and refrain from opening files from unknown sources. Users should also keep their systems and applications updated.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, North Korea)
