Recent developments have revealed that a North Korean state-sponsored hacking group, known as Kimsuky, has enhanced its repertoire of spyware tools. This scrutiny follows a US government advisory, highlighting their ongoing “global intelligence gathering mission.” Kimsuky, also referred to as Black Banshee or Thallium, is believed to have been operational since at least 2012 and has now been linked to three previously undocumented malware variants.

According to researchers at Cybereason, this advanced persistent threat (APT) group has a well-documented history of offensive cyber operations worldwide, specifically targeting South Korean think tanks. However, its scope has dramatically widened in recent years, now affecting various entities in the United States, Russia, and multiple European countries. An analysis of Kimsuky’s tactics, techniques, and procedures (TTPs) was jointly issued last week by the FBI and the Departments of Defense and Homeland Security, providing a closer look at their operations.

The group reportedly employs spear-phishing campaigns and social engineering tactics to infiltrate victim networks. Their targets include experts across various fields, think tanks, the cryptocurrency sector, and governmental organizations in South Korea. Notably, Kimsuky has masqueraded as South Korean journalists, using this guise to disseminate emails containing BabyShark malware, illustrating their sophisticated deception techniques.

The recent attribution of multiple campaigns to Kimsuky also revealed their use of coronavirus-themed email lures. These emails typically carry malicious Word documents designed to gain initial access to the targeted machine, from which the follow-on malware is delivered. Kimsuky’s operations concentrate on gathering intelligence related to foreign policy issues, national security matters concerning the Korean Peninsula, nuclear policy, and international sanctions, as noted by the Cybersecurity and Infrastructure Security Agency (CISA).

Recent insights from Cybereason indicate that the group has developed a modular spyware suite named KGH_SPY. This advanced tool enables Kimsuky to conduct reconnaissance on target networks, capture keystrokes, and extract sensitive data. The KGH_SPY backdoor is capable of downloading secondary payloads from command-and-control servers, executing arbitrary commands via cmd.exe or PowerShell, and collecting credentials from various applications, including browsers and email clients.

Additionally, a new malware variant termed “CSPY Downloader” has emerged, designed to complicate analysis and to fetch additional payloads. Researchers have also identified new infrastructure linked to Kimsuky that overlaps with its earlier BabyShark campaigns against US-based think tanks. This evolving toolkit highlights the group’s emphasis on stealth: it employs anti-forensics and anti-analysis techniques such as code obfuscation and backdating of malware samples, so that the samples appear older than they are, to evade detection.
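The backdating technique mentioned above is one that analysts can screen for during triage. The script below is an added example written for this article, not code from Cybereason, the government advisory, or any Kimsuky sample: it parses the COFF compile timestamp out of a PE file and compares it with the time the sample was first seen. The PE bytes are constructed in-line so it runs offline, and the thresholds (one day of clock skew, three years of plausible age) are assumptions chosen for illustration.

```python
"""Flag PE files whose compile timestamp looks backdated or otherwise implausible.

Added example, not from the original article. The PE images are constructed
below so the script runs offline; the thresholds are assumptions for illustration.
"""
import struct
from datetime import datetime, timezone

E_LFANEW_OFFSET = 0x3C            # DOS header field that points at the "PE\0\0" signature
MAX_FUTURE_SKEW = 24 * 3600       # assumed: tolerate one day of build-machine clock drift
MAX_AGE_BEFORE_FIRST_SEEN = 3 * 365 * 24 * 3600  # assumed: older than this vs. first-seen is suspicious


def utc_seconds(year: int, month: int, day: int) -> int:
    """Seconds since the Unix epoch for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct a minimal PE image (DOS stub + signature + COFF header) for testing.

    Only the fields this example reads carry meaningful values; the rest is zeroed.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\x00"))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    coff = struct.pack(
        "<4sHHIIIHH",
        b"PE\x00\x00",
        0x8664,      # Machine: AMD64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp: seconds since the Unix epoch
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xF0,        # SizeOfOptionalHeader
        0x0022,      # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + coff


def read_compile_timestamp(pe: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image; raise ValueError if it is not a PE."""
    if len(pe) < E_LFANEW_OFFSET + 4 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; TimeDateStamp sits after Machine and NumberOfSections.
    (timestamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return timestamp


def assess_timestamp(compile_ts: int, first_seen: int) -> list:
    """Return a list of findings for a compile timestamp (empty when it looks plausible)."""
    findings = []
    if compile_ts in (0, 0xFFFFFFFF):
        findings.append("placeholder timestamp")
        return findings
    if compile_ts > first_seen + MAX_FUTURE_SKEW:
        findings.append("compile time is in the future")
    if compile_ts < first_seen - MAX_AGE_BEFORE_FIRST_SEEN:
        findings.append("compile time far older than first-seen (possible backdating)")
    return findings


def triage_sample(pe: bytes, first_seen: int) -> list:
    """Parse the PE and assess its compile timestamp against the first-seen time."""
    return assess_timestamp(read_compile_timestamp(pe), first_seen)


if __name__ == "__main__":
    # Constructed samples: a first-seen date and three binaries with different compile stamps.
    first_seen = utc_seconds(2020, 11, 2)
    samples = {
        "recent build": build_minimal_pe(utc_seconds(2020, 10, 20)),
        "backdated": build_minimal_pe(utc_seconds(2016, 1, 1)),
        "zeroed stamp": build_minimal_pe(0),
    }
    for name, image in samples.items():
        stamp = datetime.fromtimestamp(read_compile_timestamp(image), tz=timezone.utc)
        print(f"{name:13s} compiled {stamp:%Y-%m-%d} -> {triage_sample(image, first_seen) or 'ok'}")
```

A compile timestamp far older than the first-seen date is a triage signal, not proof of tampering: legitimately old binaries will trip the same rule, some toolchains write fixed or hash-derived values into the field, and the check is best read alongside other evidence such as the debug directory timestamp and the versions of linked import libraries.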

While the specific identities of Kimsuky’s victims remain largely undisclosed, there are indicators that their targets may include organizations focused on human rights issues. This latest information reinforces the need for vigilance among businesses and organizations that may be exposed to sophisticated cyber threats, particularly from state-sponsored actors.
