The North Korean state-sponsored hacking group known as Kimsuky has been implicated in a recent series of cyberattacks targeting political and diplomatic organizations within South Korea. This activity, which began in early 2022, has raised alarms in the cybersecurity community about the sophisticated tactics employed by the group.
Kaspersky, a prominent Russian cybersecurity firm, tracks this cluster of activity under the codename GoldDragon. Through intricate infection chains, Kimsuky has deployed malware capable of harvesting sensitive user data, including keystrokes and web browser login credentials. The likely targets of these attacks include South Korean university professors, think tank researchers, and government officials, underscoring the group's strategic focus on intelligence gathering.
Kimsuky is also known by the aliases Black Banshee and Thallium. Operating since at least 2012, the group has built a reputation for its methodical approach to cyber espionage, directed primarily at South Korea, where the regime seeks intelligence on a wide range of subjects. Historically, Kimsuky has relied on social engineering techniques such as spear phishing and watering hole attacks to collect the information it wants.
In a related development, cybersecurity firm Volexity reported that an operation attributed to Kimsuky aimed to steal email contents from services such as Gmail and AOL using a malicious Chrome extension identified as Sharpext. This operation highlights the group's persistent drive to evolve its methods in pursuit of sensitive data.
Recent campaigns have seen Kimsuky employing spear-phishing emails that carry Microsoft Word documents with embedded macros. The documents are themed around pressing geopolitical issues to entice targets into opening them. Alternative methods of gaining initial access have also been identified, including HTML Application (HTA) and Compiled HTML Help (CHM) files used as decoys to compromise systems.
Following the initial breach, Kimsuky's malware typically retrieves Visual Basic Scripts from a remote server to fingerprint the victim's machine and fetch additional payloads, including executables that exfiltrate sensitive information. A particularly novel aspect of the approach is that the victim's email address is sent to the command-and-control server when the malicious link is clicked. If the address is not the expected one, a benign document is returned instead, which keeps the ruse intact and withholds the malicious stage from anyone who is not the intended target.
The subsequent stages of the attack use a two-stage command-and-control approach. The first server records the victim's IP address, and that record is then matched against the later opening of the lure document to confirm that the intended target, rather than a researcher or sandbox, is the one interacting with it. This verification process indicates a highly tailored method of engagement, designed to minimize detection while maximizing the infection success rate.
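The chain described above leaves a recognizable trace on a web proxy: a browser request that carries an internal employee's email address to an external site, followed shortly by requests from an Office or script host process on the same machine. The following added example (not code from the article, Kaspersky or Volexity) correlates those two signals over constructed proxy log lines; the log format, the internal domain `think-tank.example`, the allowed host list and the user-agent class labels are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article). Fields: timestamp, source IP,
# user-agent class as normalised by the proxy, requested URL.
SAMPLE_LOG = """\
2022-03-01T09:00:05 10.0.0.7 browser http://lure.example.test/view?u=kim@think-tank.example
2022-03-01T09:00:40 10.0.0.7 office http://stage2.example.test/fp?id=7
2022-03-01T09:01:10 10.0.0.7 wscript http://stage2.example.test/p1.bin
2022-03-01T10:15:00 10.0.0.9 browser http://news.example.test/article?id=44
2022-03-01T10:16:00 10.0.0.9 browser http://mail.example.test/?user=lee@think-tank.example
"""

INTERNAL_DOMAIN = "think-tank.example"              # assumed: the organisation's mail domain
INTERNAL_HOSTS = {"mail.example.test"}               # assumed: hosts allowed to see that address
NON_BROWSER = {"office", "wscript", "mshta", "hh"}   # Office and script-host user-agent classes
WINDOW = timedelta(minutes=15)                       # how soon stage 2 must follow the click
EMAIL_RE = re.compile(r"[\w.+-]+@" + re.escape(INTERNAL_DOMAIN))

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, src, ua, url = line.split()
        events.append((datetime.fromisoformat(ts), src, ua, url))
    return events

def find_lure_chains(log_text):
    """Return one alert per browser request that (1) sent an internal e-mail
    address to an external host and (2) was followed within WINDOW by requests
    from a non-browser process on the same source, the shape of the chain above."""
    events = parse(log_text)
    alerts = []
    for ts, src, ua, url in events:
        m = EMAIL_RE.search(url)
        if ua != "browser" or not m or urlparse(url).hostname in INTERNAL_HOSTS:
            continue
        followups = [u for t2, s2, ua2, u in events
                     if s2 == src and ua2 in NON_BROWSER and ts < t2 <= ts + WINDOW]
        if followups:  # an address leak alone (line 5) is normal webmail use, so no alert
            alerts.append({"src": src, "email": m.group(0), "lure": url,
                           "followups": followups})
    return alerts

if __name__ == "__main__":
    for alert in find_lure_chains(SAMPLE_LOG):
        print(alert)
```

Requiring the second stage is what keeps the rule quiet on ordinary webmail traffic; the benign-document fallback the group uses means the first request alone is not evidence of compromise.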
Kaspersky researcher Seongsu Park emphasized the continuous evolution of Kimsuky's malware strategies, noting the ongoing difficulty of tracking their infection chains end to end. This adaptability complicates the task of mounting effective defenses.
In conclusion, Kimsuky's recent activities pose a significant threat to political and diplomatic entities in South Korea, combining advanced phishing tactics with malware designed to exfiltrate sensitive information. Staying aware of these evolving espionage methods is crucial for organizations seeking to fortify their defenses against increasingly sophisticated attacks.