A week after the US government issued an advisory about a “global intelligence gathering mission” operated by North Korean state-sponsored hackers, new findings have emerged about the threat group’s spyware capabilities.
The APT — dubbed “Kimsuky” (aka Black Banshee or Thallium) and believed to be active as early as 2012 — has been now linked to as many as three hitherto undocumented malware, including an information stealer, a tool equipped with malware anti-analysis features, and a new server infrastructure with significant overlaps to its older espionage framework.
“The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe,” Cybereason researchers said in an analysis yesterday.
Last week, the FBI and departments of Defense and Homeland Security jointly released a memo detailing Kimsuky’s tactics, techniques, and procedures (TTPs).
Leveraging spear-phishing and social engineering tricks to gain the initial access into victim networks, the APT has been known to specifically target individuals identified as experts in various fields, think tanks, the cryptocurrency industry, and South Korean government entities, in addition to posing as journalists from South Korea to send emails embedded with BabyShark malware.
In recent months, Kimsuky has been attributed to a number of campaigns using coronavirus-themed email lures containing weaponized Word documents as their infection vector to gain a foothold on victim machines and launch malware attacks.
“Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions,” the Cybersecurity and Infrastructure Security Agency (CISA) said.
Now according to Cybereason, the threat actor has acquired new capabilities via a modular spyware suite called “KGH_SPY,” allowing it to carry out reconnaissance of target networks, capture keystrokes, and steal sensitive information.
Besides this, the KGH_SPY backdoor can download secondary payloads from a command-and-control (C2) server, execute arbitrary commands via cmd.exe or PowerShell, and even harvest credentials from web browsers, Windows Credential Manager, WINSCP and mail clients.
Also of note is the discovery of a new malware named “CSPY Downloader” that’s designed to thwart analysis and download additional payloads.
Lastly, Cybereason researchers unearthed a new toolset infrastructure registered between 2019-2020 that overlaps with the group’s BabyShark malware used to previously target US-based think tanks.
“The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques,” the researchers said.
“While the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure targeted organizations dealing with human rights violations.”