By: Ravie Lakshmanan
The North Korean nation-state group Kimsuky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart in early 2022.
Russian cybersecurity firm Kaspersky codenamed the cluster GoldDragon, with the infection chains leading to the deployment of Windows malware designed to collect file lists, user keystrokes, and stored web browser login credentials.
Included among the potential victims are South Korean university professors, think tank researchers, and government officials.
Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime.
Known to be operating since 2012, the group has a history of employing social engineering tactics, spear-phishing, and watering hole attacks to exfiltrate desired information from victims.
Late last month, cybersecurity firm Volexity attributed to the actor an intelligence-gathering mission designed to siphon email content from Gmail and AOL via a malicious Chrome browser extension dubbed Sharpext.
The latest campaign follows a similar modus operandi wherein the attack sequence is initiated via spear-phishing messages containing macro-embedded Microsoft Word documents that purportedly feature content related to geopolitical issues in the region.
Alternative initial access routes are also said to take advantage of HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys to compromise the system.
Regardless of the method used, the initial access is followed by dropping a Visual Basic Script from a remote server that’s orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.
What’s novel about the attack is the transmission of the victim’s email address to the command-and-control (C2) server should the recipient click a link in the email to download additional documents. If the request doesn’t contain an expected email address, a benign document is returned.
To further complicate the kill chain, the first-stage C2 server forwards the victim’s IP address to another VBS server, which then compares it with an incoming request that’s generated after the target opens the lure document.
The “victim verification methodology” in the two C2 servers ensures that the VBScript is delivered only when the IP address checks are successful, indicating a highly targeted approach.
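The two-step gating described above has a practical consequence for responders: a lure URL replayed from a sandbox or an analyst workstation (different source IP, no embedded email address) returns only the benign document, so the script stage has to be caught in the original victim's traffic. The following is an added triage example, not code from Kaspersky or from the article; it correlates, per client IP, a document download whose URL carries an email address with a later script retrieval by the same client. The log format, the `u=` query parameter, the hostnames and the content types are all constructed assumptions for illustration, not indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed proxy log (hypothetical format), one request per line:
# timestamp client_ip method url status content_type
SAMPLE_LOG = """\
2022-02-10T09:12:01Z 10.0.0.5 GET http://lure.example/download?u=jane.doe@univ.example.kr 200 application/msword
2022-02-10T09:14:37Z 10.0.0.5 GET http://stage.example/check 200 text/vbscript
2022-02-10T10:01:00Z 10.0.0.9 GET http://lure.example/download 200 application/msword
2022-02-10T10:03:00Z 10.0.0.12 GET http://news.example/report.docx 200 application/msword
"""

# Loose e-mail pattern, enough to spot an address embedded in a URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Content types that indicate a script body was served (assumed set).
SCRIPT_TYPES = {"text/vbscript", "text/vbs", "application/x-vbs"}
DOC_TYPES = {"application/msword",
             "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}


def parse_log(text):
    """Parse the constructed space-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url, status, ctype = line.split()
        events.append({"ts": ts, "ip": ip, "method": method, "url": url,
                       "status": int(status), "ctype": ctype})
    return events


def find_gated_chains(events):
    """Flag clients that (1) downloaded a Word document through a URL embedding an
    e-mail address and (2) later received a script body. The pairing mirrors the
    gate described in the article: without the e-mail token the first stage
    answers with a decoy, so the script stage appears only for verified victims."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        lure = None
        for e in evs:
            if lure is None:
                # Stage 1: document fetch that carries the recipient's address.
                if e["ctype"] in DOC_TYPES and EMAIL_RE.search(e["url"]):
                    lure = e
            elif e["ctype"] in SCRIPT_TYPES:
                # Stage 2: same client is served a script after the lure.
                findings.append({
                    "ip": ip,
                    "email": EMAIL_RE.search(lure["url"]).group(0),
                    "lure_url": lure["url"],
                    "script_url": e["url"],
                    "lure_ts": lure["ts"],
                    "script_ts": e["ts"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_gated_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: lure for {f['email']} at {f['lure_ts']}, "
              f"script {f['script_url']} at {f['script_ts']}")
```

Only the client that presented an email-bearing lure URL and then pulled a script body is reported; the client that fetched the same download path without the address, and the unrelated document download, are left alone. In a real investigation the email-bearing request and its source IP are the context that must be preserved, because the same URL fetched from elsewhere will not reproduce the chain.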
“The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis,” Kaspersky researcher Seongsu Park said. “The main difficulty in tracking this group is that it’s tough to acquire a full-infection chain.”