Nearly 10 years after Kaspersky experts unmasked an active cyber-espionage campaign primarily targeting South Korean think tanks, the state-sponsored group known as Kimsuky continues to update its tools and tactics at a prolific pace.
A senior Kaspersky expert has revealed more of his findings, including the possibility that this advanced persistent threat (APT) actor will expand its operations using its abundant capabilities.
Kimsuky, also known as Thallium, Black Banshee and Velvet Chollima, has been on Kaspersky’s radar since 2013 and is known to update its tools very quickly to hide its infrastructure and make it more difficult for security researchers and automated analysis systems to acquire its payloads.
Seongsu Park, a senior security researcher for the Global Research and Analysis Team (GReAT) at Kaspersky, found that the notorious group has continuously configured tiered command and control (C2) servers using various commercial hosting services located around the world.
A command and control server is a server that lets an attacker control their malware: it sends malicious commands to the infected machines, manages spyware, delivers payloads, and so on.
Park says: “From less than 100 C2 servers in 2019, Kimsuky now has 603 malicious command centers as of July this year, which clearly suggests that the threat actor is meant to launch more attacks, perhaps beyond the Korean Peninsula.
“Its history suggests that government agencies, diplomatic entities, the media, and even cryptocurrency firms in APAC should be on high alert against this stealthy threat.”
The skyrocketing number of C2 servers is part of Kimsuky’s ongoing operations in APAC and beyond. In early 2022, Kaspersky’s team of experts observed a new wave of attacks targeting journalists and diplomatic and academic entities in South Korea.
Dubbed the GoldDragon cluster, the threat actor initiated the infection chain by sending a spear-phishing email containing a Word document with an embedded macro. Various examples of different Word documents used for this new attack have been discovered, each showing different decoy content related to geopolitical issues on the Korean Peninsula.
Further analysis allowed Park to uncover server-side scripts related to the GoldDragon cluster, which allowed experts to map the group’s C2 operation.
The actor sends a spear-phishing email that prompts the potential victim to download additional documents. If the victim clicks on the link, this results in a connection to the first-stage C2 server, with an email address passed as a parameter.
The first-stage C2 server verifies that the incoming email address parameter is expected and delivers the malicious document if it is in the target list. The first stage script also passes the victim’s IP address to the next stage server.
When the retrieved document is opened, it connects to the second-stage C2 server. The corresponding script on the second-stage C2 server checks the IP address transmitted by the first-stage server to verify whether the request is an expected one from the same victim.
Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not. In addition to this, the operator relies on several other processes to carefully deliver the next payload, such as checking the OS type and predefined user agent strings.
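The chain described above leaves a recognisable trace on the victim side: a request carrying an email address as a query parameter, followed shortly afterwards by a Word document download from the same client. The following detection logic, added here as an example and not part of Kaspersky’s research, runs that correlation over constructed proxy log lines (all domains, addresses and field layout are assumptions, not indicators from the report).

```python
import re
from datetime import datetime, timedelta

# Constructed sample proxy log (not from the report). Fields:
# timestamp client_ip method url status content_type
SAMPLE_LOG = """\
2022-07-01T09:00:01 10.0.0.5 GET http://decoy.invalid/view.php?id=analyst@think-tank.invalid 200 text/html
2022-07-01T09:00:03 10.0.0.5 GET http://decoy.invalid/files/agenda.doc 200 application/msword
2022-07-01T09:05:00 10.0.0.7 GET http://news.invalid/index.html 200 text/html
2022-07-01T09:06:00 10.0.0.7 GET http://news.invalid/report.docx 200 application/vnd.openxmlformats-officedocument.wordprocessingml.document
2022-07-01T10:00:00 10.0.0.9 GET http://mail.invalid/login?user=bob@corp.invalid 200 text/html
"""

# A query-string parameter whose value looks like an e-mail address.
EMAIL_IN_QUERY = re.compile(r"[?&][^=&]+=[^&@\s]+@[^&\s]+")
# Word document extensions seen in the URL path.
DOC_EXT = re.compile(r"\.(docx?|docm|rtf)$", re.IGNORECASE)


def parse_line(line):
    ts, ip, method, url, status, ctype = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "url": url, "ctype": ctype}


def looks_like_word_doc(event):
    path = event["url"].split("?", 1)[0]
    return bool(DOC_EXT.search(path)) or "msword" in event["ctype"] \
        or "wordprocessingml" in event["ctype"]


def find_staged_lures(log_text, window=timedelta(minutes=2)):
    """Return (client_ip, lure_url, document_url) for every request that
    carries an e-mail address as a query parameter and is followed, within
    `window`, by a Word document download from the same client."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if not EMAIL_IN_QUERY.search(ev["url"]):
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are time-ordered, nothing further can match
            if later["ip"] == ev["ip"] and looks_like_word_doc(later):
                hits.append((ev["ip"], ev["url"], later["url"]))
                break
    return hits
```

A plain webmail login with an email parameter (10.0.0.9) and an ordinary document download without a preceding email-tagged request (10.0.0.7) are both left alone; only the paired sequence is reported.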
Park says, “Another notable technique used by Kimsuky is the use of a client verification process to confirm the relevant victim it wants to compromise. Kaspersky experts have even seen the contents of decoy documents on various topics, including the agenda for the 2022 Asian Leadership Conference, a fee application form, and resumes of Australian diplomats.
“We have seen that the Kimsuky group is continually evolving its malware infection patterns and adopting new techniques to hinder analysis. The difficulty in keeping up with this group is that it is difficult to acquire a full infection chain. As we can see from this research, more recently the hackers are adopting a victim verification methodology in their command and control servers.
“Despite the difficulty of obtaining server-side objects, if we analyze an attacker’s server and malware from the victims’ side, we can fully understand how threat actors exploit their infrastructure and what kind of techniques they use.”
To protect systems and networks from Kimsuky’s covert tactics and techniques, Kaspersky experts suggest:
- Full context-based defense is key
- Hit-and-run style defense never works
- To understand the full threat landscape, it is advisable to have services that provide in-depth, real-time reporting and analysis.
- Diversify points of defense
- Cooperation with other industries
- Each sector has different sets of strengths and expertise
- Cooperation is key to understanding the multidimensionality of cyber threats, thus enabling better strategies against them