New Kimsuky Module Makes North Korean Spyware More Powerful

A week after the US government released a consultation on a worldwide spy mission led by North Korean government shackers, new data emerged about the spying power of a threatening group.

APT, called Kimsuky (also known as Black Banshee or Thallium) and active since 2012, is now associated with three undocumented malware programs, including an information theft program, an anti-malware scanning tool, and a new server infrastructure that significantly overlaps the old spyware infrastructure.

The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but in recent years they have expanded their targets to countries such as the United States, Russia and several European countries, Cybereason researchers said in their analysis yesterday.

Last week, the FBI and the departments of Defence and Homeland Security jointly issued a memo describing Kimsuki’s tactics, methods and procedures (TTP).

Using harpoon fishing and social engineering tricks to gain initial access to the victims’ networks, the APT is known for targeting individuals identified as experts in various fields, think tanks, the crypto-money industry and South Korean government agencies, posing as South Korean journalists to send emails embedded in the BabyShark malware.

In recent months, Kimsuki has been credited with a series of campaigns using coronavirus bait e-mails with armed Word documents as infection carriers to gain a foothold on victims’ computers and launch malware attacks.

Kimsuki focuses its intelligence activities on foreign policy and national security issues related to the Korean Peninsula, nuclear policy and sanctions, according to the Cyber Security and Infrastructure Security Agency (CISA).

Today, according to Cybereason, the killer has acquired new capabilities with a modular spyware program called KGH_SPY that allows him to spy on target networks, intercept keystrokes and steal sensitive information.

In addition, KGH_SPY backdoor can load a secondary payload from the command server (C2), execute random commands via cmd.exe or PowerShell and even collect references from web browsers, Windows Credentials Manager, WINSCP and email clients.

Also worth mentioning is the opening of a new malware called CSPY Downloader, which is designed to prevent the scanning and downloading of additional payloads.

Finally, Cybereason researchers discovered a new toolkit infrastructure registered between 2019 and 2020 that overlaps with the BabyShark malware previously used to combat American think tanks.

Threatening parties have tried to stay on the radar using various anti-criminal and anti-analytical methods. According to the researchers, these include the generation/compilation of malware samples up to 2016, code obfuscation, anti-VM and anti-debugging methods.

Although the identity of the victims of this campaign remains unclear, there are indications that the infrastructure is intended for organisations involved in human rights violations.


Related Tags: