Kimsuky APT group is one of North Korea’s threat actors that has primarily targeted South Korean government entities. Read on to know more about it…
As it continues to launch espionage attacks, North Korean APT group Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollim, has been discovered adopting new Tactics, Techniques, and Procedures (TTPs). According to researchers, the notorious gang has gone far beyond its traditional strategies of using social engineering, spear-phishing, and watering hole attacks to target its victims.
The Korean Internet & Security Agency (KISA) published a detailed analysis of the TTPs employed by Kimsuky APT to target South Korean government agencies in December 2020. Malwarebytes began monitoring the group's activities after following the report's trails and discovered several phishing websites, documents, and scripts.
The Ministry of Foreign Affairs, the Trade Minister, the Deputy Consul General at the Korean Consulate General, the International Atomic Energy Agency (IAEA), and the Ambassador of the Sri Lankan Embassy to the United States were among the targets. Apart from them, the attacks targeted well-known universities, such as Seoul National University, as well as companies, such as Daishin.
The Kimsuky APT group had devised various phishing strategies to imitate Gmail, Hotmail, Microsoft Outlook, Nate, Daum, Naver, and Telegram, among others, in order to launch these attacks. Kimsuky did extensive research on Twitter before launching these attacks. This allowed the group to construct well-crafted spear-phishing emails that resulted in the AppleSeed backdoor being downloaded.
Another set of researchers looking into the threat actor’s activities has discovered that the group is divided into two sub-groups. The sub-groups, known as CloudDragon and KimDragon, differ from one another in terms of their targets, malware employed, and infrastructure.
However, both the sub-groups have South Korea as their principal target, in addition to the United States. Both the sub-groups have carried out attacks on government agencies, educational institutions, and research facilities. Furthermore, CloudDragon has adopted a new phishing tactic that allows attackers to auto-update content on fraudulent websites that appear to be authentic.
In terms of capability, the Kimsuky APT gang can set up phishing infrastructure to imitate well-known websites in order to trick victims into entering their credentials. This is one of the key tactics this threat actor employs to gather email addresses that will subsequently be utilised to send spear-phishing emails. The Kimsuky APT group is still employing the same phishing models as those described in the KISA report, with a few minor variations.
For instance, they have added the Mobile_detect and Anti_IPs modules from phishing model type B to type C (as labelled in the KISA report) so that they can detect mobile devices and adapt the view accordingly. Based on the parameter value received from the phishing email, this phishing model can display phishing pages in English or Korean. Kimsuky has used this strategy to target not only Korean-speaking victims, but also English-speaking people.
Kimsuky is one of the North Korean threat actors that has primarily targeted government entities in South Korea.
According to the research, the Kimsuky APT gang is still employing the same infrastructure and TTPs as disclosed by KISA in December 2020. Its most recent attack, which used the AppleSeed backdoor, targeted the Ministry of Foreign Affairs.
Kimsuky is not a new group, but it has adopted new ways to further its intelligence-gathering purpose. The threat group's adoption of supply chain attacks, cross-platform attacks, and new modifications to its phishing campaigns shows that it is here to stay for a long time.