Additional Hacking Tools Tied to North Korea-Linked Group
Kimsuky Group Employs Fresh Spying Tools, Infrastructure, Cybereason Reports
Researchers with security firm Cybereason have uncovered a fresh set of malicious tools tied to a North Korean-linked hacking group called Kimsuky, according to an analysis published Monday.
The Kimsuky-linked tools include a modular spyware suite called "KGH_SPY," a malware downloader dubbed "CSPY Downloader," as well as additional infrastructure that overlaps with a previous campaign that targeted a U.S. think tank in 2018, according to the Cybereason report.
And while this advanced persistent threat group has been in operation since at least 2012, the Kimsuky hackers were the subject of a joint alert issued by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency late last month that also provided additional details about its activities and motives (see: Sizing Up Activities of North Korea's Kimsuky APT Group).
The Cybereason Nocturnus team believes that Kimsuky has been using these new malicious tools since at least 2019, but Assaf Dahan, senior director and head of threat research, says it's not clear which organizations or countries have been targeted.
"Kimsuky is one of the most industrious hacking groups known to the intel community, so they are always on the radar. We see the group has been very active in 2020 with operations spanning multiple industries and regions," Dahan tells Information Security Media Group. "At this point in time, the location of the victims is unclear. There are, however, some clues that the malware may have already been used to attack government agencies and human rights activists."
For years, Kimsuky has targeted various government agencies with ties to South Korea, but it's also known to victimize organizations in the U.S., Japan, parts of Europe and Russia. The Cybereason report notes the hacking group has recently started to target pharmaceutical and research companies working on COVID-19 vaccines and therapies (see: FBI: Hackers Targeting US COVID-19 Research Facilities).
The Kimsuky group is known for cyber espionage campaigns designed to collect intelligence on foreign policy and national security issues related to the Korean peninsula, as well as on nuclear policy and sanctions proposals that affect North Korea, according to the joint CISA and FBI alert. The hackers use spear-phishing and watering-hole tactics to reach victims and plant malware on their devices.
The first tool uncovered by the Cybereason research team is KGH_SPY, a modular suite that gives the hacking group several capabilities, including reconnaissance, keylogging, information stealing and backdoor access to compromised devices, according to the report.
KGH_SPY appears to be delivered to targeted victims through phishing emails that typically carry an attached Microsoft Word document. The document contains malicious macros; if the recipient opens the file and allows the macros to run, the macro code installs KGH_SPY on the device, according to the report. The infection therefore depends on the user clicking through Word's macro warning, which is why the lures are crafted to look like material the target would want to read.
The report also notes that these phishing emails carry subject lines and documents that appear to target nongovernmental organizations working on human rights and North Korea. One Word document is titled "Interview with a north korean defector.doc," while another appears to be a letter, written in English and Japanese, addressed to Shinzo Abe, the former prime minister of Japan, on the subject of human rights in North Korea.
The other new malicious tool, called CSPY Downloader, is designed to avoid detection and act as a downloader for other malware, according to the report.
"[The malware] is packed with robust evasion techniques meant to ensure that the 'coast is clear' and that the malware does not run in a context of a virtual machine or analysis tools before it continues to download secondary payloads," according to the report.
As with KGH_SPY, CSPY Downloader is delivered through phishing emails with a human rights theme, and once installed it connects to a command-and-control server, according to the report. The malware also carries a falsified code-signing certificate so that it passes as legitimately signed software, and it masquerades as a legitimate Windows service to evade security tools.
During its analysis, Cybereason also found that these new tools share some of the same infrastructure, such as IP addresses and domains, that Kimsuky previously used in other campaigns.
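A downloader that installs itself as a service under a borrowed Windows service name and ships with a bogus signing certificate leaves a checkable trace on the host: the service's backing executable either is not signed at all or fails Authenticode validation. The PowerShell hunt below is an added example, not code from the Cybereason report, and it does not look for any specific Kimsuky indicator. It enumerates every Win32 service, resolves the executable from the service's command line, and lists those whose binary is missing or whose signature status is anything other than Valid. Run it in an elevated session; the output is a list of leads to triage, not a verdict.

```powershell
# Added example (not from the Cybereason report): list Windows services whose
# backing executable does not carry a valid Authenticode signature.

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Service command lines come in three shapes:
    #   "C:\Program Files\Vendor\svc.exe" -k args   (quoted path)
    #   C:\Windows\system32\svc.exe -k args          (unquoted, no spaces)
    #   C:\Program Files\Vendor\svc.exe args         (unquoted with spaces)
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }   # -match is case-insensitive
    return ($PathName -split ' ')[0]
}

function Get-UnsignedServiceBinaries {
    $findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExecutablePath -PathName $svc.PathName

        if (-not (Test-Path -LiteralPath $exe)) {
            # A service pointing at a file that no longer exists is itself worth a look.
            [pscustomobject]@{
                Service = $svc.Name; DisplayName = $svc.DisplayName
                Path = $exe; Status = 'FileMissing'; Signer = $null
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $exe
        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            Path        = $exe
            Status      = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer      = $sig.SignerCertificate.Subject
        }
    }
    # Everything that is not a clean 'Valid' goes to the analyst.
    $findings | Where-Object { $_.Status -ne 'Valid' }
}

Get-UnsignedServiceBinaries |
    Sort-Object Status, Service |
    Format-Table Service, DisplayName, Status, Signer, Path -AutoSize
```

When reading the results, weight two things the page's description of CSPY Downloader points to: a display name that copies a built-in Windows service while the binary lives outside %SystemRoot%, and a signature whose status is HashMismatch or UnknownError rather than NotSigned, since that is what a tampered or untrusted certificate chain looks like to the Authenticode verifier. Services whose binary is unsigned but shipped by a known vendor are common, so the Signer column and the path together, not the status alone, decide what gets escalated.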
In this case, the infrastructure used by Kimsuky overlaps with that of another malware variant called BabyShark, which targeted a U.S. think tank in 2018, according to an earlier report by Palo Alto Networks' Unit 42.
"Newly discovered toolset infrastructure registered between 2019 and 2020 that overlaps with another Kimsuky malware called BabyShark that was used in the past to target U.S.-based think tanks," the report notes.
Velvet Chollima, Black Banshee, Thallium
The Cybereason report notes that Kimsuky is also called Velvet Chollima, Black Banshee and Thallium by other security researchers. The FBI and CISA joint alert notes that the group appears to have ties to another North Korean hacking group called Hidden Cobra, which is also referred to as the Lazarus Group (see: CISA, FBI Warn of Malware Tied to North Korean Hackers).