Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Geo Focus: Asia

Kimsuky Group Tied to Malware Attacks on South Korean Firms

Hackers 'Water-Holed' Local Security Software Download Site to Distribute Malware
Kimsuky Group Tied to Malware Attacks on South Korean Firms
Students at a computer learning course in Pyongyang, North Korea (Image: Shutterstock)

North Korean cybercrime group Kimsuky is likely behind the malware campaign that targeted South Korean organizations to gain access to confidential data.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

South Korean cybersecurity company S2W said the North Korean cyberespionage group attempted to infect computers with information-stealer malware by placing a malicious installation package in a web page that redirected to a site to download a security program.

The malware campaign targeted individuals and organizations that use products and services offered by Seoul-based security company SGA Solutions, which offers system, cloud and endpoint security services to South Korean organizations.

According to the researchers, the hackers disguised the malicious installation as the TrustPKI installer for the SGA solution. When downloaded and executed, the installer dropped info-stealer malware, which S2W tracks as Troll Stealer, and another backdoor that executes commands received from a command-and-control server.

Troll Stealer malware, written in the Go programming language, is signed with a legitimate "D2innovation Co.,LTD" certificate to evade detection. The malware steals system information and sends it to the C2 server when executed.

Information accessed by Troll Stealer includes C drive files and directories, screen captures and information stored in the file transfer software FileZilla and Microsoft Sticky Note. The researchers said that the malware used HackBrowserData, an open-source program written in Go language, to steal data from Chromium-based browsers and Firefox browsers.

Troll Stealer also can steal cookies, history, downloads and extensions from browsers and save them as JSON files in the browser directory before sending the information to the C2 server. The malware also uses a combination of RC4 and RSA-4096 algorithms to encrypt stolen data before sending it to the C2 server.

The researchers said that the malware also could access and exfiltrate the GPKI folder on infected systems, which indicates that the hackers used it to primarily target government organizations. Government and public organizations use GKPI, also known as an administrative electronic signature certificate, to verify the authenticity of administrative electronic signatures.

S2W attributed the malware campaign to the North Korean Kimsuky group as Troll Stealer shares "nearly identical commands for collecting system information in the AppleSeed malware and the same RC4 + RSA combination for file encryption used by the AlphaSeed malware." The Kimsuky group previously has used the two malware variants in cyberespionage campaigns.

South Korea's Gyeonggi Nambu Provincial Police Agency said in August last year that the Kimsuky group had targeted a joint exercise between U.S. and South Korean military forces in an attempt to access information on the military maneuvers (see: North Korea's Kimsuky Group Targeted US-Korean Drills).

The researchers said that the backdoor malware deployed in the January campaign is similar to Kimsuky's BetaSeed malware. Both malware variants steal information from compromised systems and perform additional malicious actions based on the commands they receive from the C2 server.

Prior to this campaign, the Kimsuky Group's malware samples had never been observed hijacking GPKI files, which indicates that the group may have switched tactics to sharpen its attacks. "The Kimsuky group has no known history of hijacking GPKI folders or utilizing the SOCKS5 protocol in the past, so it is possible that they have set new targets, or that another group with access to the source code for AppleSeed/AlphaSeed created Troll Stealer and GoBear," the researchers said.

North Korean hackers recently have tested innovative tactics to breach or to spy on South Korean organizations amid worsening ties between the two countries. South Korea's intelligence agency reported in January that North Korean hackers had used generative AI technology to conduct sophisticated cyberattacks and identify hacking targets (see: North Korean Hackers Using AI in Advanced Cyberattacks).

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.