North Korean hackers discovered behind spate of credential theft campaigns


A threat actor with ties to North Korea has been linked to a prolific wave of credential-theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.

Enterprise security firm Proofpoint attributes the intrusions to a group it tracks as TA406, which the broader threat intelligence community knows as Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM) and the Konni Group (Cisco Talos).

Policy experts, journalists and non-governmental organizations (NGOs) were targeted in weekly campaigns observed between January and June 2021, Proofpoint researchers Darien Huss and Selena Larson revealed in a technical report detailing the actor's tactics, techniques and procedures (TTPs). The attacks reached targets in North America, Russia, China and South Korea.

Known to have been operational since at least 2012, Kimsuky has become one of the most active advanced persistent threat (APT) groups, focused on cyber espionage but also known to carry out financially motivated attacks. It targets government entities, think tanks and individuals identified as experts in various fields, and gathers sensitive information on foreign policy and national security issues.


“Like other APT groups that make up a big umbrella, Kimsuky contains several clusters: BabyShark, AppleSeed, Flower Power, and Gold Dragon,” Kaspersky researchers noted in their Q2 2021 APT trends report released last month. The AppleSeed subgroup is also referred to as TA408.

The group is also known to lure targets with convincing social engineering schemes and watering hole attacks before sending them malware-laced payloads or tricking them into submitting sensitive credentials to phishing sites, the US Cybersecurity and Infrastructure Security Agency (CISA) said in an alert issued in October 2020.

Earlier this month, researchers at Cisco Talos disclosed a Kimsuky campaign, ongoing since June 2021, that relied on malicious blogs hosted on Google's Blogger platform to target high-value South Korean entities, including geopolitical and aerospace research agencies, with the aim of delivering an "ever-evolving set of implants derived from the Gold Dragon/Brave Prince family" that act as file exfiltrators, information gatherers and credential stealers for reconnaissance, espionage and credential harvesting.

“This campaign begins with malicious Microsoft Office documents (maldocs) containing macros delivered to victims,” Talos researchers said. “The infection chain causes the malware to reach out to malicious blogs created by the attackers. These blogs give the attackers the ability to update the malicious content posted on the blog depending on whether or not the victim is of value to the attackers.”

Now, in what appears to be a further escalation, the threat actor has been running near-weekly email campaigns in parallel, impersonating legitimate policy experts and using lures themed around nuclear weapons security, politics and Korean foreign policy, ultimately coaxing targeted individuals into giving up their corporate credentials via a malicious URL embedded in the messages that redirects victims to customized credential-harvesting pages.

Kimsuky’s phishing campaigns saw a noticeable shift in March 2021, when the emails moved beyond credential theft to become a vehicle for malware distribution, coinciding with the North Korean missile tests conducted later that month.


The emails included a link that sent the target to an attacker-controlled domain used to trick them into downloading a compressed archive containing a binary, which in turn creates a scheduled task that runs every 15 minutes to install additional malware from a remote server. The ultimate motive for the attacks remains unclear, however, as no follow-on payload was observed.
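The scheduled-task persistence described above is cheap to hunt for on the endpoint. The following Python is an added example written for this page, not Proofpoint's code or a tool from the report: it triages Windows Task Scheduler task definitions (the same XML that Security event 4698 records in its TaskContent field when a task is created) and flags the combination of a short repetition interval and an executable living in a user-writable directory. The 30-minute threshold, the path patterns and the two sample task definitions are assumptions constructed for the example; the article gives no task name or binary path from the actual campaign, so none is used here.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of every Windows Task Scheduler task definition. The same XML is
# carried in the TaskContent field of Security event 4698 ("A scheduled task
# was created"), so this works on exported tasks and on event logs alike.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic thresholds for this example (assumptions, tune for your estate):
# benign maintenance tasks rarely repeat more often than every 30 minutes, and
# their binaries normally live outside user-writable directories.
MAX_BENIGN_INTERVAL_MIN = 30
USER_WRITABLE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Downloads\\|\\ProgramData\\|%APPDATA%|%TEMP%|%TMP%)",
    re.IGNORECASE,
)

# ISO 8601 durations as Task Scheduler writes them, e.g. PT15M, PT1H30M, P1D.
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(value):
    """Convert an ISO 8601 duration to minutes; None if empty or malformed."""
    m = _DUR.match((value or "").strip())
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(task_xml):
    """Summarise one task definition and flag the article's pattern: a short
    repetition interval combined with an executable in a user-writable path."""
    root = ET.fromstring(task_xml)

    # Any trigger type (TimeTrigger, LogonTrigger, ...) may carry a Repetition.
    intervals = [
        iso_duration_minutes(el.text)
        for el in root.findall(".//t:Triggers/*/t:Repetition/t:Interval", NS)
    ]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None

    commands = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        commands.append(f"{cmd} {args}".strip())

    reasons = []
    if shortest is not None and shortest <= MAX_BENIGN_INTERVAL_MIN:
        reasons.append(f"repeats every {shortest:g} min")
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"runs from user-writable path: {cmd}")

    return {
        "interval_minutes": shortest,
        "commands": commands,
        # Require both indicators so a frequent but system-resident task, or a
        # one-off run from %TEMP%, does not fire on its own.
        "suspicious": len(reasons) >= 2,
        "reasons": reasons,
    }


# Constructed sample task definitions (not real indicators from the report).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval></Repetition>
      <StartBoundary>2021-03-10T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Roaming\update.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2021-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml_text))
```

Feed it the XML from `Export-ScheduledTask` or the TaskContent of 4698 events. The interval on its own is a weak signal, since plenty of legitimate agents poll every few minutes, which is why the verdict requires both the short interval and the user-writable path before it fires.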

Another notable attack in June resulted in the deployment of a downloader ("FatBoy") via an HTML attachment lure, which was then used to retrieve a next-stage reconnaissance script capable of collecting "detailed information" about the targeted device. Proofpoint said the two campaigns overlapped with attacks previously attributed to the Konni Group.

Other notable tools in its arsenal include a Windows keylogger dubbed YoreKey, a number of malicious Android apps targeting cryptocurrency users in South Korea, a deobfuscation service named Deioncube that decodes files protected with ionCube's source code encoding software, and a sextortion scam that tricks email recipients into transferring $500 worth of bitcoin to a valid wallet associated with an NGO based in South Korea.

“It is not known if the NGO was compromised and if the donation message was placed on their website maliciously, or if there is another explanation,” the researchers said. “As of June 2021, the associated bitcoin wallet had received and sent approximately 3.77 bitcoins.”

