North Korea’s Reconnaissance General Bureau (RGB) directs Kimsuky, a cyber espionage actor targeting entities relevant to the DPRK. Despite moderate technical skills, Kimsuky leverages social engineering with elaborate personas to phish victims for credentials and mailbox access.
Kimsuky, a threat actor known for elaborate social engineering, sends spoofed email that abuses lax DMARC enforcement to get past mail security, then builds trust through its personas' backstories and ordinary-looking correspondence before sending phishing emails.
Phishing emails may carry password-protected attachments hosted either on public services or on Kimsuky-controlled infrastructure. The group also operates a custom phishing toolkit whose features let it run campaigns at scale.
The group uses social engineering tactics with lures relevant to the targets’ work or personal lives, including topics like payments, crypto regulations, or job descriptions. In a campaign targeting the South Korean Embassy in China, Kimsuky sent a password-protected archive containing a malicious LNK file disguised as a Hangul word processor file.
This LNK file downloaded the next-stage malware from public cloud storage, decrypted it, and executed it in memory. The shortcut itself carried a distinctive multiline string in its description field and a leading space in its arguments field, both potential indicators of Kimsuky activity.
Rapid7 found Kimsuky using LNK (shortcut) files to deliver malware: the shortcut downloads the next-stage payload from Dropbox and executes it in memory after decryption.
Researchers observed several techniques Kimsuky uses to evade security controls, including in-memory execution, PowerShell obfuscation, leading spaces in shortcut arguments, and logical OR expressions combined with junk strings.
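As an added defender-side example (not code from Rapid7 or from the original article), the following Python walks the Shell Link (.lnk) string fields and flags the two shortcut traits noted above, a multiline description and a leading space in the arguments; the fixture builder and its sample strings are constructed here and are not taken from a real sample.

```python
import struct

# Fixed ShellLinkHeader prefix: HeaderSize (0x4C) followed by the Shell Link CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# LinkFlags bits that say which optional structures follow the header, in file order.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    1 << i for i in range(8)
)
STRING_FIELDS = ((HAS_NAME, "description"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

def parse_string_data(data: bytes) -> dict:
    """Walk a .lnk file and return its StringData fields (description, arguments, ...)."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76  # the header is fixed-size; optional structures follow it in order
    if flags & HAS_IDLIST:  # LinkTargetIDList: u16 size, then the ID list itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: u32 total size stored at its start
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:  # each present string: u16 char count, then the chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        off += count * width
    return fields

def lnk_indicators(data: bytes) -> list:
    """Flag the two shortcut traits the report associates with Kimsuky LNK lures."""
    fields = parse_string_data(data)
    hits = []
    if any(c in fields.get("description", "") for c in "\r\n"):
        hits.append("multiline description")
    if fields.get("arguments", "").startswith(" "):
        hits.append("leading space in arguments")
    return hits

def build_lnk(description: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only a description and arguments."""
    flags = HAS_NAME | HAS_ARGS | IS_UNICODE
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52  # rest of header zeroed
    def field(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + field(description) + field(arguments)
```

Run `lnk_indicators` over the bytes of any shortcut pulled from a mail attachment or archive; an empty list means neither trait is present, not that the file is benign.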
The group has adopted new delivery formats for its payloads: CHM (Compiled HTML Help) files, which can embed and execute HTML and JavaScript, and .msc files, which create and open Microsoft Management Console snap-ins.
These files can be disguised as lure documents to trick users into opening them. When a CHM or .msc file is opened, it can execute malicious code, such as downloading and installing malware or stealing data.
Kimsuky relies on scripting languages such as PowerShell, VBScript, and JavaScript, chaining these scripts with LNK and CHM files for initial execution.
The scripts download additional payloads (for example XeroRAT) from cloud storage and establish persistence through scheduled tasks, while Kimsuky also uses obfuscation such as double base64 encoding and built-in Windows tools such as certutil to slip past security controls.
For credential theft and mailbox access the group uses PowerShell scripts, information stealers, and custom tools such as BabyShark (VBScript) and AppleSeed (a backdoor).
Recently, they’ve shifted to Golang-based malware like AlphaSeed, which utilizes the Chrome DevTools Protocol for communication. Persistence is achieved through common techniques like scheduled tasks and system binary execution.
Their infrastructure reuses IP addresses, relies on lookalike domains, and uses free TLS certificates; this pattern suggests active development and possible collaboration within the DPRK hacking scene.