
Kimsuky Hackers from North Korea Use New Tactics and Malicious Scripts in Latest Campaigns


The North Korean state-sponsored Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as “Black Banshee,” has been observed employing new tactics and malicious scripts in their latest cyber espionage campaigns.

Active since at least 2012, Kimsuky has been targeting countries such as South Korea, Japan, and the United States.

Sophisticated Infection Chain and Payload Analysis

Recent analysis of Kimsuky’s attack vectors reveals a complex infection chain involving multiple components.

The initial payload, delivered via a ZIP file, contains four key elements: a VBScript, a PowerShell script, and two encoded text files.

The VBScript is obfuscated with the Chr() and CLng() functions: it builds its strings character by character at run time, so the command it ultimately executes never appears as a literal in the file, which defeats signature-based detection.
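A defender triaging such a dropper usually wants the obfuscated strings back in plaintext before reading further. The following Python helper, added here as an example and not code from the article or from the Kimsuky sample, resolves Chr() and Chr(CLng()) chains (decimal and &H hex literals, which CLng() accepts) and follows `x = x & ...` concatenations so each variable's final value is recovered. The VBScript fragment it parses is constructed for the example.

```python
import re

# Constructed sample of the Chr()/CLng() style obfuscation the article
# describes; not taken from the real Kimsuky script. Decimal and &H hex
# literals are both accepted by CLng(), so both forms appear here.
SAMPLE_VBS = '''
Dim cmd
cmd = Chr(CLng(112)) & Chr(CLng(111)) & chr(119) & Chr(CLng("&H65")) & Chr(114)
cmd = cmd & Chr(CLng(115)) & Chr(104) & Chr(CLng(101)) & Chr(108) & Chr(CLng(108))
'''

# Matches Chr(<n>) or Chr(CLng(<n>)) where <n> is a decimal or &H-prefixed hex
# literal, optionally quoted. VBScript is case-insensitive, so the regex is too.
_CHR_RE = re.compile(
    r'chr\s*\(\s*(?:clng\s*\(\s*)?"?(&h[0-9a-f]+|\d+)"?\s*\)?\s*\)',
    re.IGNORECASE,
)

# Simple "name = expression" assignment line.
_ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')


def _literal_to_int(token):
    """Convert a VBScript numeric literal ('112' or '&H65') to an int."""
    if token.lower().startswith("&h"):
        return int(token[2:], 16)
    return int(token)


def decode_chr_chain(expr):
    """Resolve every Chr()/Chr(CLng()) call in one VBScript expression and
    return the characters concatenated in source order."""
    return "".join(chr(_literal_to_int(m.group(1))) for m in _CHR_RE.finditer(expr))


def reconstruct_assignments(script):
    """Walk the script line by line and accumulate the plaintext each
    variable is built from. A line of the form 'x = x & ...' appends to the
    current value of x; any other assignment replaces it."""
    values = {}
    for line in script.splitlines():
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        decoded = decode_chr_chain(expr)
        if re.match(rf'^\s*{name}\s*&', expr, re.IGNORECASE):
            values[name] = values.get(name, "") + decoded
        else:
            values[name] = decoded
    return values


if __name__ == "__main__":
    for name, text in reconstruct_assignments(SAMPLE_VBS).items():
        print(f"{name} = {text!r}")
```

The regex approach deliberately does not evaluate the script; it only collects the numeric literals, which is enough for the Chr()-chain pattern and keeps the analysis static and safe. Other constructs (string reversal, Mid() slicing) would need their own handlers.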

The PowerShell script (1.ps1) plays a crucial role in the attack by decoding base64-encoded data from the 1.log file and executing it.

[Figure: Unprotect-Data function]

This script reads the BIOS serial number of the compromised system and uses it to name a unique directory under the temp folder, where the attack's working files are stored.

Notably, the malware includes VM-aware capabilities, terminating its execution if it detects a virtual machine environment.

Advanced Functionalities and Data Exfiltration Techniques

The core of the attack lies in 11 functions defined in the PowerShell script.

These functions enable various malicious activities, including data exfiltration, cryptocurrency wallet information theft, and Command-and-Control (C2) communication.

The malware demonstrates sophisticated capabilities such as uploading exfiltrated data in 1MB chunks, decrypting browser data from popular browsers like Edge, Firefox, Chrome, and Naver Whale, and targeting specific crypto wallet extensions.
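Uploading stolen data in fixed 1MB pieces leaves a recognisable shape in web-proxy logs: a run of POST requests from one host to one destination whose request bodies are all roughly the same size. The Python detection below is an added example (not from the article or the sample) that groups such requests and raises an alert when enough same-sized uploads occur within a short window. The log format, the tolerance for multipart overhead, and the thresholds are assumptions to be tuned for a real environment; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

CHUNK_SIZE = 1024 * 1024   # 1MB, the chunk size the article reports
TOLERANCE = 4096           # allowance for multipart/header overhead (assumption)
MIN_CHUNKS = 3             # alert after this many full-size POSTs (assumption)
WINDOW_SECONDS = 300       # all chunks must fall inside this window (assumption)

# Constructed proxy log lines, not real traffic. Fields:
# timestamp src_ip method host bytes_out
# Host 10.0.0.5 sends three full chunks and a smaller final remainder.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 POST files.example.invalid 1048701
2024-05-01T09:00:04 10.0.0.5 POST files.example.invalid 1048702
2024-05-01T09:00:07 10.0.0.5 POST files.example.invalid 1048699
2024-05-01T09:00:09 10.0.0.5 POST files.example.invalid 204311
2024-05-01T09:01:00 10.0.0.7 POST cdn.example.invalid 1048576
2024-05-01T09:30:00 10.0.0.7 GET  cdn.example.invalid 512
"""


def parse_line(line):
    """Split one log line into (timestamp, src, method, host, bytes)."""
    ts, src, method, host, size = line.split()
    return datetime.fromisoformat(ts), src, method, host, int(size)


def is_full_chunk(size):
    """True when the request body is within TOLERANCE of one full chunk."""
    return abs(size - CHUNK_SIZE) <= TOLERANCE


def find_chunked_uploads(log_text):
    """Return one alert per (src, host) pair that sent at least MIN_CHUNKS
    full-size POSTs inside WINDOW_SECONDS. A single large upload (one chunk)
    or scattered uploads over hours do not trigger."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, size = parse_line(line)
        if method == "POST" and is_full_chunk(size):
            events[(src, host)].append(ts)

    alerts = []
    for (src, host), times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside WINDOW_SECONDS.
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= MIN_CHUNKS:
                alerts.append({
                    "src": src,
                    "host": host,
                    "chunks": end - start + 1,
                    "first": times[start].isoformat(),
                    "last": times[end].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_chunked_uploads(SAMPLE_LOG):
        print(alert)
```

The trailing remainder (the 204311-byte POST) is intentionally not counted; the signal is the repeated full-size chunks, and the remainder is only useful as confirmation once an alert exists.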

Furthermore, the malware collects extensive system information, including hardware details, installed programs, and network adapter status.

It also implements persistence mechanisms and performs thorough file searches across all drives for specific extensions and name patterns.

[Figure: Persistence]

Keylogging and Clipboard Monitoring

In addition to data theft, the malware incorporates advanced keylogging functionality.

The “2.log” file, when decoded and executed, reveals a script that imports Windows API functions for detecting key presses, monitoring clipboard activity, and logging window titles.
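Both of the encoded text files described above (the base64 data in 1.log that 1.ps1 decodes and runs, and the 2.log keylogging stage) follow the same pattern: decode, then look at what the decoded PowerShell does. The Python triage script below is an added example, not code from the article or the Kimsuky sample. It base64-decodes a log-style stage file, picks UTF-16LE or UTF-8 (PowerShell's -EncodedCommand uses UTF-16LE), and reports which of the behaviours the article describes (BIOS serial collection, temp-folder staging, VM checks, keylogging and window-title APIs, browser-data decryption) the decoded text shows. The decoded sample script is constructed, and the indicator strings are assumptions about how such behaviour is normally written in PowerShell, not strings from the real sample.

```python
import base64
import re

# Constructed second-stage script standing in for a decoded "1.log"/"2.log".
# It only contains the indicator names needed to exercise the scanner; it is
# not the Kimsuky script and does nothing useful if run.
SAMPLE_STAGE = r'''
$serial = (Get-WmiObject -Class Win32_BIOS).SerialNumber
$work = Join-Path $env:TEMP $serial
$model = (Get-WmiObject -Class Win32_ComputerSystem).Model
if ($model -match 'VMware|VirtualBox') { exit }
Add-Type -Namespace Native -Name User32 -MemberDefinition @"
[DllImport("user32.dll")] public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")] public static extern int GetWindowText(IntPtr h, System.Text.StringBuilder s, int n);
"@
'''

# The stage as a dropper would ship it: base64, wrapped at 76 columns the way
# many encoders emit it (constructed from SAMPLE_STAGE above).
_B64 = base64.b64encode(SAMPLE_STAGE.encode("utf-8")).decode("ascii")
SAMPLE_LOG = "\n".join(_B64[i:i + 76] for i in range(0, len(_B64), 76))

# Indicator patterns grouped by the behaviour the article attributes to the
# malware. The strings are assumptions about typical PowerShell spellings.
INDICATORS = {
    "system_fingerprint": [r"Win32_BIOS", r"SerialNumber"],
    "temp_staging":       [r"\$env:TEMP", r"Join-Path"],
    "vm_check":           [r"Win32_ComputerSystem", r"VMware|VirtualBox|QEMU|Hyper-V"],
    "keylogger_api":      [r"GetAsyncKeyState", r"GetClipboardData",
                           r"GetForegroundWindow", r"GetWindowText"],
    "browser_data":       [r"Unprotect-Data", r"ProtectedData\]::Unprotect", r"Naver Whale|Whale"],
}


def decode_stage(log_text):
    """Strip whitespace, base64-decode, and choose UTF-16LE when the odd bytes
    are NUL (ASCII text in UTF-16LE), otherwise UTF-8."""
    raw = base64.b64decode(re.sub(r"\s+", "", log_text), validate=True)
    odd = raw[1:8:2]
    if len(raw) >= 4 and odd == b"\x00" * len(odd):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def scan_indicators(script_text):
    """Return {category: [matched pattern, ...]} so an analyst sees which of
    the described behaviours are present in the decoded script."""
    hits = {}
    for category, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, script_text, re.IGNORECASE)]
        if matched:
            hits[category] = matched
    return hits


def triage_log(log_text):
    """Decode a base64 stage file and scan it in one step."""
    return scan_indicators(decode_stage(log_text))


if __name__ == "__main__":
    for category, patterns in triage_log(SAMPLE_LOG).items():
        print(f"{category}: {', '.join(patterns)}")
```

Run against a real decoded stage, the category list is what matters: a script that hits system_fingerprint, vm_check and keylogger_api together is far more telling than any single string, and the pattern table can be extended as new samples are analysed.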

This component significantly enhances the attacker’s ability to capture sensitive user input and monitor victim activities in real-time.

The Kimsuky group’s evolving tactics and use of multi-component, time-consuming techniques demonstrate their commitment to evading detection and conducting thorough reconnaissance.

As these threats continue to evolve, implementing robust security measures and using reputable security products remains crucial for protecting against such sophisticated cyber espionage campaigns.
