The North Korean state-sponsored APT group Kimsuky, known for its espionage targeting South Korea, the US, and other nations, has evolved its tactics.
Initially employing basic social engineering and malware, Kimsuky now leverages a combination of open-source tools like xRAT for initial access and custom backdoors like Gold Dragon for persistence and data exfiltration.
It has conducted numerous cyberespionage operations against critical sectors. In 2024, its DEEP#GOSU campaign used multi-stage attacks, deploying PowerShell and VBScript for the initial compromise.
Subsequent payloads, downloaded from cloud services, included remote access trojans like TruRat, enabling keylogging, clipboard monitoring, and data exfiltration.
The group has also targeted U.S. defense contractors, compromising sensitive military information through spear-phishing and deploying malware like RandomQuery and xRAT.
Their activities extend to other defense-related entities, as demonstrated by the 2024 breach of Diehl Defence, highlighting their persistent pursuit of sensitive military technologies and strategies.
Kimsuky, a North Korean threat actor, uses spear-phishing emails with malicious attachments (T1566.001) for initial access and employs Batch scripting (T1059.004) and PowerShell (T1059.001) to execute commands and maintain persistence.
It uses compromised email accounts and servers to bypass security checks and appear credible, which includes exploiting misconfigured DMARC DNS policies and using legitimate tools such as PHPMailer and Star.
For persistence, the group creates VBScripts that gather system information and exfiltrate it to a C2 server. It ensures execution by adding the script's path to a Windows Registry Run key (T1547.001), so the payload runs silently each time the user logs in and the group retains control of the infected system.
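The Run-key persistence described above leaves a registry write that endpoint telemetry records. The following detection logic is an added example, not code from the original article or from any vendor: it scores constructed events modelled on Sysmon Event ID 13 (registry value set) and flags Run/RunOnce values that point at a script interpreter, a user-writable path, or an encoded PowerShell command. The event fields and sample values are assumptions for illustration.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 13 (RegistryEvent: value set).
# These are made-up records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\sysinfo.vbs"},
    {"host": "WS01", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd",
     "details": r"powershell.exe -w hidden -enc SQBFAFgAIAAo..."},
    {"host": "WS03", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]

# Only Run / RunOnce keys under any hive are in scope for T1547.001.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script hosts and script file extensions that rarely belong in a legitimate autorun value.
SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b|\.(vbs|vbe|js|hta|ps1)\b",
                            re.IGNORECASE)
# Locations an unprivileged user can write to; autoruns from here deserve a second look.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
# -e / -enc / -EncodedCommand hide the real command line from casual review.
ENCODED_RE = re.compile(r"-e(nc|ncodedcommand)?\b", re.IGNORECASE)


def score_event(ev):
    """Return the reasons a registry value-set event looks like Run-key persistence abuse."""
    if not RUN_KEY_RE.search(ev["target"]):
        return []
    reasons = []
    if SCRIPT_HOST_RE.search(ev["details"]):
        reasons.append("script interpreter in Run value")
    if USER_WRITABLE_RE.search(ev["details"]):
        reasons.append("payload in user-writable path")
    if ENCODED_RE.search(ev["details"]):
        reasons.append("encoded PowerShell command")
    return reasons


def find_suspicious(events):
    """Yield (host, value name, reasons) for every event that scored at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["host"], ev["target"].rsplit("\\", 1)[-1], reasons))
    return hits
```

Feeding real Sysmon or EDR registry events through `score_event` turns the textual indicator in the paragraph above into an alert that names the host, the autorun value and why it was flagged.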
They exploit vulnerabilities in legitimate software like Win7Elevate to gain elevated access and use obfuscation techniques and tools like certutil to hide malicious code.
It also uses ProcDump to steal credentials and a malicious Chrome extension to steal passwords and cookies. Once inside a network, Kimsuky uses tools like systeminfo, tasklist, and dir to gather information about the target environment.
By using a PowerShell-based keylogger named MECHANICAL and network sniffing tools, they harvest credentials and use modified versions of PHProxy to act as a web proxy, intercepting and analyzing traffic between the victim and accessed websites.
For remote access, Kimsuky uses a modified version of the TeamViewer client, and it disables firewalls and modifies registry keys to establish persistence and maintain control over compromised systems.
According to Picus Security, it uses various exfiltration techniques, including sending data through email, archiving collected data, email forwarding rules, encrypted channels, and local data staging.
To mitigate these threats, organizations should implement robust email security measures, including advanced filtering and employee training. Network segmentation and continuous monitoring can limit lateral movement and enable rapid response to intrusions.
Regular software updates and patch management are crucial to closing vulnerabilities exploited by Kimsuky, while advanced endpoint protection solutions, incorporating behavioral analysis and machine learning, can detect and block malicious activities on endpoints.