How 'Kimsuky' hackers ensure their malware only reach valid targets

guest · Sep 3, 2022

By Bill Toulas @billtoulas - August 25, 2022

The North Korean 'Kimsuky' threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers.

According to a Kaspersky report published today, the threat group has been employing new techniques to filter out invalid download requests since the start of 2022, when the group launched a new campaign against various targets in the Korean peninsula.
Click to expand...

The new safeguards implemented by Kimsuky are so effective that Kaspersky reports an inability to acquire the final payloads even after they are successfully connected to the threat actor’s command and control server.
A multi-stage validation scheme
The attacks spotted by Kaspersky begin with a phishing email sent to politicians, diplomats, university professors, and journalists in North and South Korea.
Click to expand...

The emails contain a link that takes victims to a first-stage C2 server that checks and verifies a few parameters before delivering a malicious document. If the visitor doesn’t match the list of targets, they are served an innocuous document.

The document dropped by the first-stage C2 contains a malicious macro that connects the victim to the second-stage C2, fetches the next-stage payload, and runs it with the mshta.exe process.
The next payload is a VBS file that can take the victim to a legitimate blog or, if they’re valid targets, take them to the next payload-download phase.

“Interestingly, this C2 script generates a blog address based on the victim’s IP address. After calculating the MD5 hash of the victim’s IP address, it cuts off the last 20 characters and turns it into a blog address,” details Kaspersky.
Click to expand...

Kaspersky: Kimsuky’s GoldDragon cluster and its C2 operations

Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. Like other sophisticated adversaries, this group also updates its tools very quickly. In early 2022, we observed this group was attacking the media and a think-tank in South Korea and reported technical details to our threat intelligence customer.
Click to expand...

While researching Kimsuky’s novel infection chain, grouped as a GoldDragon cluster, we are faced with several limitations:

It’s not easy to acquire the next stage payloads during analysis of a multi-stage infection.

Even if we connect to the C2 server to acquire the payload, it’s hard to get a relevant response.

It’s not easy to figure out the connection between each object.

The Kimsuky group configured multi-stage command and control servers with various commercial hosting services located around the world.
Click to expand...

Minimalist · Aug 26, 2022

There's probably some code displayed in text on that site, since ESET blocks access to it:

Krusty · Aug 26, 2022

Minimalist said: ↑

There's probably some code displayed in text on that site, since ESET blocks access to it:

View attachment 273207
Click to expand...

Kaspersky doesn't, or maybe uBO blocks it.

Minimalist · Aug 26, 2022

Krusty said: ↑

Kaspersky doesn't, or maybe uBO blocks it.
Click to expand...

In my case Eset blocks it, not uBlock Origin.
It's probably just a detection of malicious code if it's posted in text. It would be better to post code as an image to avoid similar problems.

Krusty · Aug 26, 2022

Yeah, it does appear to be posted as text.

Log in or Sign up

How 'Kimsuky' hackers ensure their malware only reach valid targets

guest Guest

Minimalist Registered Member

Krusty Registered Member

Minimalist Registered Member

Krusty Registered Member

Log in or Sign up

How 'Kimsuky' hackers ensure their malware only reach valid targets

guest Guest

Minimalist Registered Member

Krusty Registered Member

Minimalist Registered Member

Krusty Registered Member

Useful Searches