The full picture of Kimsuky operation: Look at the moon, not at the finger

By Dain Oh, The Readable
Aug. 26, 2022 5:26PM ICT

Kaspersky APAC Cybersecurity Weekend Conference 2022 ― Phuket ― A Korean-speaking advanced persistent threat group, Kimsuky, has built its capabilities of carrying out cyber-attacks against almost any target that it considers, a cybersecurity researcher warned Thursday.

“It takes multi-stages to carry out an APT attack, which involves spear phishing emails and Microsoft Word documents in the initial phases,” Lead Security Researcher for the Global Research and Analysis Team at Kaspersky, Seongsu Park, said at the Kaspersky’s APAC Cybersecurity Weekend Conference.

Since 2013, Kimsuky has earned its notorious reputation for primarily targeting think tanks in South Korea and updating tools quickly to hide its infrastructure. The group is allegedly sponsored by the North Korean government, according to the U.S. Cybersecurity and Infrastructure Security Agency. Kimsuky is also known as Thallium, Black Banshee, and Velvet Chollima, while the U.S. government refers to the group as Hidden Cobra.

Seongsu Park, Lead Security Researcher for the Global Research and Analysis Team at Kaspersky, is having an interview with journalists from the APAC region at the Kaspersky’s APAC Cybersecurity Weekend Conference. Photo by Kaspersky

Park described the Kimsuky operation in two dimensions: the malware dimension and the command-and-control (C2) server dimension. A C2 server is an infrastructure for threat actors like Kimsuky to send malicious commands to victims' devices and control their malwares. While the malware dimension is more accessible to cybersecurity researchers, the C2 server dimension is relatively fussy to gain access to because it is strictly controlled by the actors.

“Cooperating with various law enforcement agencies, I was able to draw a full picture of the Kimsuky operation by putting the last puzzle of its C2 server dimension together,” stressed Park. “In order to respond to sophisticated attacks like APT, it is important to understand not only the malware dimension, but also the C2 server dimension.”

Kimsuky's C2 servers, discovered by Kaspersky. Source: Kaspersky

According to his analysis, Kimsuky has built 603 C2 servers from January to July of this year. This number has been increased dramatically. Kimsuky’s C2 servers were fewer than 100 in 2019. In 2020, the number was doubled, reaching over 200, and kept growing until it reached about 600 last year. “[The rising number of C2 servers] clearly suggests that Kimsuky is posed to launch more attacks, possibly beyond the Korean peninsula,” said Park. “Considering its history, government agencies, diplomatic entities, media, and even cryptocurrency businesses in APAC should be on high alert.”

◇ GoldDragon

According to Kaspersky, the skyrocketing number of C2 servers is part of Kimsuky’s continuous operations in APAC and beyond. In early 2022, researchers observed another wave of attacks targeting South Korean journalists and diplomats.

Dubbed as the GoldDragon cluster, Kimsuky initiated the infection chain by sending a spear phishing email that contains a macro-embedded Word document. A variety of documents were used for this new attack, each showing different decoy contents related to geopolitical issues in the Korean Peninsula. As a decoy, the group utilized documents about various topics, such as the 2022 Asian Leadership Conference, an honorarium request, and an Australian diplomat’s curriculum vitae.

Decoy materials used by Kimsuky in the initial infection. Source: Kaspersky

In addition, Park discovered server-side scripts related to the GoldDragon cluster, which allowed him to map the group’s C2 operation. A notable technique employed by Kimsuky is the use of verification processes against the clients. “We have seen that the Kimsuky group continuously evolves malware infection schemes and adopts novel techniques to hinder analysis,” said Park. “The group recently started to adopt victim verification methodology in their C2 servers.”

The entire process was described as below.

Kimsuky's C2 server structure. Source: Kaspersky

  1. The actor sends a spear phishing email to the potential victim in order to induce them to download additional documents.
  2. If the victim clicks the link, it connects the victim’s device to the first stage C2 server with an email address as parameter.
  3. The first stage C2 server verifies whether the incoming email address is an expected one or not. If it is an expected one on its target list, it delivers a malicious document. The first stage script also forwards the victim's IP address to the next stage server.
  4. When the fetched document is opened, it connects to the second C2 server.
  5. The corresponding script on the second C2 server checks the IP address forwarded from the first stage server in order to verify that it is an expected request from the same victim. Using this IP validation scheme, the actor verifies whether the incoming request is from the victim or not.
  6. On top of that, the operator relies on several other processes to carefully deliver the next payload, such as checking OS type and predefined user agent strings.

To defend critical systems against these attacks, Park emphasized that information sharing is the key. “If we want to defend, the full context must be considered. In order to do that, cooperation between the various industries is also critical. We will never get a full understanding if we only look at the endpoint side.”

The number of malicious objects in each stage of an attack. Source: Kaspersky

According to analysis by Kaspersky, malware authors spend most of their time and energy giving variations to the first stage of attacks. For one case, a threat group made 45 malicious objects in the first stage while it only made 4 in the third stage. The third stage is when a threat actor delivers final payloads to the victims. This means that the first stage, which contains a decoy, is in constant change while the third stage, which contains the damaging content, is rarely changed.

“If someone only focuses on decoy documents in the first stage, he or she will eventually fail to analyze the attack and will be unable to defend against it because a decoy always changes,” said Park. “We have to look at the full picture of an attack through the entire stages, rather than just paying attention to an individual malware or issue.”

This interview has been edited and condensed for clarity.

Photo by Kaspersky

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry on an in-depth level. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nation-wide issue.