Cyber Security News

Researchers Reveal Exploitation Techniques of North Korean Kimsuky APT Group

Since 2013, the advanced persistent threat (APT) known as Kimsuky, which the North Korean government sponsors, has been actively conducting cyber espionage operations. 

It employs advanced malware, spearphishing, and social engineering tactics to infiltrate target networks and exfiltrate sensitive data, focusing on South Korea and other countries with strategic interests in the Korean Peninsula.

Active since 2012, the group has conducted cyber espionage against South Korea, the US, Japan, Russia, and Europe, employing spearphishing, watering-hole attacks, and zero-day exploits to compromise government, education, and business entities and to exfiltrate sensitive data for intelligence gathering.

For initial system access and keylogging, Kimsuky makes use of open-source tools such as xRAT, which consists of multiple stages.

They also deploy custom backdoor malware such as Gold Dragon to establish a persistent presence and covertly exfiltrate sensitive data, which improves the stealth and effectiveness of their cyber-espionage operations.

At the beginning of 2024, the Kimsuky group launched the DEEP#GOSU campaign, which targeted Windows systems with spear-phishing emails carrying malware.

Malicious attachments triggered PowerShell and VBScript scripts that downloaded payloads such as TruRat from cloud services, enabling keylogging, data exfiltration, and other malicious activity while using evasion techniques to hinder detection.
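The attachment-driven script execution described above is the point at which mail filtering can intervene. As an added example that is not code from the article or from the campaign, the following Python triage parses a constructed .eml message and flags attachments that Windows would hand to a script host (VBScript, JScript, PowerShell, HTA), double extensions such as `agenda.pdf.vbs`, padded filenames, and attachment bodies that contain script-host strings. The extension lists, marker strings, and the sample message are assumptions.

```python
"""
Attachment triage for spear-phishing mail, as an added, self-contained example
(not code from the article or from the campaign). It parses a constructed .eml,
flags attachments that Windows would hand to a script host (VBScript, JScript,
PowerShell, HTA), double extensions such as agenda.pdf.vbs, and bodies that
contain script-host strings. Extension lists and the sample mail are assumptions.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions Windows routes to a script host or shell on double-click (assumed list)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".ps1", ".hta", ".wsf", ".lnk", ".bat", ".cmd"}
# Document types that can carry macros, a common lure format (assumed list)
MACRO_DOC_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}
# Names that look like documents and are used to disguise a trailing script extension
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Strings whose presence in the first bytes suggests a script rather than a document
SCRIPT_MARKERS = (b"wscript", b"createobject(", b"powershell", b"<script")


def classify_filename(name: str) -> list:
    """Return the reasons an attachment name looks risky (empty list means none)."""
    reasons = []
    parts = name.lower().rsplit(".", 2)          # up to two trailing extensions
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script-host extension {ext}")
    if ext in MACRO_DOC_EXTENSIONS:
        reasons.append(f"macro-capable document {ext}")
    if len(parts) == 3 and "." + parts[-2] in DOCUMENT_LOOKALIKES and ext in SCRIPT_EXTENSIONS:
        reasons.append("double extension disguising a script as a document")
    if re.search(r" {5,}", name):                # padding pushes the real extension out of view
        reasons.append("padded filename hides the extension")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each risky attachment name to its reasons; clean attachments are omitted."""
    msg = message_from_bytes(raw, policy=default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_filename(name)
        head = (part.get_payload(decode=True) or b"")[:512].lower()
        if any(marker in head for marker in SCRIPT_MARKERS):
            reasons.append("attachment body contains script-host strings")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: one harmless PDF placeholder and one inert VBScript with a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Seminar agenda (constructed sample)"
    msg.set_content("Please find the agenda attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder, not a real document\n",
                       maintype="application", subtype="pdf", filename="agenda.pdf")
    # The script only echoes a string; it exists so the body sniffer has something to match.
    inert_script = b"' constructed sample\r\nWScript.Echo \"hello\"\r\n"
    msg.add_attachment(inert_script, maintype="application", subtype="octet-stream",
                       filename="agenda.pdf.vbs")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, why in triage_message(build_sample_message()).items():
        print(filename, "->", "; ".join(why))
```

Run as a script it reports only `agenda.pdf.vbs`, with three reasons, while the PDF placeholder passes. In a real gateway the same checks would run on every part before delivery, and anything hitting the script-host rules would be quarantined rather than merely logged.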

In 2020, the North Korean group Kimsuky conducted spear-phishing attacks against U.S. defense contractors, where malicious emails delivered payloads such as RandomQuery and xRAT, enabling lateral movement and data exfiltration, potentially compromising critical military technologies and jeopardizing national security.

According to Picus Security, Kimsuky APT uses spear phishing emails with malicious attachments to gain initial access and also leverages PowerShell scripts to execute commands on compromised systems.

Kimsuky uses a PowerShell command to establish the connection to its C2 server, supplying the correct path.

It establishes persistence by using reg.exe to add a VBScript to the Windows Registry Run key; the script is often obfuscated with Base64 encoding and given a misleading filename, and it executes at user login, gathering system information and exfiltrating it to a C2 server.

By leveraging Win7Elevate to bypass UAC, it injects malicious code into explorer.exe, which enables privilege escalation and the deployment of spying tools.

The malware decrypts its payload and stores it in the user's temporary folder to ensure persistence, and through process injection Kimsuky executes the malicious DLL within explorer.exe, achieving stealth while maintaining elevated privileges.
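Each step of that chain leaves endpoint telemetry that a detection engineer can match on: an encoded PowerShell command line, a reg.exe write to a Run key pointing at a script, an executable module dropped under the user's Temp folder, and a thread created inside explorer.exe by another process. The following Python is an added example, not code from the article or from Picus Security: it runs four detectors over a handful of constructed Sysmon-style events and tags alerts with ATT&CK technique ids, then reports whether the Run-key persistence and the explorer.exe injection were both seen. Field names, thresholds, paths, and every sample value are assumptions.

```python
"""
Endpoint detection logic for the persistence and injection chain described above,
as an added example (not code from the article or from Picus Security). It scans a
few constructed Sysmon-style events (process creation, file creation, remote thread
creation) and returns alerts tagged with ATT&CK technique ids. Field names, thresholds
and every sample value are assumptions.
"""
import base64
import re
from typing import Optional

RUN_KEY = "\\currentversion\\run"
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long Base64 run inside a value
ENCODED_PS = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf", ".ps1")
TECH_ID = re.compile(r"T\d{4}(?:\.\d{3})?")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_run_key_persistence(ev: dict) -> Optional[dict]:
    """reg.exe adding a Run-key value; severity rises if it carries Base64 or points at a script."""
    if ev.get("event") != "process_create" or _basename(ev.get("image", "")) != "reg.exe":
        return None
    cmd = ev.get("command_line", "")
    if RUN_KEY not in cmd.lower() or " add " not in cmd.lower():
        return None
    reasons = ["reg.exe writes a Run-key value (T1547.001)"]
    if BASE64_BLOB.search(cmd):
        reasons.append("value carries a Base64 blob (T1027)")
    if any(ext in cmd.lower() for ext in SCRIPT_EXT):
        reasons.append("value launches a script file")
    return {"severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons, "event": ev}


def detect_encoded_powershell(ev: dict) -> Optional[dict]:
    """powershell.exe started with an encoded command; the preview shows what it decodes to."""
    if ev.get("event") != "process_create" or _basename(ev.get("image", "")) != "powershell.exe":
        return None
    m = ENCODED_PS.search(ev.get("command_line", ""))
    if not m:
        return None
    try:   # -EncodedCommand takes Base64 of UTF-16LE text
        preview = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")[:80]
    except ValueError:
        preview = "<undecodable>"
    return {"severity": "medium", "reasons": ["encoded PowerShell command line (T1059.001, T1027)"],
            "decoded_preview": preview, "event": ev}


def detect_explorer_injection(ev: dict) -> Optional[dict]:
    """A thread created inside explorer.exe by some other process (T1055)."""
    if ev.get("event") != "create_remote_thread" or _basename(ev.get("target_image", "")) != "explorer.exe":
        return None
    src = _basename(ev.get("source_image", ""))
    if src == "explorer.exe":
        return None
    return {"severity": "high", "reasons": [f"{src} created a thread in explorer.exe (T1055)"], "event": ev}


def detect_temp_module_drop(ev: dict) -> Optional[dict]:
    """A DLL or EXE written under the user's Temp folder, where the article says the payload is staged."""
    if ev.get("event") != "file_create":
        return None
    path = ev.get("target_filename", "").lower()
    if "\\appdata\\local\\temp\\" in path and path.endswith((".dll", ".exe")):
        return {"severity": "low", "reasons": ["executable module staged in %TEMP%"], "event": ev}
    return None


DETECTORS = (detect_run_key_persistence, detect_encoded_powershell,
             detect_explorer_injection, detect_temp_module_drop)


def scan(events) -> list:
    """Run every detector over every event and collect the alerts."""
    return [hit for ev in events for det in DETECTORS if (hit := det(ev))]


def observed_techniques(alerts) -> set:
    return {t for a in alerts for r in a["reasons"] for t in TECH_ID.findall(r)}


def chain_observed(alerts) -> bool:
    """Run-key persistence together with an explorer.exe injection is the chain the article describes."""
    techs = observed_techniques(alerts)
    return "T1547.001" in techs and "T1055" in techs


# Constructed telemetry; paths, names and the encoded string are placeholders, not campaign artefacts.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"event": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDriveSync '
                     r'/t REG_SZ /d "C:\Users\user\AppData\Local\Temp\OneDriveSync.vbs"'},
    {"event": "file_create", "image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "target_filename": r"C:\Users\user\AppData\Local\Temp\core.dll"},
    {"event": "create_remote_thread", "source_image": r"C:\Users\user\AppData\Local\Temp\svc.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\reg.exe",          # benign query
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_EVENTS)
    for alert in alerts:
        print(alert["severity"].upper(), "|", "; ".join(alert["reasons"]))
    print("chain observed:", chain_observed(alerts))
```

The benign `reg query` event produces nothing, which is the point of matching on the Run-key path and the `add` verb rather than on reg.exe alone. In production the same logic would be expressed as SIEM or EDR rules and the individual alerts correlated per host and user, since a Run-key write and a cross-process thread creation on the same machine within minutes is far more telling than either alone.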

Kimsuky APT uses obfuscation, living-off-the-land tools, and modified legitimate tools to achieve persistence, steal credentials, and exfiltrate data, leveraging techniques such as credential dumping, system information discovery, keylogging, and network sniffing.

To mitigate Kimsuky threats, organizations should implement advanced email filtering, network segmentation, and continuous monitoring.

They must maintain up-to-date software and deploy advanced endpoint protection solutions with behavioral analysis and machine learning capabilities to detect and block sophisticated attacks.


Aman Mishra
