Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Hacker group Kimsuky. Show all posts

North Korean Hacker Group Kimsuky Deploys New Linux Malware 'Gomir' via Trojanized Software Installers

 

North Korean hacker group Kimsuky has unveiled a new Linux malware named "Gomir," a variant of the GoBear backdoor. This development marks a significant advancement in the group's cyber espionage tactics. Kimsuky, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB), has a history of sophisticated cyber attacks aimed primarily at South Korean entities. 

In early February 2024, researchers at SW2, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions. These included TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort. The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear. 

Further investigation by Symantec, a Broadcom company, revealed that the same campaign also deployed a Linux variant of the GoBear backdoor, dubbed "Gomir." This new malware shares many similarities with its Windows counterpart, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, Gomir checks the group ID value to determine if it runs with root privileges on the Linux machine. 

It then copies itself to /var/log/syslogd for persistence, creates a systemd service named ‘syslogd,’ and issues commands to start the service. Following these steps, the original executable is deleted, and the initial process is terminated. To ensure it runs on system reboot, the backdoor attempts to configure a crontab command by creating a helper file ('cron.txt') in the current working directory. If successful, the helper file is removed. Gomir supports 17 operations triggered by commands received from the C2 via HTTP POST requests. 

These operations include pausing communication with the C2 server, executing arbitrary shell commands, reporting the current working directory, probing network endpoints, and more. Notably, these commands are almost identical to those supported by the GoBear Windows backdoor, highlighting the malware's versatility and Kimsuky's ability to adapt its tools across different operating systems. Symantec researchers have pointed out that supply-chain attacks, such as trojanized software installers and fake installers, are a preferred attack method for North Korean espionage actors. 

The choice of software for trojanization seems to be carefully selected to maximize infection rates among South Korean targets. By compromising widely used software solutions, Kimsuky increases its chances of infiltrating targeted systems and exfiltrating valuable data. The implications of Kimsuky's activities are significant. By enhancing their malware capabilities and expanding their target range to include Linux systems, Kimsuky poses a heightened threat to organizations, particularly those in South Korea. 

The use of advanced malware like Gomir demonstrates the group's continuous evolution and sophistication in cyber espionage. Symantec's report on this campaign includes a set of indicators of compromise (IOCs) for multiple malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper. These IOCs are crucial for cybersecurity professionals to detect and mitigate the impact of these threats. 

As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes ever more critical. Organizations, especially those in high-target regions like South Korea, must remain vigilant and proactive in their defense strategies. This includes regularly updating software, conducting thorough security assessments, and implementing comprehensive threat detection and response mechanisms. 

The emergence of Gomir and similar threats underscores the importance of international cooperation in combating cybercrime. By sharing intelligence and collaborating on cybersecurity initiatives, nations can better protect their critical infrastructure and sensitive data from sophisticated threat actors like Kimsuky.

US Govt’s OFAC Sanctions North Korea-based Kimsuky Hacking Group


The Treasury Department’s Office of Foreign Assets Control (OFAC) has recently confirmed the involvement of Kimsuky, a North-Korea sponsored hacking group, in a cyber breach attempt that resulted in the compromise of intel in support of the country’s strategic aims. 

Eight North Korean agents have also been sanctioned by the agency for aiding in the evasion of sanctions and promoting their nation's WMD development.

The current measures are apparently a direct response to the Democratic People's Republic of Korea's (DPRK) purported launch of a military reconnaissance satellite on November 21 in an attempt to hinder the DPRK's ability to produce revenue, obtain resources, and obtain intelligence to further its WMD program.

"Active since 2012, Kimsuky is subordinate to the UN- and U.S. designated Reconnaissance General Bureau (RGB), the DPRK's primary foreign intelligence service," the Department of Treasury stated. "Malicious cyber activity associated with the Kimsuky advanced persistent threat is also known in the cybersecurity industry as APT43, Emerald Sleet, Velvet Chollima, TA406, and Black Banshee."

The OFAC, in August 2010, linked Kimsuky to North Korea's primary foreign intelligence agency, the Reconnaissance General Bureau. 

Kimsuky’s operations mostly consist of stealing intelligence, focusing on foreign policies and national security concerns regarding the Korean peninsula and nuclear policy. 

High-Profile Targets of Kimsuky

One of the most notable high-profile targets of the North Korea-based cyberespionage group includes the compromise of South Korea’s nuclear reactor operator in 2018, Operation STOLEN PENCIL against academic institutions in 2018, Operation Kabar Cobra against South Korean government organizations and defense-related agencies in 2019, and Operation Smoke Screen the same year.

Kimsuky was responsible for targeting at least 28 UN officials and several UN Security Council officials in their spear-phishing campaign conducted in August 2020. The cyberespionage group also infiltrated infiltrated South Korea's Atomic Energy Research Institute in June 2021. 

In September 2019, the US Treasury Department imposed sanctions on the North Korean hacker groups Lazarus, Bluenoroff, and Andariel for transferring money to the government of the nation through financial assets pilfered from global cyberattacks against targets.

In May, OFAC also declared sanctions against four North Korean companies engaged in cyberattacks and illegal IT worker schemes intended to raise money for the DPRK's weapons of mass destruction (WMD) programs.  

U.S. and South Korea Issue Warning on North Korean Hacker Group Linked to Satellite Launch

On Friday, the United States and South Korea released a joint cybersecurity advisory, addressing a North Korean hacker group allegedly responsible for stealing technology utilized in North Korea's recent unsuccessful satellite. South Korea's Foreign Ministry announced unilateral sanctions against the hacker organization, identified as Kimsuky. 

In their joint statement, the United States and South Korea revealed that the Kimsuky group specializes in gathering intelligence related to national security and foreign policy matters concerning the Korean Peninsula. They further alleged that the group shares this intelligence with North Korea while assisting the isolated nation in its purported development of "satellites," which the allies suspect are actually disguised missile tests. 

The statement emphasized that Kimsuky engages in the theft of space and weapons technologies, providing vital support to the regime's ongoing defiance of international sanctions imposed on its nuclear and missile initiatives. In addition to this, the group is also recognized as Velvet Chollima and Black Banshee. The U.S. Cybersecurity and Infrastructure Security Agency has predicted that Kimsuky has likely been operating since 2012. 

Its primary objective is conducting espionage by targeting various entities including South Korean think tanks, industries, nuclear power operators, and the Ministry of Unification. In recent times, Kimsuky has broadened its scope and extended its operations to include nations such as Russia, the United States, and several European countries. 

The group has been "directly or indirectly involved in the development of North Korea's so-called 'satellites' by stealing advanced technologies related to weapons development and satellites and space from all over the world," the statement reads. 

On Wednesday, North Korea launched the Malligyong-1 military reconnaissance satellite, as per their claims. However, during the separation of its first stage, the rocket experienced a loss of thrust and ultimately plunged into the Yellow Sea. 

However, both Seoul and Washington assert that the launch was actually aimed at enhancing the country's ballistic missile capabilities. This action by Pyongyang violates United Nations Security Council resolutions, which prohibit the use of such technology. Despite the unsuccessful outcome of Wednesday's attempt, North Korea is reportedly preparing for a second launch shortly.

Following the incident, Seoul and Washington jointly unveiled new sanctions targeting North Korean information technology workers and organizations suspected of financing the regime's nuclear and missile initiatives. South Korea specifically identified seven North Korean individuals and three entities involved in overseeing the earnings and money laundering activities of these workers. 

The sanctions aim to disrupt the financial networks supporting North Korea's illicit programs. According to the Kimsuky attacks records, in March 2015, South Korea accused Kimsuky of stealing data from Korea Hydro & Nuclear Power. In August 2019, it was revealed that Kimsuky had launched an unprecedented attack targeting retired South Korean diplomats, government officials, and military personnel. 

In September 2020, reports surfaced suggesting that Kimsuky had made an attempted hack on 11 officials associated with the United Nations Security Council, and in May 2021, a lawmaker from the People Power Party disclosed that Kimsuky had been discovered within the internal networks of the Korea Atomic Energy Research Institute.

Kimsuky Spear-Phishing Campaign Goes Global Using New Malware

On Thursday, security researchers from SentinelOne reported that the North Korean state-sponsored APT group, Kimsuky, has been observed utilizing a brand new malware component called ReconShark. The malware is disseminated through spear-phishing emails that are specifically targeted, containing OneDrive links that, when clicked, trigger the download of documents that subsequently activate malicious macros.  

Tom Hegel and Aleksandar Milenkoski from SentinelOne revealed that the spear-phishing emails used to distribute ReconShark are tailored to specific individuals, with a high level of design quality that increases the likelihood of the target opening them. These emails appear legitimate, using proper formatting, grammar, and visual clues that can deceive unsuspecting users. 

Moreover, the malicious documents and the links in the emails are disguised with the names of real individuals whose knowledge or expertise is relevant to the subject of the lure, for instance, political scientists. 

Furthermore, the researcher added that “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses”.

The state-sponsored APT group Kimsuky, which has been operating since 2012, is also identified by other names such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. This notorious threat actor group has been involved in targeted attacks on numerous entities, including non-governmental organizations (NGOs), diplomatic agencies, military organizations, think tanks, research entities, and economic groups across Asia, North America, and Europe. 

In new developments, Kimsuky differs from its predecessors. It avoids storing collected data on the file system. Instead, the malware stores the information in string variables and transmits it to a command-and-control (C2) server via HTTP POST requests. Additionally, ReconShark can install supplementary payloads, such as DLL files or scripts, by examining the detection mechanisms present on the infected systems. 

Furthermore, the security researchers noted that Kimsuky's recent activities are designed to hit global issues. “For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine,” reads the report. 

The discovery of ReconShark highlights the growing proof that Kimsuky is changing its techniques to secretly access and control computer systems, stay undetected, and collect information for prolonged periods.

APT43: Cyberespionage Group Targets Strategic Intelligence


APT43, also known as Kimsuky or Thallium, recently exposed by the Mandiant researchers, is a cyberespionage threat group supporting the objectives of the North Korean regime. By conducting credential harvesting attacks and successfully compromising its targets using social engineering, ATP43 concentrates on gathering strategic intelligence. 

Mandiant, which has been tracking APT43 since 2018, noted that the threat group supports the mission of the Reconnaissance General Bureau, North Korea's primary external intelligence agency. 

In terms of attribution indicators, APT43 shares infrastructure and tools with known North Korean operators and threat actors. Essentially, APT43 shares malware and tools with Lazarus. 

Targets of APT43 

Prior to 2021, the APT43 organization mostly targeted foreign policy and nuclear security challenges, but this changed in response to the global COVID-19 pandemic. 

APT43 primarily targets manufacturing products including fuel, machinery, metals, transportation vehicles, and weaponry whose sale to North Korea has been banned in South Korea, the U.S., Japan, and Europe. In addition to this, the group attacks business services, education, research and think tanks focusing on geopolitical and nuclear policy and government bodies. 

Spear Phishing and Social Engineering Techniques Used by APT 43 

Spear phishing is one of the primary methods used by APT43 to compromise its targets. The group frequently fabricates plausible personas, impersonating important figures. Ones they have succeeded in compromising one such individual, the threat group proceeds into using the person’s contact lists to aim further targets with spear phishing. 

In one such instance, exposed by Google, Archipelago (a subset of APT43) would send phishing emails where they portray themselves as a representative of a media outlet or think task asking the targeted victim for an interview. To view the questions, a link must be clicked, but doing so takes the victim to a phony Microsoft 365 or Google Drive login page. The victim is directed to a paper with questions after entering their credentials. 

According to the Google report, Archipelago tends to interact with the victim for several days in order to build trust before sending the malicious link or file. 

Another tactic used by Archipelago involves sending benign PDF files purportedly from a third party that alerts the recipient to fraudulent logins they should examine. 

Malware Families and Tools Used 

APT43 employs a variety of malware families and tools. Some of the public malware families used include Gh0st RAT, Quasar RAT, and Amadey. However, the threat group mostly uses a non-public malware called LATEOP or BabyShark, apparently developed by the group itself. 

How can you Protect Yourself from the APT43 Security Threat? 

Here, we have listed some measures that could ensure protection against  malicious APT43 attacks: 

  • Educate users about the social engineering techniques used by APT43 and Archipelago.  
  • Train users to detect phishing attempts and report them immediately to their security staff. 
  • Use security solutions to detect phishing emails or malware infection attempts. 
  • Keep operating systems and software up to date and patched. 

Moreover, professionals in the field of geopolitics and international politics are advised to be trained in detecting any approach from attackers or potential threat actors, posing as a journalist or a reporter. Careful identification and examination of such individuals approaching important figures must be taken into priority, prior to any exchange of information or intelligence.  

North Korean hacker group Kimsuky started attacking Russian political scientists

The American cybersecurity company Proofpoint has discovered that the Kimsuky hacker group, presumably from North Korea, is attacking Russian scientists, foreign policy experts, and non-governmental organizations that deal with various issues of interaction with the DPRK.

It follows from the company's research that hackers send phishing emails to Korean experts on behalf of well-known experts in the Russian Federation.

Alexey Pavlov, Business Development Director of the center for countering cyberattacks Solar JSOC Rostelecom-Solar, explained that the letters contain a link, upon clicking on which the user sees a window for entering a login and password. This is similar to a Windows pop-up window for password-protected network resources. According to the attackers' plan, the victim must enter his credentials. Since the unsecured HTTP protocol is used, hackers get the credentials in cleartext.

The Proofpoint study provides an example of such a letter in Russian, allegedly on behalf of the Executive director of the National Committee for BRICS Research, Georgy Toloraya. “Mass mailings are being sent from fake addresses opened in my name,” he confirmed, adding that the signature was copied from old letters.

"Positive Technologies specialists recorded Kimsuky attacks using Korean themes in August," says Denis Kuvshinov, head of the company's threat research department.

According to Group-IB experts, over the past year, Kimsuky has been quite active in conducting cyber espionage operations not only against South Korea but also countries that support it.

The group has been carrying out thematic attacks since 2018. In 2020, it attacked Russian military and industrial organizations.

Experts believe that Kimsuky will try to purposefully extract valuable documents from specific officials and employees of research organizations. Kimsuky can connect infected computers to a botnet or steal access to crypto wallets.