Search This Blog

Showing posts with label TTP. Show all posts

Kimsuky's Attacks Alerted German and South Korean Agencies


In a joint warning issued by the German and South Korean intelligence agencies, it has been noted that a North Korean hacker group named Kimsuky has been increasing cyber-attack tactics against the South Korean network. With sophisticated phishing campaigns and malware attacks, the group has been suspected of being behind the attacks. It is believed that the North Korean government is behind them. Cyberattacks continue to pose a major threat to businesses and governments throughout the world as a result of increasing cyberattacks. 

Kimsuky (aka Thallium and SmokeScreen) is a North Korean threat group that has developed a reputation for utilizing cutting-edge tools and tactics in its operations. There have been two upcoming attack tactics developed by the group that enhances the espionage capabilities of the organization. These tactics raise no red flags on security radars. There are several malicious Android apps and YouTube extensions being abused as well as Google Chrome extensions.   

Kimsuky is believed to have expanded its tactics to attack a wide range of organizations in both countries, according to the German Office for Information Security (BSI) and South Korea's National Intelligence Service (NIS). Initially targeting U.S. government agencies, research institutions, and think tanks, the group has now spread to businesses in the technology and defense sectors as well. 

Kimsuky appears to be using a new malware called "BookCove" to steal sensitive information from its targets, according to a statement issued by the company. A spear-phishing email is designed to appear like it has been sent from a reputable source, but in reality, the message contains malware. Upon clicking the link or attachment in an email that contains malware, the user's computer is infected with the malware. The hacker can have access to the victim's data and can monitor the activities of the victim as a result of this. \

Various South Korean and German agencies suggest that organizations should implement the necessary precautions to safeguard themselves against these threats. Security measures must be taken, such as multi-factor authentication and regular updates, and employees must be educated on the risks associated with phishing. 

North Korean hacking group, Kimsuky, has been operating since 2013, providing malware for PCs. Several sources claim that the group is linked to the Reconnaissance General Bureau of the North Korean government. This Bureau gathers intelligence and conducts covert operations on behalf of the government. 

According to research, the apps, which embed FastFire and FastViewer, are distributed through Google Play's "internal testing" feature. This gives third-party developers the ability to send apps to a "small set of trusted testers." 

Nevertheless, it bears mentioning that these internal app testing exercises cannot exceed 100 users per app, regardless of the number of users. This is regardless of when the app is released into production. There is no doubt that this campaign has a very targeted nature, which indicates its focus. 

Two malware-laced apps use Android's accessibility services to steal sensitive information ranging from financial to personal information. APK packages for each app are listed below with their respective names in APK format:

  • Com. viewer. fast secure (FastFi) 
  • (FastViewer) 
Organizations can take the following measures to protect themselves against Kimsuky's attacks 

A multi-factor authentication system protects the network and system from unauthorized access since it requires the attacker to possess at least two factors, such as a password and a physical device, such as a mobile phone. 

Even if cyber criminals could get past some existing security measures, this would make it far harder for them to access private data. In addition to the above-mentioned measures, organizations may also wish to consider taking the following measures to protect themselves: 
  • Maintaining a regular software update schedule is important. 
  • The best practices for protecting your company's information are taught to your employees. 
  • It is essential to use tools and techniques to detect and respond to advanced threats. 
A robust incident response plan is a crucial tool for organizations to develop to be prepared in case of an incident. If cyberattacks occur, they should be able to respond rapidly and effectively to mitigate their impact.

A growing number of companies are attacked by state-sponsored groups like Kimsuky due to cyberattacks. To reduce their risk of falling victim to these sophisticated cyber-espionage tactics, businesses and governments in Germany need to take proactive steps to protect themselves, including improving their security systems. 

Operating silently, Kimsuky has continuously evolved its TTPs to keep up with changing threats, as well as developing efficient tactics. The majority of attacks are conducted using phishing or spear-phishing. The most significant priority that must be addressed against this threat is to protect the accounts of individuals or organizations and other critical assets. Those involved in organizations and individuals are advised to keep abreast of the latest tactics and adhere to relevant agencies' recommendations.

Qakbot Distributes Malware Through OneNote


There have been reports of a new wave of Qakbot campaigns that use a novel method of distributing malware as part of the delivery process. The name of this sophisticated malware is Qakbot, though this malware has several different names, such as Pinkslipbot, and QuakBot. 

Research has found that Qakbot campaigns have been operating since 2007, and they are using OneNote documents to get the word out to the public. Infected systems tend to have malicious software that targets sensitive data from the systems, such as login credentials, financial data, and personal information. 

It has been observed that Qakbot has been used in recent years to distribute ransomware via other botnets, such as Emotet, which drops a secondary payload onto their botnets. 

In-Depth Discussion of the Subject

  • As part of these campaigns, malware is delivered using two attack vectors; one attacker embeds the URL into the email to download the malicious file, and the other uses the malicious file as an attachment in an email. 
  • Documents in OneNote feature a call-to-action button that runs the payload associated with the document when clicked.  
  • Qakbot uses various evasion methods, such as anti-debugging techniques, anti-dynamic analysis techniques, anti-AV techniques, and encrypted communication between clients and servers. 
What Are The Key Players?

  • Banks, financial institutions, wealth management companies, and even public sector organizations are the most impacted, followed by organizations in the government and outsourcing sectors which are also impacted.
  • Organizations in the United States, Thailand, India, and Turkey were targeted with the campaigns. 
A OneNote-Qakbot Campaign is Not New

According to researchers at Sophos, two parallel spam campaigns, nicknamed Qaknote, were disseminating malicious OneNote attachments by embedding a malicious HTML application within the attachment.

  • This campaign started with the dissemination of an impersonal malspam that contained a link to the malicious OneNote document embedded in the email.  · 
  • Inn the second case, a malicious OneNote notebook for unauthorized use was sent to all recipients in an email reply-to-all message that hijacked existing email threads by exploiting thread injection to hijack existing email threads.
  • After downloading and installing Qbot through these attachments, it is now ready to use.  
Here are the Main Points

Recent Qakbot campaigns have been focused on specifically targeted sectors, in contrast to earlier campaigns that appeared indiscriminate, and researchers predict that this targeted approach will likely persist in future campaigns as well. 

TTPs have been shared between researchers to help detect and mitigate the threats associated with this threat. Emails with attachments with unusual extensions are blocked, malicious websites are avoided, and top-level domains that are rarely used are blocked.   

Threats Increase With Updated "Swiss Army Malware"


There seems to be a slow and steady decline in the production of specialized malware. Alongside, there is a growing trend across cyber-space today for variants to be able to perform a whole host of functions and feature as many features as possible, according to recent studies released. 

It was found that “Swiss Army knife malware” was on the rise due to an analysis of more than 550,000 real-world samples by Picus Security. These strains are multipurpose and capable of performing a variety of actions. 

Among the malware analyzed for the report, a third carries more than 20 individual tactics, techniques, and procedures (TTP), according to the report, which suggests that malware in much larger numbers is involved in cyber threats. There are quite a few attacks that leverage more than ten tactics. One in ten attacks has as many as 30 tactics. Most commonly, the use of legitimate software and the movement of files in a lateral way are among the most common features of these attacks. 

Investment in a Great Deal 

Almost a third of malware samples have been observed to contain executables and script interpreters. According to MITRE's ATT&CK adversary behavior framework, these interpreters are the most prevalent ATT&CK techniques.  

This is the first time Remote System Discovery and Remote Services have appeared in the top ten of this research paper, showing that malware can now exploit built-in tools and protocols within operating systems to avoid detection and avoid being detected by security software. 

The majority of the ATT&CK techniques identified have been used to facilitate lateral movement within corporate networks. Around a quarter of the techniques have been developed to safeguard data and facilitate lateral movement. 

Research conducted by Picus found that all of these things were possible thanks to Picus' heavy investment. According to analysts, many syndicates of ransomware are well-funded, and they are happy to invest their funds back into making even more destructive malware in the future. As a result, cybercriminals have evolved their methods of identifying and eliminating malicious behavior in their attempts to infiltrate consumers' premises. They also take advantage of technological advancements to come up with more sophisticated ways to do so.   

According to Suleyman Ozarslan, Picus Security's Co-founder and VP of Picus Labs, "The objective of both ransomware (opens in new tab) and nation-state actor operators is to achieve the goal in as short and efficient a time as possible," said Ozarslan. More malware can move laterally within an IT environment. This means that adversaries of all types will need to adapt to the differences in IT environments to succeed in their attempt to exploit them. 

Security teams must continue to evolve their approaches as they face a growing threat from sophisticated malware that is becoming more sophisticated daily. There is a strong correlation between prioritizing attacks that are commonly carried out and being able to defend critical assets better. This is because organizations prioritize techniques that are commonly used. Furthermore, they will be able to guarantee that their attention and resources are focused on the areas where they can have the greatest impact. They will be able to maintain a consistent focus on those areas.