Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

North Korea-Linked APT Group Kimsuky spotted using new malware

North Korea-linked APT group Kimsuky was recently spotted using a new piece of malware in attacks on government agencies and human rights activists. North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was recently observed using a new malware in attacks aimed at government agencies and human rights activists. The Kimsuky APT […]

kimusky APT

North Korea-linked APT group Kimsuky was recently spotted using a new piece of malware in attacks on government agencies and human rights activists.

North Korea-linked cyber espionage group Kimsuky (aka Black Banshee, Thallium, Velvet Chollima) was recently observed using a new malware in attacks aimed at government agencies and human rights activists.

The Kimsuky APT group has been analyzed by several security teams, it was first spotted by Kaspersky researcher in 2013, recently its activity was detailed by ESTsecurity and by the team of researchers at my former company Cybaze ZLab.

At the end of October, the US-CERT published a report on Kimusky’s recent activities that provided information of their TTPs and infrastructure.

The APT group mainly targeting think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

Researchers at Cybereason’s Nocturnus team published a new report that includes details on two new pieces of malware associated with the North-Korea linked APT, modular spyware called KGH_SPY and a downloader called CSPY Downloader. Experts also identified a new server infrastructure used by the cyberspies that overlaps with previously identified Kimsuky infrastructure.

“Kimsuky is known for their complex infrastructure that uses free-registered domains, compromised domains, as well as private domains registered by the group.” reads the report published by Cybereason. “Tracking down the infrastructure, the Nocturnus team was able to detect overlaps with BabyShark malware and other connections to different malware such as AppleSeed backdoor”

KGH_SPY is a modular suite of tools that allows attackers to perform reconnaissance, keylogging, information stealing and implements backdoor capabilities

CSPY Downloader is a tool designed to evade analysis and acts as a downloader to deliver additional payloads.

kimusky APT

The new malware appears to have been developed recently, but threat actors might have used Backdating, or timestomping to thwart analysis attempts (anti-forensics). The researchers believe that attackers have tampered with the creation date of most of the files employed in the attacks and backdated them to 2016.

The Kimsuky APT group delivered the malware via weaponized documents, the final goal was cyber espionage, the KGH-Browser Stealer was able to exfiltrate stored data from Chrome, Edge, Firefox, Thunderbird, Opera, Winscp. 

The CSPY Downloader implements anti-analysis techniques, it is able to determine whether it is running in a virtual environment or a debugger is used.

“The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques. At the time of writing this report, some of the samples mentioned in the report are still not detected by any AV vendor,” the Nocturnus team concludes. “While the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure targeted organizations dealing with human rights violations.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky APT)

[adrotate banner=”5″]

[adrotate banner=”13″]