Kimsuky

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2]

ID: G0094
Associated Groups: Velvet Chollima
Version: 1.1
Created: 26 August 2019
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
Velvet Chollima [3]

Techniques Used

Domain ID Name Use
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption before exfil.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence.[4]

Enterprise T1176 Browser Extensions

Kimsuky has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.[4]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used a Google Chrome extension to steal passwords and cookies from their browsers.[3]

Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[4]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[4]

Enterprise T1041 Exfiltration Over C2 Channel

Kimsuky has exfiltrated data over its email C2 channel.[4]

Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all the drives on an infected system.[4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center.[4]

.004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.[4]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission.[4]

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger.[1][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[3][4]

.002 Phishing: Spearphishing Link

Kimsuky has used an email containing a link to a document that contained malicious macros.[1]

Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[4]

Enterprise T1219 Remote Access Software

Kimsuky has used a modified TeamViewer client as a command and control channel.[4]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Kimsuky has used mshta to run malicious scripts on the system.[1]

Enterprise T1082 System Information Discovery

Kimsuky has gathered information about the infected computer.[4]

References