Kimsuky
Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2][3]
Associated Group Descriptions
| Name | Description |
|---|---|
| Thallium | |
| Black Banshee | |
| Velvet Chollima |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Kimsuky has registered domains to spoof targeted organizations and trusted third parties.[5][6][7][3] |
| Enterprise | T1071 | .002 | Application Layer Protocol: File Transfer Protocols |
Kimsuky has used FTP to download additional malware to the target machine.[8] |
| .003 | Application Layer Protocol: Mail Protocols |
Kimsuky has used e-mail to send exfiltrated data to C2 servers.[7] |
||
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Kimsuky has placed scripts in the startup folder for persistence.[9][7][10] |
| Enterprise | T1176 | Browser Extensions |
Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[4] |
|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | |
| .005 | Command and Scripting Interpreter: Visual Basic |
Kimsuky has used Visual Basic to download malicious payloads.[5][8][10] |
||
| .006 | Command and Scripting Interpreter: Python | |||
| .007 | Command and Scripting Interpreter: JavaScript |
Kimsuky has used JScript for logging and downloading additional tools.[8][7] |
||
| Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
Kimsuky has compromised web portal email accounts to send spearphishing e-mails.[8] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers.[4][7] |
| Enterprise | T1005 | Data from Local System |
Kimsuky has collected Office, PDF, and HWP documents from its victims.[9] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Kimsuky has staged collected data files under |
| Enterprise | T1587 | Develop Capabilities |
Kimsuky created and used a mailing toolkit to use in spearphishing attacks.[8] |
|
| Enterprise | T1114 | .003 | Email Collection: Email Forwarding Rule |
Kimsuky has set auto-forward rules on victim's e-mail accounts.[7] |
| Enterprise | T1546 | .001 | Event Triggered Execution: Change Default File Association |
Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.[9] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ||
| Enterprise | T1133 | External Remote Services | ||
| Enterprise | T1083 | File and Directory Discovery |
Kimsuky has the ability to enumerate all the drives on an infected system.[9] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Kimsuky has been observed turning off Windows Security Center.[9] |
| .004 | Impair Defenses: Disable or Modify System Firewall | |||
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Kimsuky has deleted the exfiltrated data on disk after transmission.[9] |
| .006 | Indicator Removal on Host: Timestomp |
Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.[3] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
Kimsuky has used scripts to download additional tools from compromised domains to victim systems.[10] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1557 | Man-in-the-Middle |
Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.[7] |
|
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Kimsuky has disguised services to appear as benign software or related to operating system functions.[7] |
| Enterprise | T1112 | Modify Registry |
Kimsuky has modified Registry settings for default file associations to enable the opening of malicious documents.[7][10] |
|
| Enterprise | T1040 | Network Sniffing |
Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[7] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[5][8] |
|
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.[4][9][5][8][3] |
| .002 | Phishing: Spearphishing Link |
Kimsuky has used an email containing a link to a document that contained malicious macros.[1] |
||
| Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
Kimsuky has used links in e-mail to steal account information.[8] |
| Enterprise | T1055 | Process Injection |
Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[9] |
|
| Enterprise | T1219 | Remote Access Software |
Kimsuky has used a modified TeamViewer client as a command and control channel.[9][10] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.[7] |
| Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta |
Kimsuky has used mshta.exe to run malicious scripts on the system.[1][7][10] |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing | |
| Enterprise | T1082 | System Information Discovery |
Kimsuky has gathered information about the infected computer.[9] |
|
| Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Kimsuky has used pass the hash for authentication to remote access software used in C2.[7] |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Kimsuky has used attempted to lure victims into opening malicious e-mail attachments.[5][8][7][3] |
Software
References
- Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
- BRI. (2019, April). Kimsuky unveils APT campaign 'Smoke Screen' aimed at Korea and America. Retrieved October 7, 2019.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
- ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
- Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
- Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.