Kimsuky

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.[1][2][3]

ID: G0094
Associated Groups: Thallium, Black Banshee, Velvet Chollima
Version: 2.0
Created: 26 August 2019
Last Modified: 23 April 2021

Associated Group Descriptions

Name Description
Thallium [3]
Black Banshee [3]
Velvet Chollima [4][5]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Kimsuky has registered domains to spoof targeted organizations and trusted third parties.[5][6][7][3]

Enterprise T1071 .002 Application Layer Protocol: File Transfer Protocols

Kimsuky has used FTP to download additional malware to the target machine.[8]

Enterprise T1071 .003 Application Layer Protocol: Mail Protocols

Kimsuky has used e-mail to send exfiltrated data to C2 servers.[7]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Kimsuky has used RC4 encryption on collected data before exfiltration.[9]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Kimsuky has placed scripts in the startup folder for persistence.[9][7][10]

Enterprise T1176 Browser Extensions

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Kimsuky has executed a variety of PowerShell scripts.[1][7]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Kimsuky has used Visual Basic to download malicious payloads.[5][8][10]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Kimsuky has used JScript for logging and downloading additional tools.[8][7]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Kimsuky has used a Mac OS Python implant to gather data.[7]

Enterprise T1586 .002 Compromise Accounts: Email Accounts

Kimsuky has compromised web portal email accounts to send spearphishing e-mails.[8]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Kimsuky has created new services for persistence.[9][7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers.[4][7]

Enterprise T1005 Data from Local System

Kimsuky has collected Office, PDF, and HWP documents from its victims.[9]

Enterprise T1074 .001 Data Staged: Local Data Staging

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.[7]

Enterprise T1587 Develop Capabilities

Kimsuky created and used a mailing toolkit to use in spearphishing attacks.[8]

Enterprise T1114 .003 Email Collection: Email Forwarding Rule

Kimsuky has set auto-forward rules on victims' e-mail accounts.[7]

Enterprise T1546 .001 Event Triggered Execution: Change Default File Association

Kimsuky has an HWP document stealer module that changes the default program association for HWP documents in the Registry.[9]

Enterprise T1041 Exfiltration Over C2 Channel

Kimsuky has exfiltrated data over its email C2 channel.[9]

Enterprise T1133 External Remote Services

Kimsuky has used RDP to establish persistence.[7]

Enterprise T1083 File and Directory Discovery

Kimsuky has the ability to enumerate all the drives on an infected system.[9]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Kimsuky has been observed turning off Windows Security Center.[9]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Kimsuky has been observed disabling the system firewall.[9]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Kimsuky has deleted the exfiltrated data on disk after transmission.[9]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Kimsuky has manipulated file creation and compilation timestamps as an anti-forensic measure.[3]

Enterprise T1105 Ingress Tool Transfer

Kimsuky has used scripts to download additional tools from compromised domains to victim systems.[10]

Enterprise T1056 .001 Input Capture: Keylogging

Kimsuky has used a PowerShell-based keylogger.[1][9][7]

Enterprise T1557 Man-in-the-Middle

Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.[7]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Kimsuky has disguised services to appear as benign software or related to operating system functions.[7]

Enterprise T1112 Modify Registry

Kimsuky has modified Registry settings for default file associations to enable the opening of malicious documents.[7][10]

Enterprise T1040 Network Sniffing

Kimsuky has used the NirSoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.[7]

Enterprise T1027 Obfuscated Files or Information

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[5][8]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Kimsuky has used ProcDump to dump credentials.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in its spearphishing campaigns.[4][9][5][8][3]

Enterprise T1566 .002 Phishing: Spearphishing Link

Kimsuky has used an email containing a link to a document that contained malicious macros.[1]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Kimsuky has used links in e-mail to steal account information.[8]

Enterprise T1055 Process Injection

Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.[9]

Enterprise T1219 Remote Access Software

Kimsuky has used a modified TeamViewer client as a command and control channel.[9][10]

Enterprise T1505 .003 Server Software Component: Web Shell

Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.[7]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

Kimsuky has used mshta.exe to run malicious scripts on the system.[1][7][10]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Kimsuky has signed files with the name "EGIS CO,. Ltd.".[5]

Enterprise T1082 System Information Discovery

Kimsuky has gathered information about the infected computer.[9]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Kimsuky has used pass the hash for authentication to remote access software used in C2.[7]

Enterprise T1204 .002 User Execution: Malicious File

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.[5][8][7][3]

Software

ID Name References Techniques
S0414 BabyShark [7][3][10] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0527 CSPY Downloader [3] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Modify Registry, Obfuscated Files or Information: Software Packing, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks
S0526 KGH_SPY [3] Application Layer Protocol: Web Protocols, Boot or Logon Initialization Scripts: Logon Script (Windows), Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, Exfiltration Over C2 Channel, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Software Discovery, System Information Discovery, User Execution: Malicious File
S0353 NOKKI [10] Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0111 schtasks [3] Scheduled Task/Job: Scheduled Task

References