
Researchers Uncover Kimsuky Infra Focusing on South Korean Politicians and Diplomats

by crpt os


The North Korean nation-state group Kimsuky has been linked to a new set of malicious activities directed against political and diplomatic entities located in its southern counterpart in early 2022.

Russian cybersecurity firm Kaspersky codenamed the cluster GoldDragon, with the infection chains leading to the deployment of Windows malware designed to collect file lists, user keystrokes, and stored web browser login credentials.

Included among the potential victims are South Korean university professors, think tank researchers, and government officials.


Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is the name given to a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gain intelligence on various topics of interest to the regime.

Known to be operating since 2012, the group has a history of employing social engineering tactics, spear-phishing, and watering hole attacks to exfiltrate desired information from victims.

Late last month, cybersecurity firm Volexity attributed the actor to an intelligence gathering mission designed to siphon email content from Gmail and AOL via a malicious Chrome browser extension dubbed Sharpext.

The latest campaign follows a similar modus operandi wherein the attack sequence is initiated via spear-phishing messages containing macro-embedded Microsoft Word documents that purportedly feature content related to geopolitical issues in the region.


Alternative initial access routes are also said to take advantage of HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys to compromise the system.

Regardless of the method used, the initial access is followed by dropping a Visual Basic Script from a remote server that’s orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.


What’s novel about the attack is the transmission of the victim’s email address to the command-and-control (C2) server should the recipient click a link in the email to download additional documents. If the request doesn’t contain an expected email address, a benign document is returned.

To further complicate the kill chain, the first-stage C2 server forwards the victim’s IP address to another VBS server, which then compares it with an incoming request that’s generated after the target opens the lure document.

The “victim verification methodology” in the two C2 servers ensures that the VBScript is delivered only when the IP address checks are successful, indicating a highly targeted approach.

“The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis,” Kaspersky researcher Seongsu Park said. “The main difficulty in tracking this group is that it’s tough to acquire a full-infection chain.”
