Kaspersky uncovers details about active cyber-espionage campaign
Nearly 10 years since Kaspersky experts unmasked an active cyber-espionage campaign primarily targeting South Korean think-tanks, the state-sponsored group known as Kimsuky continues to show prolific updating of tools and tactics.
Kaspersky's senior expert revealed more of his findings, including the possibility of this Advanced Persistent Threat (APT) actor expanding its operations with its abundant capabilities.
Kimsuky, also known as Thallium, Black Banshee and Velvet Chollima, has been on Kaspersky's radar since 2013. It is known to update its tools very quickly to hide its infrastructure and to make it harder for security researchers and automated analysis systems to acquire payloads.
Seongsu Park, Lead Security Researcher for the Global Research and Analysis Team (GReAT) at Kaspersky, found that the notorious group has continuously configured multi-stage command and control (C2) servers with various commercial hosting services located around the world.
A command and control server is a server that lets a threat actor control its malware: issue commands to compromised machines, manage spyware, deliver payloads, and more.
Park says, "From less than 100 C2 servers in 2019, Kimsuky now has 603 malicious command centres as of July this year, which clearly suggests that the threat actor is poised to launch more attacks, possibly beyond the Korean peninsula.
"Its history suggests that government agencies, diplomatic entities, media, and even cryptocurrency businesses in APAC should be on high alert against this stealthy threat."
The skyrocketing number of C2 servers is part of Kimsuky's continuous operations in APAC and beyond. In early 2022, Kaspersky's team of experts observed another wave of attacks targeting journalists and diplomatic and academic entities in South Korea.
Dubbed the GoldDragon cluster, the threat actor initiated the infection chain by sending a spear-phishing email containing a macro-embedded Word document. Various examples of different Word documents used for this new attack were uncovered, each showing different decoy contents related to geopolitical issues in the Korean Peninsula.
Further analysis allowed Park to discover server-side scripts related to the GoldDragon cluster, which allowed the experts to map the group's C2 operation.
The actor sends a spear-phishing email that lures the potential victim into downloading additional documents. If the victim clicks the link, the click results in a connection to the first-stage C2 server, with an email address passed as a parameter.
The first-stage C2 server verifies that the incoming email address parameter is an expected one and delivers the malicious document only if the address is in the target list. The first-stage script also forwards the victim's IP address to the next-stage server.
When the fetched document is opened, it connects to the second C2 server. The corresponding script on the second C2 server compares the connecting address with the IP address forwarded from the first stage to confirm that the request comes from the same victim.
Using this IP validation scheme, the actor verifies whether the incoming request is from the intended victim or not. On top of that, the operator relies on several other checks before delivering the next payload, such as checking the OS type and matching predefined user-agent strings.
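One way a defender can look for the two-stage pattern described above in web-proxy logs, as an added example that is not part of the Kaspersky report: it flags a client whose email-keyed download request is followed shortly by a document callback to a different host. The log format, host names and the assumption that a callback made by Word itself carries an Office user-agent are all constructed for this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample proxy log (not from the Kaspersky report). Fields:
# ISO timestamp, client IP, method, URL, user-agent; lines are time-sorted.
SAMPLE_LOG = """\
2022-03-01T09:00:01 10.0.0.5 GET http://stage1.example.invalid/dl.php?id=jane.doe@example.org Mozilla/5.0 (Windows NT 10.0) Chrome/99.0
2022-03-01T09:02:40 10.0.0.5 GET http://stage2.example.invalid/doc.php Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0)
2022-03-01T09:05:00 10.0.0.7 GET http://news.example.invalid/article Mozilla/5.0 (Windows NT 10.0) Chrome/99.0
2022-03-01T09:06:00 10.0.0.7 GET http://cdn.example.invalid/a.js Mozilla/5.0 (Windows NT 10.0) Chrome/99.0
"""

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
# Heuristic assumption: a request issued by Word itself (not by a browser)
# carries an Office user-agent; treat that as "the fetched document phoned home".
OFFICE_UA = re.compile(r"Microsoft Office|Microsoft Word", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, ip, method, url, ua = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "url": url, "host": urlparse(url).hostname, "ua": ua}


def has_email_param(url):
    """True if any query-string value is an e-mail address (parse_qs decodes %40)."""
    values = (v for vals in parse_qs(urlparse(url).query).values() for v in vals)
    return any(EMAIL.fullmatch(v) for v in values)


def find_chains(log_text, window=timedelta(minutes=15)):
    """Return (client_ip, stage1_host, stage2_host) for each suspected chain: an
    e-mail-keyed download request followed, within the window, by the same client
    fetching from a different host with an Office user-agent."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    chains = []
    for i, first in enumerate(events):
        if not has_email_param(first["url"]):
            continue
        for second in events[i + 1:]:
            if second["ts"] - first["ts"] > window:
                break  # log is time-sorted, so nothing later can match
            if (second["ip"] == first["ip"] and second["host"] != first["host"]
                    and OFFICE_UA.search(second["ua"])):
                chains.append((first["ip"], first["host"], second["host"]))
                break
    return chains


for ip, s1, s2 in find_chains(SAMPLE_LOG):
    print(f"{ip}: e-mail-keyed download from {s1}, then document callback to {s2}")
```

Tune the window and the user-agent pattern to your own proxy's conventions; the email-in-query check alone is too noisy to alert on by itself, which is why it is only the first leg of the correlation.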
Park says, "Another notable technique Kimsuky utilises is the use of a client verification process to confirm it is the relevant victim they want to compromise. Kaspersky experts even saw the contents of decoy documents with various topics, including the agenda of the 2022 Asian Leadership Conference, a form of honorarium request, and an Australian diplomat's curriculum vitae.
"We've seen that the Kimsuky group continuously evolves malware infection schemes and adopts novel techniques to hinder analysis. The difficulty in tracking this group is that it's tough to acquire a full infection chain. As we can see from this research, most recently, threat actors adopt victim verification methodology in their command and control servers.
"Despite the difficulty of getting server-side objects, if we analyse an attacker's server and malware from the victim's side, we can fully understand how the threat actors operate their infrastructure and what kind of techniques they employ."
To protect systems and networks from Kimsuky's clandestine tactics and techniques, Kaspersky experts suggest:
- Full-context-based defence is the key
  - Hit-and-run style defence never works
  - To understand the full context of threats, it is advised to have services that provide in-depth, real-time reports and analysis
- Diversify defence points
- Cooperation with other industries
  - Each sector has a different set of strengths and expertise
  - Cooperation is essential to understanding the multiple dimensions of cyber threats, in turn allowing better strategies against them