Author: Nathan Toporek
TLP:WHITE
1. Executive Summary
On October 27, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Cyber Command Cyber National Mission Force (CNMF) published a joint report, summarizing multiple OSINT publications, that identifies several tactics, techniques, and procedures (TTPs) associated with the North Korean advanced persistent threat (APT) group Kimsuki.[1] Kimsuki used these TTPs to gather intelligence on behalf of the North Korean government.
The US Government refers to all malicious cyber activity from the North Korean Government as “HIDDEN COBRA.”
2. Analysis
The joint report found that Kimsuki has likely been active since 2012, and is likely tasked by the North Korean government with gathering intelligence on a global scale. Kimsuki uses social engineering tactics like spearphishing and watering hole attacks against victims; however, they are most likely to use spearphishing to gain initial access. Their past operations targeted experts, think tanks, and South Korean government groups using lures about foreign political issues, nuclear policy, and sanctions. The report details multiple Kimsuki TTPs, from initial access to exfiltration, each summarized below.
2.1. Initial Access (TA0001)
Kimsuki commonly uses spearphishing campaigns to gain initial access. Campaign themes often involve inviting the victim to a Skype interview for an appearance on a television show. The first several emails may contain no malicious attachment, in an effort to build trust. At some point Kimsuki delivers a malicious payload and then cancels the interview. Other lures have included topics related to current events or issues of popular interest.
2.2. Execution (TA0002)
Kimsuki uses the Visual Basic malware family BabyShark to perform command execution via Windows PowerShell.[2]
2.3. Persistence (TA0003)
Kimsuki achieves persistence via malicious browser extensions, augmenting system processes, leveraging the autostart program, using the remote desktop protocol (RDP), and changing files associated with various applications.
2.4. Privilege Escalation (TA0004)
Kimsuki performs privilege escalation by editing startup programs, changing file associations, and injecting into processes. They have also used Metasploit’s “Win7Elevate” exploit to escalate privileges.
2.5. Defense Evasion (TA0005)
Kimsuki evades defenses by disabling the Windows Firewall and the Windows Security Center service, deleting data after exfiltrating it to remove evidence, using trusted tools like mshta.exe to execute malicious JavaScript or Visual Basic Script (VBS) files, and again leveraging Metasploit’s “Win7Elevate” exploit to inject code into the Internet Explorer process.
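To make the persistence, privilege-escalation and defense-evasion behaviours in sections 2.3 to 2.5 testable, here is an added detection example in Python; it is not part of the joint advisory or of this report. It runs five rules over constructed, simplified Sysmon-style events (process-creation and registry-set records). The field names, the file paths and SIDs in the sample events, and the ATT&CK technique IDs attached to each rule are this example's own assumptions.

```python
"""Detection rules for the persistence and defense-evasion TTPs summarized above.

Added example, not from the joint advisory or from CISA. Events are
constructed, simplified Sysmon-style records (EventID 1 = process creation,
EventID 13 = registry value set). Field names and the ATT&CK technique IDs
attached to each rule are this example's own mapping.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample telemetry; paths, names and SIDs are placeholders, not real IoCs.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\invite.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config wscsvc start= disabled"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Roaming\updater.exe"},
    {"EventID": 13, "TargetObject": r"HKCR\hwpfile\shell\open\command\(Default)",
     "Details": r'"C:\ProgramData\wrapper.exe" "%1"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},  # benign control
]

# mshta.exe given a script file on disk or a remote URL.
SCRIPT_OR_URL = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf)\b|https?://", re.IGNORECASE)


def _cmd(e: Event) -> str:
    return str(e.get("CommandLine", ""))


def _image_is(e: Event, name: str) -> bool:
    """True when the process image's file name is `name` (case-insensitive)."""
    return str(e.get("Image", "")).lower().endswith("\\" + name)


def _target(e: Event) -> str:
    return str(e.get("TargetObject", ""))


# (rule name, ATT&CK technique ID, predicate over one event)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("mshta.exe launching a script file or URL", "T1218.005",
     lambda e: _image_is(e, "mshta.exe") and SCRIPT_OR_URL.search(_cmd(e)) is not None),
    ("Windows Firewall turned off via netsh", "T1562.004",
     lambda e: _image_is(e, "netsh.exe")
     and re.search(r"firewall.*\b(off|disable)\b", _cmd(e), re.I) is not None),
    ("Security Center service (wscsvc) stopped or disabled", "T1562.001",
     lambda e: re.search(r"\bwscsvc\b", _cmd(e), re.I) is not None
     and re.search(r"\b(disabled?|stop)\b", _cmd(e), re.I) is not None),
    ("Autostart entry written under a Run key", "T1547.001",
     lambda e: e.get("EventID") == 13
     and re.search(r"\\CurrentVersion\\Run(Once)?\\", _target(e), re.I) is not None),
    ("Default file-association handler changed", "T1546.001",
     lambda e: e.get("EventID") == 13
     and re.search(r"\\shell\\open\\command", _target(e), re.I) is not None),
]


def match_event(event: Event) -> List[Tuple[str, str]]:
    """Return (rule name, technique ID) for every rule the event satisfies."""
    return [(name, tid) for name, tid, pred in RULES if pred(event)]


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Run all rules over a list of events and collect alerts in event order."""
    alerts: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        for name, tid in match_event(event):
            alerts.append({"event": index, "rule": name, "technique": tid})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['technique']} {alert['rule']}")
```

Each of the first five constructed events trips exactly one rule and the benign notepad.exe event trips none. The rules are deliberately narrow (for instance, mshta.exe with no script or URL argument is not flagged) so that the check stays useful as a starting point for tuning against an organisation's own baseline.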
2.6. Credential Access (TA0006)
Kimsuki accesses victim credentials with malicious Chrome browser extensions, Windows’ ProcDump tool, a PowerShell-based keylogger named MECHANICAL, and specially-tailored versions of PHProxy (an open-source, PHP-based web proxy).
2.7. Discovery (TA0007)
Kimsuki appears to rely on native operating system commands to gather system information, which they likely exfiltrate to a command and control (C&C) server.
2.8. Collection (TA0009)
Kimsuki collects victim information via a malicious Hangul Word Processor (HWP) executable, keyloggers, and a Python tool designed to infect macOS systems. The HWP malware emails the contents of HWP files to the actors before opening them for the user in a legitimate word processor.
2.9. Command and Control (TA0011)
Kimsuki performs C&C via a modified TeamViewer client that disables the firewall and configures several Windows registry keys that affect how the client connects to the server. Kimsuki later executes this modified client.
2.10. Exfiltration (TA0010)
Kimsuki exfiltrates data by encrypting data and emailing it to C&C servers.
3. Prevention and Mitigation
CISA, the FBI, and CNMF recommend that users and organizations in Kimsuki’s target profile implement protections against spearphishing, enable multi-factor authentication, and train users on phishing awareness.
4. Indicators of Compromise
The joint report provided multiple domains and URL paths associated with the Kimsuki APT group.
4.1. Indicators
C2 domains associated with Kimsuki:
account[.]daum[.]unikftc[.]kr
account[.]daum[.]unikortv[.]com
account[.]daurn[.]pe[.]hu
amberalexander[.]ghtdev[.]com
beyondparallel[.]sslport[.]work
bigfile[.]pe[.]hu
cdaum[.]pe[.]hu
cloudmail[.]cloud
cloudnaver[.]com
coinone[.]co[.]in
com-download[.]work
com-option[.]work
com-ssl[.]work
com-sslnet[.]work
com-vps[.]work
comment[.]poulsen[.]work
cooper[.]center
csnaver[.]com
daum[.]net[.]pl
daum[.]unikortv[.]com
daurn[.]org
daurn[.]pe[.]hu
demand[.]poulsen[.]work
dept-dr[.]lab[.]hol[.]es
desk-top[.]work
downloadman06[.]com
dubai-1[.]com
eastsea[.]or[.]kr
gloole[.]net
help-navers[.]com
help[.]unikoreas[.]kr
helpnaver[.]com
hogy[.]desk-top[.]work
impression[.]poulsen[.]work
intemet[.]work
intranet[.]ohchr[.]accountprotect[.]work
jonga[.]ml
jp-ssl[.]work
kooo[.]gq
loadmanager07[.]com
login[.]bignaver[.]com
login[.]daum[.]kcrct[.]ml
login[.]daum[.]netaccounts[.]info
login[.]daum[.]unikortv[.]com
login[.]outlook[.]kcrct[.]ml
mail[.]unifsc[.]com
mailsnaver[.]com
member-authorize[.]com
member[.]daum[.]uniex[.]kr
member[.]daum[.]unikortv[.]com
member[.]navier[.]pe[.]hu
myaccount[.]nkaac[.]net
myaccounts[.]gmail[.]krinfos[.]com
myetherwallet[.]co[.]in
myetherwallet[.]com[.]mx
naver[.]co[.]in
naver[.]com[.]cm
naver[.]com[.]de
naver[.]com[.]ec
naver[.]com[.]mx
naver[.]com[.]pl
naver[.]com[.]se
naver[.]cx
naver[.]hol[.]es
naver[.]koreagov[.]com
naver[.]onegov[.]com
naver[.]pw
naver[.]unibok[.]kr
naverdns[.]co
net[.]tm[.]ro
nid[.]naver[.]com[.]se
nid[.]naver[.]corper[.]be
nid[.]naver[.]onektx[.]com
nid[.]naver[.]unibok[.]kr
nid[.]naver[.]unicrefia[.]com
nidlogin[.]naver[.]corper[.]be
nidnaver[.]email
nidnaver[.]net
ns[.]onekorea[.]me
nytimes[.]onekma[.]com
org-vip[.]work
preview[.]manage[.]orgview[.]work
pro-navor[.]com
read-hanmail[.]net
read-naver[.]com
read[.]tongilmoney[.]com
resetprofile[.]com
resultview[.]com
riaver[.]site
sankei[.]sslport[.]work
securetymail[.]com
servicenidnaver[.]com
smtper[.]cz
smtper[.]org
sslport[.]work
sslserver[.]work
ssltop[.]work
statement[.]poulsen[.]work
sts[.]desk-top[.]work
taplist[.]work
tiosuaking[.]com
top[.]naver[.]onekda[.]com
usernaver[.]com
view-hanmail[.]net
view-naver[.]com
vilene[.]desk-top[.]work
vpstop[.]work
webmain[.]work
webuserinfo[.]com
ww-naver[.]com

URL paths used by Kimsuki:
/home/dwn[.]php?van=101
/home/dwn[.]php?v%20an=101
/home/dwn[.]php?van=102
/home/up[.]php?id=NQDPDE
/test/Update[.]php?wShell=201
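As an added example, not part of this report or of the CISA advisory, the following Python script refangs a subset of the indicators listed above and matches them against a constructed web-proxy log. The log format (timestamp, client, method, URL, status) and the log lines are assumptions. The sample hosts are kept defanged so that this page stays defanged; the script therefore refangs each line before matching, a step real proxy logs would not need.

```python
"""Match the advisory's defanged indicators against web-proxy log lines.

Added example, not part of the original report or the CISA advisory. The
indicator subset below is taken from the table above; the log format and
the log lines are constructed for this illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Subset of the C2 domains and URL paths from section 4.1, still defanged.
DEFANGED_DOMAINS = [
    "account[.]daum[.]unikftc[.]kr",
    "help-navers[.]com",
    "naver[.]pw",
    "nid[.]naver[.]com[.]se",
    "sslport[.]work",
]
DEFANGED_PATHS = [
    "/home/dwn[.]php?van=101",
    "/home/dwn[.]php?v%20an=101",
    "/home/up[.]php?id=NQDPDE",
    "/test/Update[.]php?wShell=201",
]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# Hosts are kept defanged here so the page stays defanged; real logs are not.
SAMPLE_PROXY_LOG = """\
2020-10-28T09:12:01Z 10.0.0.15 GET http://sslport[.]work/home/dwn[.]php?van=101 200
2020-10-28T09:13:44Z 10.0.0.15 POST http://www[.]naver[.]pw/test/Update[.]php?wShell=201 200
2020-10-28T09:15:02Z 10.0.0.22 GET https://www[.]naver[.]com/ 200
2020-10-28T09:16:30Z 10.0.0.22 GET http://cdn[.]example[.]net/home/up[.]php?id=NQDPDE 404
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
PATHS = {refang(p) for p in DEFANGED_PATHS}


def matching_domain(host: str) -> Optional[str]:
    """Return the indicator equal to `host` or a parent domain of it, else None."""
    host = host.lower().rstrip(".")
    for d in sorted(DOMAINS, key=len, reverse=True):  # most specific first
        if host == d or host.endswith("." + d):
            return d
    return None


def matching_path(url: str) -> Optional[str]:
    """Return the URL-path indicator equal to the request's path plus query, else None."""
    parts = urlsplit(url)
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    return path_query if path_query in PATHS else None


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """Report every log line whose host or path+query hits an indicator."""
    hits: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = refang(raw).split()  # refang only because the sample is defanged
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the scan
        url = fields[3]
        host = urlsplit(url).hostname or ""
        matches: List[str] = []
        d = matching_domain(host)
        if d:
            matches.append("domain:" + d)
        p = matching_path(url)
        if p:
            matches.append("path:" + p)
        if matches:
            hits.append({"line": lineno, "client": fields[1], "host": host, "matches": matches})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit['line']} client {hit['client']} host {hit['host']}: {', '.join(hit['matches'])}")
```

Domain matching deliberately includes subdomains (www.naver[.]pw hits naver[.]pw) while leaving the legitimate naver.com untouched, because none of the listed indicators is a parent of it. Path matching is exact on path plus query, which is why the advisory lists the `%20` variant separately; a fourth line whose host is not an indicator still hits on the path alone, which is the weaker of the two signals and worth triaging rather than blocking on.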
Endnotes
- “Joint Cybersecurity Advisory – US-Cert – CISA.” 27 Oct. 2020, https://us-cert.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf. Accessed 28 Oct. 2020.
- “BabyShark, Software S0414 | MITRE ATT&CK®.” 7 Oct. 2019, https://attack.mitre.org/software/S0414/. Accessed 29 Oct. 2020.