Threat Research: Kimsuky APT Spear Phishing Campaigns  

Summary  

The North Korean advanced persistent threat (APT) actor Kimsuky (also tracked as TA406, Thallium, and Velvet Chollima) is running several spear-phishing campaigns to conduct cyber-espionage against diplomats, journalists, government agencies, university professors, and politicians. The German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) released a joint security advisory warning of the new phishing campaigns.

Attack Details: 

Kimsuky is currently casting a wide net, running several phishing campaigns that use different lures and delivery methods: fake interview offers, Microsoft OneNote attachments, malicious Android apps, and a malicious Chromium web browser extension.

  1. Operation Dream Job was originally run in 2020 by a North Korean threat actor against job seekers applying to prominent defense and aerospace companies in the United States. The current campaign has not been directly tied to Operation Dream Job, but it relies on the same technique. Targets receive an email asking them to answer interview questions on North Korean matters. If the target agrees, they are sent a password-protected file that downloads malware when opened. Because the file does contain a list of questions about North Korea, victims have little reason to suspect the document.
  2. The OneNote lure arrives in an email about the recipient's compensation or personal information. When the OneNote file is opened, it prompts the victim to click what appears to be a Hangul Word Processor (HWP) document; the object conceals a malicious script, and clicking it executes a VBS file on the victim's system. What the malware does from there depends on the operator's intent.
  3. The third campaign takes over victims' Google accounts by two routes: malicious Android apps distributed through Google Play, and malicious Chromium web browser extensions. The phishing emails impersonate portal administrators or acquaintances of the victim and urge them to install either the Android app from the Google Play store or the Chromium-based browser extension. Both are malicious and give Kimsuky full access to the victim's Gmail and to other applications on the Android smartphone.
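The Operation Dream Job lure above arrives as a password-protected file, which defeats content scanning at the mail gateway. The following is an added example, not code from the advisory or from the sources it cites, of a check a gateway or SOC triage script can still perform when the lure is delivered as a ZIP archive (an assumption here; the advisory does not name the container). In the ZIP format the per-entry encryption flag and the member file names stay in clear text even when the contents are password-protected, so an encrypted archive that carries a script, shortcut, or executable can be held back without the password. The sample archives are constructed inside the script.

```python
"""Triage a password-protected archive attachment without its password.

Added example (not from the original advisory). Assumes the lure arrives as a
ZIP archive. In the ZIP format the per-entry "encrypted" flag (general-purpose
bit 0) and the member file names stay in clear text, so an encrypted archive
that carries a script, shortcut or executable can be flagged before a user
supplies the password. The sample archives below are constructed in-line.
"""
import io
import struct
import zipfile
import zlib

# File types the advisory associates with Kimsuky lures (VBS, LNK, CHM, OneNote)
# plus other directly executable attachment types.
RISKY_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".chm",
             ".one", ".exe", ".scr", ".bat", ".cmd", ".ps1")
LURE_EXT = (".doc", ".docx", ".hwp", ".pdf", ".txt")  # document-looking inner extensions


def triage_zip(blob: bytes) -> dict:
    """Inspect central-directory metadata only; never needs the password."""
    report = {"entries": [], "encrypted": [], "risky": [], "double_ext": [], "verdict": "allow"}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            name = zi.filename
            lower = name.lower()
            report["entries"].append(name)
            if zi.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                report["encrypted"].append(name)
            if lower.endswith(RISKY_EXT):
                report["risky"].append(name)
                stem = lower.rsplit(".", 1)[0]
                if stem.endswith(LURE_EXT):  # e.g. questions.docx.vbs
                    report["double_ext"].append(name)
    if report["risky"]:
        report["verdict"] = "block"       # scriptable payload, scanned or not
    elif report["encrypted"]:
        report["verdict"] = "quarantine"  # content cannot be scanned; hold for analyst review
    return report


def build_zip(entries) -> bytes:
    """Build a minimal stored (uncompressed) ZIP. entries: [(name, data, encrypted)].

    For encrypted members only the header flag is set and the body is XOR-masked
    filler standing in for ZipCrypto output; the CRC and sizes describe the
    plaintext, as in a real archive.
    """
    local, central, offset = [], [], 0
    for name, data, encrypted in entries:
        flags = 0x1 if encrypted else 0x0
        body = (b"\x5a" * 12 + bytes(b ^ 0x5A for b in data)) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        nm = name.encode("ascii")
        lfh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                          crc, len(body), len(data), len(nm), 0) + nm
        cdh = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                          crc, len(body), len(data), len(nm), 0, 0, 0, 0, 0, offset) + nm
        local.append(lfh + body)
        central.append(cdh)
        offset += len(lfh) + len(body)
    cd = b"".join(central)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), offset, 0)
    return b"".join(local) + cd + eocd


def sample_lure() -> bytes:
    """Constructed stand-in for the interview-questions lure: a decoy text file
    plus an encrypted member whose double extension hides a VBS script."""
    return build_zip([
        ("Read_Me_First.txt", b"Please answer the attached interview questions.\r\n", False),
        ("Interview_Questions.docx.vbs", b'Set sh = CreateObject("WScript.Shell")\r\n', True),
    ])


if __name__ == "__main__":
    for key, value in triage_zip(sample_lure()).items():
        print(f"{key:>10}: {value}")
```

The verdict logic deliberately blocks on the member name alone: a `.vbs` or `.lnk` inside an archive is not something a recipient of interview questions needs, whether or not the archive can be scanned. An encrypted archive whose names look harmless is quarantined rather than allowed, because the gateway has no way to check what is actually inside.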

Victimology: 

Kimsuky has been active since at least 2018 and originally targeted only South Korean organizations. As the group's tactics and techniques have matured, its targeting has expanded to organizations in the European Union and the United States. Targets have included military and government agencies and their contractors, news and media outlets, and information technology (IT) organizations, which makes the group a significant threat to both private and public institutions. Organizations should remain vigilant and take appropriate security measures to defend against Kimsuky's phishing attacks.

Conclusion 

Kimsuky has recently been confirmed distributing malware as Microsoft Compiled HTML Help (CHM) files, Windows shortcut (LNK) files, and OneNote notebooks, where it previously relied on Word documents, so users are strongly advised to exercise extra caution. These files are usually delivered by emails disguised as forms relating to compensation or personal information, so users must be careful when opening email attachments. Continued employee training and stronger email security controls that detect and stop threat actors before they penetrate the network perimeter are essential to maintaining a healthy network.
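Because the OneNote lure hides its VBS payload inside the notebook rather than as a recognisable attachment type, a practical control is to open the .one file on the server side and list what it embeds. The following is an added example, not code from the advisory or from ASEC: it walks a OneNote file for the FileDataStoreObject structures that carry embedded files ([MS-ONESTORE] section 2.6.13: a header GUID, an 8-byte payload length, 12 unused/reserved bytes, the payload, zero padding to an 8-byte boundary, and a footer GUID), sniffs each payload's type, and reports the ones that are scripts or other executable content. The sample notebook bytes, the decoy image, and the script text are constructed here and are not taken from the campaign.

```python
"""List and classify the files embedded in a OneNote (.one) notebook.

Added example, not code from the advisory. Embedded files live in
FileDataStoreObject structures ([MS-ONESTORE] 2.6.13):
  guidHeader (16) | cbLength (8) | unused (4) | reserved (8) | FileData | pad to 8 | guidFooter (16)
The header GUID is a reliable carve point, so a malformed or truncated
notebook can still be scanned. The sample notebook below is constructed.
"""
import struct
import uuid

HEADER_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER_GUID = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
META_LEN = 8 + 4 + 8  # cbLength + unused + reserved

MAGIC = (
    (b"MZ", "pe-executable"),
    (b"ITSF", "chm"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound"),  # legacy Office, HWP 5.x
    (b"PK\x03\x04", "zip-container"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
)
SCRIPT_HINTS = (b"createobject(", b"wscript.shell", b"powershell", b"cmd.exe", b"execute(")
EXECUTABLE_TYPES = {"script", "pe-executable", "chm", "lnk"}


def classify(payload: bytes) -> str:
    """Magic-byte check first, then a keyword check for script text."""
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return label
    head = payload[:4096].lower()
    if any(hint in head for hint in SCRIPT_HINTS):
        return "script"
    return "unknown"


def extract_embedded_files(data: bytes) -> list:
    """Carve every FileDataStoreObject in `data`; returns one dict per object."""
    objects = []
    pos = data.find(HEADER_GUID)
    while pos != -1:
        meta_start = pos + len(HEADER_GUID)
        if meta_start + META_LEN > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, meta_start)
        start = meta_start + META_LEN
        end = start + length
        if length == 0 or end > len(data):
            # cbLength points past end of file: corrupt or deliberately malformed;
            # skip this header and keep scanning for the next one.
            pos = data.find(HEADER_GUID, meta_start)
            continue
        padded_end = end + (-length % 8)
        payload = data[start:end]
        objects.append({
            "offset": pos,
            "size": length,
            "type": classify(payload),
            "footer_ok": data[padded_end:padded_end + 16] == FOOTER_GUID,
            "preview": payload[:40],
        })
        pos = data.find(HEADER_GUID, padded_end)
    return objects


def suspicious(objects: list) -> list:
    """Embedded objects a user should never be clicking in a OneNote page."""
    return [o for o in objects if o["type"] in EXECUTABLE_TYPES]


def _object(payload: bytes) -> bytes:
    """Serialise one FileDataStoreObject (used only to build the sample)."""
    return (HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + b"\x00" * (-len(payload) % 8) + FOOTER_GUID)


def build_sample() -> bytes:
    """Constructed notebook: filler, a decoy image posing as the HWP document,
    and the VBS dropper the decoy is laid over."""
    decoy_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
    vbs = (b'Set sh = CreateObject("WScript.Shell")\r\n'
           b'sh.Run "cmd.exe /c echo constructed-sample", 0\r\n')
    return b"\x00" * 64 + _object(decoy_png) + b"\x11" * 32 + _object(vbs) + b"\x00" * 16


if __name__ == "__main__":
    for obj in extract_embedded_files(build_sample()):
        print(f"offset={obj['offset']:#x} size={obj['size']} type={obj['type']} footer_ok={obj['footer_ok']}")
```

Carving on the header GUID rather than parsing the full notebook structure is a deliberate trade-off: it misses nothing that OneNote itself would offer the user to click, and it keeps working when an attacker damages the surrounding structures to break a stricter parser. A payload that a user would see as a document picture but that classifies as `script` is the pattern the advisory describes.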

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References:

  1. https://therecord.media/north-korea-apt-kimsuky-attacks
  2. https://asec.ahnlab.com/en/50303/
  3. https://www.clearskysec.com/operation-dream-job/
  4. https://blog.virustotal.com/2022/11/not-dream-job-hunting-for-malicious-job.html
  5. https://asec.ahnlab.com/en/49295/
  6. https://blog.google/threat-analysis-group/countering-threats-north-korea/
