North Korean Hackers Found Behind a Range of Credential Theft Campaigns


A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.

Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, which the wider threat intelligence community follows under the monikers Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos).

Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor’s tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South Korea.

Known to be operational as early as 2012, Kimsuky has since emerged as one of the most active advanced persistent threat (APT) groups, known for setting its sights on cyber espionage but also for conducting attacks for financial gain. It targets government entities, think tanks, and individuals identified as experts in various fields, and harvests sensitive information pertaining to foreign policy and national security issues.

“Like other APT groups that constitute a big umbrella, Kimsuky contains several clusters: BabyShark, AppleSeed, Flower Power, and Gold Dragon,” Kaspersky researchers noted in their Q2 2021 APT trends report published last month. The AppleSeed sub-group is also referred to as TA408.

The group is also known for reeling in targets with convincing social engineering schemes and watering hole attacks before sending them malware-infected payloads or tricking them into submitting sensitive credentials to phishing sites, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a public alert issued in October 2020.

Earlier this month, researchers from Cisco Talos disclosed a Kimsuky campaign, ongoing since June 2021, that was found leveraging malicious blogs hosted on Google’s Blogger platform to go after high-value South Korean targets, including geopolitical and aerospace research agencies, with the goal of delivering a “constantly evolving set of implants derived from the Gold Dragon/Brave Prince family” that act as file exfiltrators, information gatherers, and credential stealers for reconnaissance, espionage, and credential harvesting.

“This campaign begins with malicious Microsoft Office documents (maldocs) containing macros being delivered to victims,” Talos researchers explained. “The infection chain results in the malware reaching out to malicious blogs set up by the attackers. These blogs provide the attackers the ability to update the malicious content posted in the blog depending on whether a victim is of value to the attackers.”

Now, in what appears to be a further ramping up of attacks, the threat actor simultaneously commenced near-weekly email threat campaigns using the identities of legitimate policy experts, while featuring themes related to nuclear weapon safety, politics, and Korean foreign policy, ultimately luring the targeted individuals to give up their corporate credentials via a rogue URL embedded in the messages that redirects the victims to custom credential-harvesting pages.

Kimsuky’s phishing campaigns had a noticeable shift in March 2021 when the emails moved beyond credential theft to become a medium for distributing malware, coinciding with North Korea’s missile tests conducted later that month.

The emails included a link that sent the target to an attacker-controlled domain used to trick targets into downloading a compressed archive incorporating a binary, which is orchestrated to create a scheduled task that is executed every 15 minutes to install additional malware from a remote server. However, the ultimate motive behind the attacks remains unclear as no follow-on payloads were observed.
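
A defender's check for the persistence pattern described above, added here as an example and not taken from Proofpoint's report: it scans Task Scheduler XML (the format `schtasks /query /xml` exports) for tasks whose repetition interval works out to 15 minutes and lists what they run. The function names, the 900-second default, and the sample task names and paths are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def interval_seconds(text):
    """Convert a repetition interval such as PT15M, PT900S or P1D to seconds."""
    m = DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None  # not a duration we understand
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def find_repeating_tasks(xml_text, every=900):
    """Return (task URI, command line) for each task repeating every `every` seconds."""
    hits = []
    # iter() also yields the root, so a single <Task> document works too.
    for task in ET.fromstring(xml_text).iter(NS + "Task"):
        intervals = {interval_seconds(e.text) for e in task.iter(NS + "Interval")}
        if every not in intervals:
            continue
        uri = task.findtext(f"{NS}RegistrationInfo/{NS}URI", default="(no URI)")
        for ex in task.iter(NS + "Exec"):
            cmd = ex.findtext(NS + "Command", default="")
            args = ex.findtext(NS + "Arguments", default="")
            hits.append((uri, f"{cmd} {args}".strip()))
    return hits

# Constructed sample: two task definitions in one export (names and paths are made up).
SAMPLE = """<Tasks>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleUpdater</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT15M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\example.exe</Command><Arguments>/q</Arguments></Exec></Actions>
</Task>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleDaily</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cmd.exe</Command></Exec></Actions>
</Task>
</Tasks>"""

if __name__ == "__main__":
    for uri, command in find_repeating_tasks(SAMPLE):
        print(f"{uri}: {command}")
```

Plenty of legitimate tasks also repeat every 15 minutes, so the output is a review list: the command path and the binary's signer decide whether a hit matters.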

Another notable attack in June resulted in the deployment of a downloader (“FatBoy”) using an HTML attachment lure that was then used to retrieve a next-stage reconnaissance script capable of collecting “extensive information” about the targeted device. Proofpoint said that both campaigns exhibited overlaps with attacks previously identified as mounted by the Konni Group.

Other notable tools in its malware arsenal encompass a Windows keylogger dubbed YoreKey, a number of rogue Android apps striking cryptocurrency users in South Korea, a deobfuscation service named Deioncube to decode files encrypted with ionCube’s source code protection software, and a sextortion scam that urges email recipients to transfer an amount worth $500 in bitcoin to a valid wallet associated with a South Korea-based NGO.

“It’s unknown whether the NGO was compromised, and the donation message was placed on their website maliciously, or if there’s another explanation,” the researchers said. “As of June 2021, the associated bitcoin wallet had received and sent about 3.77 bitcoin.”