North Korea engages in cyber espionage against South Korea

Jun 2, 2021 12:10 GMT

A North Korean threat actor active since 2012 is behind a new espionage campaign targeting high-profile government officials associated with South Korea. According to The Hacker News, the aim was to install Android and Windows backdoors to collect sensitive information.

Malwarebytes attributes the activity to a threat actor known as Kimsuky. The targeted entities include the Korea Internet and Security Agency (KISA), the Ministry of Foreign Affairs, the ambassador of the embassy of Sri Lanka, the International Atomic Energy Agency (IAEA) Nuclear Security Officer, the Deputy Consul General at the Korean Consulate General in Hong Kong, Seoul National University, and Daishin Securities.

This is only the latest in a long line of surveillance operations directed at South Korea. Kimsuky (also known as Velvet Chollima, Black Banshee, and Thallium) is believed to act on behalf of North Korea. It has targeted South Korea in the past while expanding its victimology to the U.S., Russia, and numerous European countries.

Last November, the group was linked to a new modular spyware suite called KGH SPY that performs network reconnaissance, logs keystrokes, and steals sensitive information, as well as to a stealthy malware called CSPY Downloader designed to thwart analysis and download additional payloads.

Kimsuky uses popular phishing websites similar to Google, Outlook, and Telegram

The threat actor's attack infrastructure consists of a series of phishing websites that mimic well-known services such as Gmail, Outlook, and Telegram, with the goal of tricking victims into entering their credentials.

Malwarebytes researcher Hossein Jazi said that "This is one of the main methods used by this actor to collect email addresses that later will be used to send spear-phishing emails".

The goal of using social engineering as a core component of its operations is to distribute a malware dropper in the form of a ZIP archive attached to the emails, which eventually leads to the delivery of an encrypted DLL payload known as AppleSeed, a backdoor that Kimsuky has used since at least 2019.

AppleSeed has all the characteristics of a typical backdoor, including the ability to record keystrokes, capture screenshots, collect documents with certain extensions (.txt, .ppt, .hwp, .pdf, and .doc), and capture data from removable media connected to the machine; the collected data is then uploaded to a remote command-and-control server.