North Korean APT group Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollim, has been found adopting new Tactics, Techniques, and Procedures (TTPs) as it continues to launch espionage attacks. Researchers reveal that the notorious group has gone far beyond its usual tactics of employing social engineering, spear-phishing, and watering hole attacks to target its victims.

A sneak peek at Kimsuky’s latest affair

  • In December 2020, the Korean Internet & Security Agency (KISA) provided a detailed analysis of the TTPs used by Kimsuky APT to target South Korean government agencies.
  • Following the trail of that report, Malwarebytes began monitoring the group's activities and spotted several phishing websites, malicious documents, and scripts.
  • The targets included the Ministry of Foreign Affairs, the Trade Minister, Deputy Consul General at Korean Consulate General, International Atomic Energy Agency (IAEA), and Ambassador of the Embassy of Sri Lanka to the State.
  • Apart from these, some known universities such as the Seoul National University, as well as companies such as Daishin were also the targets of the attacks.
  • To launch these attacks, the group developed different phishing techniques that mimic Gmail, Hotmail, Microsoft Outlook, Nate, Daum, Naver, and Telegram, among others.
  • Before launching these attacks, Kimsuky did thorough reconnaissance on Twitter. This enabled the group to prepare well-crafted spear-phishing emails that led to the download of the AppleSeed backdoor.

Another interesting observation

  • Another team of researchers investigating the threat actor's activities indicates that the group is divided into two sub-groups.
  • Called CloudDragon and KimDragon, the sub-groups differ from each other in their targets, the malware they use, and their infrastructure.
  • However, both focus on South Korea as their primary target, in addition to the U.S.
  • Both are also involved in attacks against government agencies, educational institutions, and research centers.
  • In addition, CloudDragon has adopted a new phishing technique that allows attackers to auto-update the content of malicious websites that mimic legitimate ones.

Final word

Kimsuky is not a new group, but it has adopted new methods to support its mission of collecting intelligence. Its adoption of supply chain attacks, cross-platform attacks, and new modifications to its phishing campaigns indicates that the threat group is here to stay for a long time.