North Korea-linked Kimsuky APT has surfaced with a new campaign, dubbed GoldDragon. It has been targeting multiple South Korean entities since earlier this year.
Diving into details
The threat actor targeted South Korean think tanks, university professors, and government organizations. However, it’s not limited to that; it has targeted entities in the U.S. and Europe as well.
The infection is initiated by a spear-phishing email with a weaponized Word document.
The ultimate stage involves deploying a Windows infostealer that can steal user keystrokes and web browser credentials.
Kimsuky configured multi-stage C2 servers with multiple commercial hosting services located worldwide.
The first stage server confirms that the incoming email address is a valid one and only delivers maldocs to certain addresses.
The second stage server is contacted when the document is opened.
Another C2 script generates a blog address on the basis of the victim’s IP address.
The threat group, furthermore, depends on various other processes to deliver its malicious payloads to the right target.
Why this matters
It is challenging to acquire next-stage payloads while analyzing a multi-stage infection chain.
Even if the researchers could connect with the C2 server to acquire the payload, it is difficult to get a pertinent response.
The bottom line
Kimsuky is one of the most prolific threat actors from North Korea and operates multiple clusters, of which GoldDragon is a frequently reported cluster. The group has been consistently evolving its TTPs and coming up with unique techniques to evade detection and disrupt analysis.