North Korea-linked Kimsuky APT has surfaced with a new campaign, dubbed GoldDragon. It has been targeting multiple South Korean entities since earlier this year.

Diving into details

  • The threat actor targeted South Korean think tanks, university professors, and government organizations. However, it’s not limited to that; it has targeted entities in the U.S. and Europe as well.
  • The infection is initiated by a spear-phishing email with a weaponized Word document.
  • The ultimate stage involves deploying a Windows infostealer that can steal user keystrokes and web browser credentials.

C2 infrastructure

  • Kimsuky configured multi-stage C2 servers with multiple commercial hosting services located worldwide.
  • The first stage server confirms that the incoming email address is a valid one and only delivers maldocs to certain addresses.
  • The second stage server is contacted when the document is opened.
  • Another C2 script generates a blog address on the basis of the victim’s IP address.
  • The threat group furthermore relies on various other processes to ensure its malicious payloads reach only the intended targets.

Why this matters

  • It is challenging to acquire next-stage payloads while analyzing a multi-stage infection chain.
  • Even if researchers can connect to the C2 server, it is difficult to obtain the actual payload, because the server validates the requester before it responds.

The bottom line

Kimsuky is one of the most prolific threat actors from North Korea and operates multiple clusters, of which GoldDragon is a frequently reported cluster. The group has been consistently evolving its TTPs and coming up with unique techniques to evade detection and disrupt analysis.
Cyware Publisher