North Korea-linked Kimsuky APT has surfaced with a new campaign, dubbed GoldDragon. It has been targeting multiple South Korean entities since earlier this year.
Diving into details
The threat actor targeted South Korean think tanks, university professors, and government organizations. However, it’s not limited to that; it has targeted entities in the U.S. and Europe as well.
The infection is initiated by a spear-phishing email with a weaponized Word document.
The ultimate stage involves deploying a Windows infostealer that can steal user keystrokes and web browser credentials.
C2 infrastructure
Kimsuky configured multi-stage C2 servers with multiple commercial hosting services located worldwide.
The first stage server confirms that the incoming email address is a valid one and only delivers maldocs to certain addresses.
The second stage server is contacted when the document is opened.
Another C2 script generates a blog address based on the victim's IP address.
The group furthermore relies on several other processes to make sure its malicious payloads are delivered only to the intended target.
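The chain described above (a mail-delivered Word document that, once opened, calls out to a second-stage server and drops the next payload) is something endpoint telemetry can flag. The following is an added example, not code from the original article or from any vendor: it runs two simple rules over constructed Sysmon-style events (field names, hosts and timestamps are assumed, not real indicators), alerting when an Office process launched from the mail client reaches a non-allowlisted host within a few minutes, or spawns a child process.

```python
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
MAIL_CLIENTS = {"outlook.exe"}
# Hosts Office legitimately contacts; an assumed allowlist, tune it per environment.
ALLOWED_HOSTS = {"officecdn.microsoft.com", "login.microsoftonline.com"}
WINDOW = timedelta(minutes=5)  # callback must closely follow the mail-launched open


def _base(path):
    """Lower-cased file name of a Windows path (basename of Image/ParentImage)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """events: iterable of (iso_timestamp, kind, fields) with kind in
    {"process", "network"}. Returns a list of (rule, timestamp, detail)."""
    alerts, last_mail_open = [], None
    for ts_str, kind, f in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        image, parent = _base(f.get("Image", "")), _base(f.get("ParentImage", ""))
        if kind == "process" and image in OFFICE and parent in MAIL_CLIENTS:
            last_mail_open = ts  # a document opened straight from the mail client
        elif kind == "process" and parent in OFFICE:
            alerts.append(("office_spawned_child", ts_str, image))
        elif kind == "network" and image in OFFICE:
            host = f.get("DestinationHost", "").lower()
            recent = last_mail_open is not None and ts - last_mail_open <= WINDOW
            if host not in ALLOWED_HOSTS and recent:
                alerts.append(("office_callback_after_mail_open", ts_str, host))
    return alerts


# Constructed sample telemetry (hosts and paths are placeholders, not IoCs).
SAMPLE = [
    ("2022-08-22T09:00:05", "process", {"Image": "C:\\Office\\WINWORD.EXE",
                                         "ParentImage": "C:\\Office\\OUTLOOK.EXE"}),
    ("2022-08-22T09:00:09", "network", {"Image": "C:\\Office\\WINWORD.EXE",
                                         "DestinationHost": "stage2.example.invalid"}),
    ("2022-08-22T09:00:12", "process", {"Image": "C:\\Windows\\System32\\mshta.exe",
                                         "ParentImage": "C:\\Office\\WINWORD.EXE"}),
    ("2022-08-22T09:30:00", "network", {"Image": "C:\\Office\\WINWORD.EXE",
                                         "DestinationHost": "officecdn.microsoft.com"}),
]

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE):
        print(f"{ts} {rule}: {detail}")
```

The first two sample events fire the callback rule and the third fires the child-process rule, while the later allowlisted connection is ignored.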
Why this matters
Multi-stage infection chains make it hard for analysts to acquire the next-stage payloads.
Even when researchers can connect to the C2 server to request the payload, the server's gating makes it difficult to get a meaningful response.
The bottom line
Kimsuky is one of the most prolific threat actors from North Korea and operates multiple clusters, of which GoldDragon is a frequently reported cluster. The group has been consistently evolving its TTPs and coming up with unique techniques to evade detection and disrupt analysis.