Thallium Hacker Targeted Users of Private Stock Investment Messenger

Recently, ESTsecurity Security Response Center (ESRC) reported that a North Korean hacking group dubbed Thallium (aka APT37 and Kimsuky) has started leveraging new techniques to prey on stock investors.

Thallium’s supply chain attacks

Thallium has been carrying out supply chain attacks by targeting a private stock investment messaging application to ship malicious code.
  • The group relied on shipping malicious Windows installers and macro-laden Office documents to target stock investors.
  • Thallium has developed a Windows executable using the Nullsoft Scriptable Install System (NSIS) that contains malicious code in addition to the legitimate files from a legitimate stock investment application program.
  • Moreover, hackers are now using the XSL Script Processing technique for spear-phishing and supply chain attacks.
  • After infecting a system and initial screening, the hackers attempt to deploy a RAT on the machine.

A backdrop into Thallium

Active since at least 2012, Thallium has expanded its targeting to countries including the United States, Russia, and various nations in Europe and entities such as pharma companies researching COVID-19 vaccines and therapies, UN Security Council, South Korean ministries, military and defense organizations, various education organizations, human rights groups, etc.

Other Thallium activities

  • In November, Cybereason Nocturnus uncovered a modular spyware suite dubbed KGH_SPY, another malware strain dubbed CSPY Downloader, and a new server infrastructure used by Kimsuky.
  • In October, the US-CERT had published an advisory summarizing Kimusky’s recent activities and describing the group’s TTPs and infrastructure, including the BabyShark malware.

Concluding note

With attackers regularly investing in their tactics and infrastructure in an effort to make a larger impact, organizations need to revamp their security posture as well to leverage threat intelligence to counter them in early stage.