CyberWire Daily - The Kimsuky group from North Korea expands spyware, malware and infrastructure. [Research Saturday]

Episode Date: January 30, 2021

Guest Yonatan Striem-Amit joins us from Cybereason to share their Nocturnus Team research into Kimsuky. The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky (aka Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe. The research can be found here: Back to the Future: Inside the Kimsuky KGH Spyware Suite

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello everyone and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We encountered the malware during research for customer purposes, and as we started to investigate what is this new malware and what is going on here. That's Yonatan Striem-Amit. He's CTO and co-founder at Cybereason. The research we're discussing today is titled Back to the Future, Inside the Kimsuky KGH Spyware Suite.
Starting point is 00:02:16 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:02:51 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. We uncovered that, A, it was likely associated with Kimsuky,
Starting point is 00:03:43 so it's likely their activity, and B, represents a new technology and new block of intelligence built by the Kimsuky team. Well, let's go through the research together. Can you start off by giving us a little of the background here? What's some of the history when it comes to the Kimsuky group? Absolutely. Kimsuky is a fascinating group. Often considered to be officially working for the North Korean government or at the very least affiliated with them. Their purpose is clearly political.
Starting point is 00:04:15 They've historically been targeting mostly actors, mostly targets within the peninsula, talking about everything from think tanks and South Korean officials and similar groups relating to the South Korea and North Korea relationship. So as we're tracking them over the last couple of years, we're seeing the Kimsuky group transition from what originally was a very localized within the peninsula, looking at political targets, whether these are human rights activists or think tanks or South Korean institutions for defense analysis and education.
Starting point is 00:04:51 And we see them expanding their reach towards new targets that are serving political goals for the North Korean government. Everything from the global think tanks, human rights organizations, and government research institutes, journalists who have covered the area, and recently also companies working on COVID-19 and COVID-related research. Well, one of the things that you point out here in your research is the complexity of their infrastructure. Can you give us a description of what's going on when it comes to that aspect?
Starting point is 00:05:28 Kimsuky is adopting a relatively complex modern infrastructure. Everything from creating fake websites across various entities, using compromised assets that have legitimate history, compromising them, using them as jump boxes in command and control centers. Infrastructure from a code perspective, software they developed that is able to become very complex and mature spy kits, what's known in the industry as RATs, remote access toolkits, which basically give the operators of those tools complete control of every machine they're hitting. So it starts with a phishing campaign, most often delivered as a form of document, an attachment to an email talking about political changes in the area or groups or talks in the area or, in this particular case, relationship with Japan and the Japanese prime minister,
Starting point is 00:06:18 hoping that victims will end up executing that document and exploiting the vulnerabilities inside to then take over their machines and start collecting data from their environments. They are using infrastructure that is dedicated and has been registered as recently as early 2020. So it's a very active campaign. And using various techniques to try to hide and evade their detection across the assets that they may have access to. Now, one of the things that you speak of here in your research is the way that they use anti-forensics. You mentioned backdating or timestomping is how you refer to it. Can you take us through some of that?
Starting point is 00:06:58 Absolutely. One of the tricks they did here, which was interesting, is backdating the software or timestomping the software. So it appears to have been created many years ago, 2016, 2015, in that area. The motivation for that is often to confuse researchers when they try to look at the sea of information that they have available for them and trying to tell apart the wheat from the chaff and understand what's worthwhile. A lot of time, if something has been known and existing for a long time, it's very likely it does not exhibit new behaviors. This trick about timestomping is really their attempt to evade the researcher's attention,
Starting point is 00:07:37 thinking, oh, this is old and established. We don't need a reason to read that. However, when you start decomposing the other assets, whether it's code or servers on the internet or new domains that they use for communication, you quickly realize that all of them are relatively recent. Late 2019 to the past couple of months in 2020, you realize this is just an attempt to throw people off their scent and not the real creation of this malware.
Starting point is 00:08:03 Now, they're using a malware suite that is called KGH. What's going on with that? I don't have an interesting insight on the name itself. The string KGH comes from within the malware itself. So somebody in their build environment used the word KGH there. We do see, due to some operational mistakes from their end, that they have leaked a bit of information on how they're doing. So the project that was used to build this is called KGH.
Starting point is 00:08:32 We know that because the malware itself, the authors of the malware left some clues, accidentally most likely, in the malware that it was compiled within a spy framework. And this is a KGH browser exploitation toolkit. It's a part of a known toolkit for them. The word KGH has been known and associated by North Korean and Kimsuky group in the past, all the way from 2017 research by AhnLab,
Starting point is 00:09:00 which is a great South Korean-centered research entity and vendor. It's very likely that they've made a similar mistake of leaking that information on KGH multiple times. And they're making use of Word documents as well? Absolutely. One of the critical ways they deliver the malware is by sending phishing emails to their targets. The phishing emails have subjects such as interview with a North Korean defector. This would have a relatively high activation rate when they send it to various South Korean targets
Starting point is 00:09:37 as well as think tanks globally. If you had received an email, if the North Korean-South Korean relationship would have been something that you deeply care about, the think tank in the area, and you had received an email of a boutique interview, you are more likely to open this. So the psychological element of this attack are targeting with phishing content that is generated towards those targets. For example, for other targets, they used the interview with the prime minister of Japan, and there's a way to encourage people to open this data. Well, take me through the various functionalities that they're installing here, the bits of software, and there's a lot of different things that are in play here. Absolutely. The KGH spy and the Kimsuky kit we discovered here is a previously unknown kit that gives the operator basically unfettered control of your environment.
Starting point is 00:10:32 It starts with many of anti-malware evasion, so to get to execute what's known as fileless malware, so it doesn't actually have to drop multiple items on the disk and evasively execute its code on the machine. Once it's running, it is establishing connection back to the operator on the command and control channels through various assets on the internet that they have already, ahead of time, taken control of and gives the operators control of the environment. That could be things like recording audio. That could be things like stealing information from your browser, credentials, software. It includes recording your keys. As you type passwords or addresses, they can steal that information, taking screenshots, installing your software, and basically really doing anything as if they were physically sitting
Starting point is 00:11:22 in the computer right now on their own. Now, another thing that you all have tracked here is a new downloader that you all have named CSPY, I believe? Yes. So CSPY, again, is able to, it's part of a modular approach to malware authoring. What they send initially isn't the full malware. They only send a small beacon whose purpose is, once executed, is to reach out through the internet and download the rest.
Starting point is 00:11:50 The purpose of this has always been about smaller delivery and evasion. If this data is not executed, nothing is lost for them. But once it's executed, it starts a cascading effect of downloading more and more
Starting point is 00:12:02 content from the internet in order to give the operators of this malware more control. This is a common technique by malware author, but shows a level of sophistication in building new deployment capabilities for them. It's kind of the way in which you can equate that to a software vendor writing for you a very small installer as a beacon that then goes back and understands
Starting point is 00:12:26 and downloads the rest of the payload. And CSPY itself has some anti-analysis techniques built into it. CSPY itself has a few built-in technology, evasion techniques into it, indeed. It starts by actually using a signed certificate. This appears to be a signed software. Signed signatures are used a lot of the time in the industry
Starting point is 00:12:46 to verify authenticity of software. However, in this particular case, the certificate they used is by, of course, a different company called EGIS, which, of course, did not have anything to do with the malware itself. It was simply stolen from them and then used to sign the malware as described.
Starting point is 00:13:06 The certificate itself has been revoked, which means it is known globally that this is stolen and it no longer should be trusted. However, many systems are not able to correctly qualify and classify stolen signatures as being fake. And that's one of the evasion techniques it's using. The second is about the usual packing hiding of data checking whether it's running on a virtual machine to sort analysis checking whether
Starting point is 00:13:30 the memory looks as though it's running within a testing environment used by researchers. The content of the malware itself is encrypted, so the software, the CSPY software itself, decrypts itself as it's executing. So the cursory look by anybody but a very experienced reverse engineer is unable to find all of this, and any trace of this as being malicious. All of these tricks are targeted towards both automated and manual analysis, thwarting automated analysis, but also making it very difficult for researchers to take them down or to really understand what's going on there. So what are the take-homes for you? What are the things of note that people need to be aware of when it comes to Kimsuky? We're seeing Kimsuky as a very active group, currently
Starting point is 00:14:20 working really towards political agendas within the North Korean government. The operations that they execute are meant to further what is right now top of mind for the political leadership in the area. Unlike other North Korean groups who often dabble with financial related activities in order to fund some operation, Kimsuky looks to be purely an intelligence operation. And as such, they're very capable. They're increasing their sophistication, their abilities. They're still relying on the tried and true methods
Starting point is 00:14:56 of entering through phishing and entering through user mistakes to get access for it. And therefore, the first thing, of course, is to remember basic IT hygiene and training around what do you open and kind of not falling prey into all of those traps. The other, of course, are adopting a modern endpoint prevention, endpoint security style
Starting point is 00:15:18 that can be able to find, detect, and break the Kimsuky attack tools and be pertinent. Our thanks to Yonatan Striem-Amit for joining us. The research is titled Back to the Future: Inside the Kimsuky KGH Spyware Suite. We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:05 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm Dave Bittner. Thanks for listening.
