Kimsuky — a dangerous North Korean threat group that the Department of Homeland Security (DHS) last week warned is actively targeting US organizations — has acquired new tools for carrying out its cyber-espionage operations with greater stealth and precision.
Among those in its crosshairs are organizations in the pharmaceutical sector, research institutes, think tanks, and entities with a nexus to foreign policy and national security issues — including nuclear policy and sanctions — related to the Korean peninsula.
Cybereason, one of several security vendors that have been tracking Kimsuky over the past few years, this week said a new analysis shows the group has acquired previously undocumented capabilities that make it more potent.
Among them is a modular spyware suite dubbed KGH_SPY, with components for collecting sensitive data, spying on users, executing arbitrary commands, planting backdoors, and carrying out other malicious activities. One of KGH_SPY's components is an information stealer that can harvest data from browsers, Windows Credential Manager, WinSCP, and mail clients. At the time the report was written, no antivirus vendor's products detected the component, Cybereason said. Kimsuky is also using another new tool, CSPY, to evade malware detection tools and to determine whether a system is safe for it to download additional malware onto.
"The newly discovered tool set appears to be very focused on information collection, likely to support [Kimsuky's] espionage efforts," says Assaf Dahan, senior director, head of threat research, at Cybereason.
The malware seems to be the newest addition to Kimsuky's arsenal and shows how the group keeps retiring older tools that have either been exposed by security researchers or become outdated, Dahan says.
Kimsuky — also tracked as Thallium, Velvet Chollima, and Black Banshee by various vendors — is a threat group that has been around since at least 2012. The US government and others have described it as being part of a broader set of North Korea-sponsored malicious activity collectively referred to as "Hidden Cobra."
Over the years, Kimsuky has been associated with numerous attacks designed apparently to gather intelligence on topics of interest to Pyongyang. In that respect, the group is different from other North Korean groups, such as Lazarus, which have also conducted financially motivated attacks — like ransomware attacks, cryptomining, and online bank heists — to raise finances for the cash-strapped government.
Pharmaceuticals, Research Companies Being Targeted
Dahan says Kimsuky poses a particular threat to pharmaceutical and research companies working on COVID-19 vaccines and therapies, human rights groups, education and academic organizations, government research institutes, and journalists covering the Korean peninsula.
Last week, the FBI, the DHS's Cybersecurity and Infrastructure Security Agency (CISA), and US Cyber Command's Cyber National Mission Force (CNMF) released a joint advisory with details on the group's tactics, techniques, and procedures.
The advisory warned that Kimsuky is actively engaged in a global intelligence-gathering campaign, most likely on behalf of the North Korean regime. It urged organizations likely to be of interest to the group to be on the lookout for watering-hole attacks, spear-phishing, and other social engineering tactics designed to gain initial access to their networks.
In previous attacks, the group has been known to send benign emails to targets in an attempt to gain their trust, the advisory noted. Often the recipients are regarded as experts in their field. One tactic the group has used is for members to pose as South Korean reporters seeking to schedule an interview with a particular target on some matter pertinent to the Korean peninsula. Targets who fall for the scam have subsequently received email messages with a malicious attachment or a Google Drive link in the body.
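The two-step lure the advisory describes (a benign first contact to build rapport, then a follow-up carrying an attachment or a Google Drive link) is easy to miss when each message is scored on its own. The following is an added example, not code from Cybereason, CISA, or the article, of a mailbox triage heuristic that remembers per-sender history and scores a payload-bearing message higher when the same external sender previously sent only benign mail or used a reporter/interview pretext. Every address, domain, message, the list of "risky" attachment extensions, the pretext keywords, and the score weights are constructed assumptions to be tuned per environment, not a published detection signature.

```python
"""Heuristic triage for the rapport-then-payload email lure described above.
Added example: senders, domains, messages, extensions, keywords and weights
are all constructed assumptions, not a vendor or government detection rule."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


# Assumption: the protected organisation's own mail domains.
INTERNAL_DOMAINS = {"example.org"}
# Google Drive / Docs share links embedded in the message body.
GDRIVE_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/\S+", re.I)
# Assumption: attachment types worth a second look; tune to your environment.
RISKY_EXT = (".doc", ".docx", ".hwp", ".zip", ".lnk", ".exe", ".js")
# Pretext vocabulary taken from the advisory's description (reporter seeking an interview).
PRETEXT_RE = re.compile(r"\b(reporter|journalist|interview|correspondent)\b", re.I)


def _external(addr: str) -> bool:
    """True when the sender's domain is not one of ours."""
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage(messages: List[Email]) -> List[dict]:
    """Walk messages in arrival order, keep per-sender state, and return one
    alert per external payload-bearing message, highest score first."""
    history: Dict[str, dict] = {}
    alerts: List[dict] = []
    for m in messages:
        state = history.setdefault(m.sender, {"benign": 0, "pretext": False})
        if PRETEXT_RE.search(m.subject + " " + m.body):
            state["pretext"] = True
        links = GDRIVE_RE.findall(m.body)
        risky = [a for a in m.attachments if a.lower().endswith(RISKY_EXT)]
        if not (links or risky):
            state["benign"] += 1  # rapport-building message: nothing to detonate
            continue
        if not _external(m.sender):
            continue  # internal sender: out of scope for this heuristic
        score, reasons = 0, []
        if state["benign"]:
            score += 2
            reasons.append(f"{state['benign']} prior benign message(s) from sender")
        if state["pretext"]:
            score += 1
            reasons.append("reporter/interview pretext in thread")
        if links:
            score += 1
            reasons.append("Google Drive link in body")
        if risky:
            score += 1
            reasons.append("attachment: " + ", ".join(risky))
        alerts.append({"sender": m.sender, "recipient": m.recipient,
                       "subject": m.subject, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample mailbox, in arrival order.
SAMPLE = [
    Email("jlee@news-example.net", "analyst@example.org",
          "Interview request on DPRK sanctions",
          "Hello, I am a reporter covering the Korean peninsula. Would you be "
          "free for a short interview next week?"),
    Email("colleague@example.org", "analyst@example.org",
          "Draft agenda", "Attached as discussed.", ["agenda.docx"]),
    Email("jlee@news-example.net", "analyst@example.org",
          "Re: Interview request",
          "Thank you. My questions are here: "
          "https://drive.google.com/file/d/CONSTRUCTED_ID/view"),
    Email("promo@vendor-example.com", "analyst@example.org",
          "Whitepaper",
          "Download: https://docs.google.com/document/d/CONSTRUCTED/edit"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["score"], a["sender"], "|", "; ".join(a["reasons"]))
```

The point of keeping sender state is that the follow-up message from the fake reporter outscores a cold marketing mail carrying the same kind of link; the internal colleague's attachment never alerts because the heuristic only targets external senders. In production the history would live in a mail gateway or SIEM rather than a dictionary, and the scores would feed a review queue rather than block mail outright.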
Users or administrators should flag activity associated with the malware and report it to CISA or the FBI, the alert said. "Give the activity the highest priority for enhanced mitigation," it noted.
Dahan says it's unclear what exactly might have prompted the advisory at this time. "Kimsuky is one of the most industrious threat groups operating in the current cyber-threat landscape," he says. "I can speculate that based on the increase in the group's activity that we have been seeing, targeting various industries worldwide and American interests, they might have found it timely to issue that threat report."