North Korea-Linked Group Levels Multistage Cyberattack on South Korea

North Korea-linked threat group Kimsuky has adopted a longer, eight-stage attack chain that abuses legitimate cloud services and employs evasive malware to conduct cyber espionage and financial crimes against South Korean entities.

In a campaign dubbed "DEEP#GOSU," which is attributed to the group, the cyber-espionage operators were very much focused on a strategy of "living off the land," using commands to install a variety of .NET assemblies — legitimate code components for .NET applications — to create the foundation of the attacker's toolkit, researchers from Securonix wrote in a threat analysis today.

Kimsuky also used LNK files attached to emails, command scripts downloads from Dropbox, and code written in PowerShell and VBScript to conduct offensive operations.

While typical cyberattacks use five or fewer stages, the DEEP#GOSU campaign used eight. And though some of the tools could be detected by antivirus scanners and other defensive technologies, the attackers actively aimed to foil detection, says Oleg Kolesnikov, vice president of threat research at Securonix.

"There were many different components and payloads, and different payload components had different scanner detection rates," he says. "Since the attackers actively used evasion and disruption of security tool techniques — including shutting down security tools and adding payloads to exclusions, among others — the number of scanners detecting this was likely less relevant in this case."

The Kimsuky group — also known as APT43, Emerald Sleet, and Velvet Chollima — ramped up its activity in 2023, shifting to a greater focus on cryptocurrency in addition to its traditional focus on cyber espionage. Kimsuky is well known for its skilled spear-phishing, and not necessarily for its technical sophistication, but the latest attack demonstrated that the group has evolved somewhat, according to the analysis penned by three researchers at Securonix.

"The malware payloads ... represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint," the trio of researchers stated in their analysis. "Each stage was encrypted using AES and a common password and IV [initialization vector] which should minimize network, or flat file scanning detections."

Using Dropbox and Google to Evade Security Controls

The first stage of the attack executes when the user opens a LNK file attached to an email, which downloads PowerShell code from Dropbox. The code executed during the second stage downloads additional scripts from Dropbox and prompts the compromised system to install a remote access Trojan, the TutClient, at Stage 3.

The heavy use of Dropbox, and Google in later stages, helps avoid detection, Securonix's threat researchers stated in the analysis.

"All of the C2 communication is handled through legitimate services such as Dropbox or Google Docs allowing the malware to blend undetected into regular network traffic," they wrote. "Since these payloads were pulled from remote sources like Dropbox, it allowed the malware maintainers to dynamically update its functionalities or deploy additional modules without direct interaction with the system."

The later stages of the attack install a script that randomly executes in a matter of hours to help monitor and control systems and provide persistence. The final stage monitors user activity through logging keystrokes on the compromised system.

Multistage Attacks Highlight Defense in Depth

While detection rates for the initial stages of the attack ranged from 5% to 45% for host-based security, network security platforms may have a hard time detecting the later stages of the attacks because the Kimsuky threat actors use encrypted traffic, legitimate cloud file-transfer services, and downloaded .NET components.

The multipronged attack highlights the benefits of having multiple layers of defenses, Kolesnikov says.

"In our experience, in cases such as this, up-to-date antivirus may not be enough because the behaviors exhibited include disrupting and evading security tools," Kolesnikov says. "Our recommendation is for organizations to leverage defense-in-depth so as not to rely on any specific security tool alone."

Email security gateways, for example, would likely block the LNK file because of its massive 2.2MB size, compared with typical sizes measured in kilobytes, he says.