Kimsuky
Associated Group Descriptions |
|
Name | Description |
---|---|
Black Banshee | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021) |
THALLIUM | (Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) |
APT43 | (Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) |
Emerald Sleet | (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Proofpoint TA427 April 2024) |
TA427 | (Citation: Proofpoint TA427 April 2024) |
Velvet Chollima | (Citation: Zdnet Kimsuky Dec 2018)(Citation: ThreatConnect Kimsuky September 2020)(Citation: Malwarebytes Kimsuky June 2021) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1098 | .007 | Account Manipulation: Additional Local or Domain Groups |
Kimsuky has added accounts to specific groups with |
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.(Citation: ThreatConnect Kimsuky September 2020)(Citation: Zdnet Kimsuky Group September 2020)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024) |
.004 | Acquire Infrastructure: Server |
Kimsuky has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzabi) |
||
.006 | Acquire Infrastructure: Web Services |
Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.(Citation: Talos Kimsuky Nov 2021) |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Kimsuky has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021) |
.002 | Application Layer Protocol: File Transfer Protocols |
Kimsuky has used FTP to download additional malware to the target machine.(Citation: VirusBulletin Kimsuky October 2019) |
||
.003 | Application Layer Protocol: Mail Protocols |
Kimsuky has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky) |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Kimsuky has used QuickZip to archive stolen files before exfiltration.(Citation: Talos Kimsuky Nov 2021) |
.003 | Archive Collected Data: Archive via Custom Method |
Kimsuky has used RC4 encryption before exfil.(Citation: Securelist Kimsuky Sept 2013) |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` Registry key.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Kimsuky has executed a variety of PowerShell scripts including Invoke-Mimikatz.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Kimsuky has executed Windows commands by using `cmd` and running batch scripts.(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Kimsuky has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021) Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021) |
||
.006 | Command and Scripting Interpreter: Python |
Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.(Citation: CISA AA20-301A Kimsuky)(Citation: KISA Operation Muzabi) |
||
.007 | Command and Scripting Interpreter: JavaScript |
Kimsuky has used JScript for logging and downloading additional tools.(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky) |
||
Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
Kimsuky has compromised email accounts to send spearphishing e-mails.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021) |
Enterprise | T1584 | .001 | Compromise Infrastructure: Domains |
Kimsuky has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024) |
Enterprise | T1136 | .001 | Create Account: Local Account |
Kimsuky has created accounts with |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Kimsuky has created new services for persistence.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky) |
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.(Citation: Zdnet Kimsuky Dec 2018)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Kimsuky has staged collected data files under |
Enterprise | T1587 | .001 | Develop Capabilities: Malware |
Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.(Citation: KISA Operation Muzabi)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024) |
Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.(Citation: KISA Operation Muzabi) |
.003 | Email Collection: Email Forwarding Rule |
Kimsuky has set auto-forward rules on victim's e-mail accounts.(Citation: CISA AA20-301A Kimsuky) |
||
Enterprise | T1585 | .001 | Establish Accounts: Social Media Accounts |
Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.(Citation: KISA Operation Muzabi) |
.002 | Establish Accounts: Email Accounts |
Kimsuky has created email accounts for phishing operations.(Citation: KISA Operation Muzabi)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024) |
||
Enterprise | T1546 | .001 | Event Triggered Execution: Change Default File Association |
Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.(Citation: Securelist Kimsuky Sept 2013) |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.(Citation: Talos Kimsuky Nov 2021) |
Enterprise | T1589 | .002 | Gather Victim Identity Information: Email Addresses |
Kimsuky has collected valid email addresses including personal accounts that were subsequently used for spearphishing and other forms of social engineering.(Citation: Malwarebytes Kimsuky June 2021)(Citation: Proofpoint TA427 April 2024) |
.003 | Gather Victim Identity Information: Employee Names |
Kimsuky has collected victim employee name information.(Citation: KISA Operation Muzabi) |
||
Enterprise | T1564 | .002 | Hide Artifacts: Hidden Users |
Kimsuky has run |
.003 | Hide Artifacts: Hidden Window |
Kimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021) |
||
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021) |
.004 | Impair Defenses: Disable or Modify System Firewall |
Kimsuky has been observed disabling the system firewall.(Citation: Securelist Kimsuky Sept 2013) |
||
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
.006 | Indicator Removal: Timestomp |
Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.(Citation: Cybereason Kimsuky November 2020) |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Kimsuky has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky) |
.005 | Masquerading: Match Legitimate Name or Location |
Kimsuky has renamed malware to legitimate names such as |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Kimsuky has gathered credentials using Mimikatz and ProcDump.(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi) |
Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Kimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021) |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024) |
.005 | Obtain Capabilities: Exploits |
Kimsuky has obtained exploit code for various CVEs.(Citation: KISA Operation Muzabi) |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.(Citation: Zdnet Kimsuky Dec 2018)(Citation: Securelist Kimsuky Sept 2013)(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
.002 | Phishing: Spearphishing Link |
Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi) |
||
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
Kimsuky has used links in e-mail to steal account information including web beacons for target profiling.(Citation: VirusBulletin Kimsuky October 2019)(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)(Citation: Proofpoint TA427 April 2024) |
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.(Citation: Talos Kimsuky Nov 2021) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Kimsuky has used RDP for direct remote point-and-click access.(Citation: Netscout Stolen Pencil Dec 2018) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Kimsuky has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi) |
Enterprise | T1593 | .001 | Search Open Websites/Domains: Social Media |
Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.(Citation: Malwarebytes Kimsuky June 2021) |
.002 | Search Open Websites/Domains: Search Engines |
Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.(Citation: KISA Operation Muzabi) |
||
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding "Dinosaur" references within the code.(Citation: CISA AA20-301A Kimsuky) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Kimsuky has checked for the presence of antivirus software with |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
Kimsuky has used compromised and acquired infrastructure to host and deliver malware including Blogspot to host beacons, file exfiltrators, and implants.(Citation: Talos Kimsuky Nov 2021)(Citation: Mandiant APT43 March 2024) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Kimsuky has signed files with the name EGIS CO,. Ltd..(Citation: ThreatConnect Kimsuky September 2020) |
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
Kimsuky has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi) |
.010 | System Binary Proxy Execution: Regsvr32 |
Kimsuky has executed malware with |
||
.011 | System Binary Proxy Execution: Rundll32 |
Kimsuky has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Talos Kimsuky Nov 2021) |
||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
Kimsuky has used tools that are capable of obtaining credentials from saved mail.(Citation: Netscout Stolen Pencil Dec 2018) |
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Kimsuky has used pass the hash for authentication to remote access software used in C2.(Citation: CISA AA20-301A Kimsuky) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Kimsuky has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi) |
.002 | User Execution: Malicious File |
Kimsuky has used attempted to lure victims into opening malicious e-mail attachments.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: Talos Kimsuky Nov 2021) |
||
Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.(Citation: Netscout Stolen Pencil Dec 2018) |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Kimsuky has used Blogspot pages for C2.(Citation: Talos Kimsuky Nov 2021) |
References
- Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
- ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
- Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024.
- ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
- Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
- AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021.
- ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.