Kimsuky APT Group Targeting Android Devices – Active IOCs

Severity

High

Analysis Summary

Kimsuky is a North Korean nation-state actor that has been active since 2012. It primarily targets South Korean government agencies and conducts espionage activities against targets in the United States and Japan. Kimsuky has dropped a custom backdoor which they are calling Gold Dragon. Kimsuky deploys Gold Dragon, a second-stage backdoor, after a file-less PowerShell-deploying first-stage attack is dropped. 

This group has the ability to put up phishing infrastructure that can effectively imitate well-known websites and fool users into entering their passwords. Kimsuky APT is also known by the names Thallium, Black Banshee, and Velvet Chollima. KISA (Korean Internet & Security Agency) published a full investigation of Kimsuky’s phishing infrastructure and TTPs used to attack South Korea in December 2020. To get Initial Access to victim networks, Kimsuky’s threat actors use a variety of spear phishing and social engineering techniques. This group is responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise, and other major campaigns like Operation Kabar Cobra(2019).

Kimsuky was observed using recently discovered mobile malware to target Android devices.
Researchers gave the malicious APKs the names FastFire, FastViewer, and FastSpy by including the word Fast in the package name and describing each one’s characteristics.

The Kimsuky group has been conducting constant attacks on mobile devices in order to steal the target’s information. Their sophisticated technique is Firebase, a standard service employed as the C&C server in FastFire. Furthermore, some attempts are being made to avoid detection by modifying Androspy, an open-source RAT.

Sophisticated attack vectors, similar to FastViewer, are utilized to attack specified targets, and existing open sources are being leveraged to produce high-performance variations such as FastSpy.

FastViewer and FastSpy were actually employed to attack South Koreans, and all three APKs.

The mobile targeting approach of the Kimsuky organisation is becoming more advanced, thus it is important to be cautious about sophisticated attacks aimed at Android smartphones or devices.

Impact

• Information theft and espionage
• Exposure of sensitive data

Indicators of Compromise

MD5

• 9b9c13234903dd0f27b139f3f2a46cad

SHA-256

• 6a350e114a7111453716482625cf5fc36bcf63be365bf8fd785234d51e1a9d34

SHA-1

• 39756bb57c958781cd1295075f7c24f1e8453429

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Maintain daily backups of all computer networks and servers.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets
• Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.