Rewterz Threat Alert – Kimsuky APT Uses Backdoor Attacks on South Korean Research Institutes – Active IOCs

Severity

High

Analysis Summary

The North Korean state-backed threat group known as Kimsuky is targeting research institutes in South Korea with spear-phishing to infect the target systems with backdoor trojans and ultimately execute commands for stealing sensitive data.

The attack chain starts with a lure for import declaration, which is a malicious JSE file with an obfuscated PowerShell script, a decoy PDF document, and a Base64-encoded payload. The PDF file serves as a diversion while the PowerShell script is executed in the background so it can launch the backdoor.

“A legitimate PDF file is saved under the file name ‘Import Declaration.PDF’ and automatically executed by the PowerShell script. This file contains the attack target’s information,” the researchers said.

The malware is designed to harvest network information and other sensitive data like the username, hostname, and operating system information, then it is transferred after being encoded to the remote server. It can also run commands, terminate itself, and execute additional payloads.

Kimsuky has been active since at least 2012 and it mainly targeted South Korean government organizations, individuals, and think tanks, but has now expanded to Russia, Europe, and the U.S. Earlier this month, the U.S. Treasury sanctioned Kimsuky because of its involvement in supporting North Korea’s strategic objectives by gathering intelligence. The APT group has also been seen utilizing malicious URLs that download ZIP archives pretending to be an update for the Chrome browser.

The development comes as researchers discovered another notorious North Korean threat actor Lazarus carrying out a large-scale phishing campaign using Telegram to target the cryptocurrency sector. The cybercriminal group has evolved its tactics by posing as investment institutions to send out phishing emails, deceiving the targets into downloading a malicious script.

Lazarus group’s sub-cluster called Andariel is also launching campaigns to steal technical information regarding anti-aircraft weapon systems from defense companies and sending the money earned from ransoms back to North Korea. Security analysts estimate that more than 250 files of about 1.2 terabytes have been stolen in these attacks.

Impact

• Sensitive Information Theft
• Cyber Espionage
• Financial Loss

Indicators of Compromise

MD5

• d2335df6d17fc7c2a5d0583423e39ff8
• d6abeeb469e2417bbcd3c122c06ba099

SHA-256

• b1361b67025b44a86af61c1863c98fb90b810d2bef6820b6aba7ffc1dc298546
• 97df5304f53fec6a5d2d2bd75b9310a3747b681520fe45d2961bc4df86e556d7

SHA-1

• fa3fa48f0666d638fbcec65c91f60bff7738dab3
• 8052806a4c92bad7ef242256106f38c67ff3f17d

URL

• http://rscnode.dothome.co.kr/index.php
• http://rscnode.dothome.co.kr/upload.php

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• it is also recommended that individuals and organizations use secure and encrypted communication channels, such as VPNs and encrypted email when transmitting sensitive information.
• Additionally, the use of multi-factor authentication can help to reduce the risk of sensitive information being stolen by attackers.