Nation-state actors affiliated with North Korea [2] [5] [6], specifically the advanced persistent threat group known as Kimsuky [2] [5] [6], have been using spear-phishing attacks for over a decade to target various entities. This has raised concerns about cybersecurity and the evasion of international sanctions.

Description

Kimsuky [1] [2] [3] [4] [5] [6], a North Korean-backed group [1] [3], has been active since 2013 [3]. Initially, they targeted South Korean research institutes and later a South Korean energy corporation in 2014 [3]. Over time, their operations expanded to other regions, including Russia, the United States [1], and European nations [1]. Their espionage campaigns use spear-phishing with malicious lure files that deploy different malware families [2] [4]; the lures include shortcut-type malware in LNK file format [1], JavaScript [1] [3], and malicious documents [1] [2] [4] [5].
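Because LNK lures are one of the delivery formats named above, a defender triaging spear-phishing attachments wants a quick way to see what a shortcut would actually launch before anyone double-clicks it. The following is an added example written for this summary, not code from the original article or from any of the vendors it cites. It parses the fixed ShellLinkHeader and the StringData section of the Windows Shell Link format (MS-SHLLINK) and applies generic heuristics for lure-shaped shortcuts: an interpreter or LOLBin as the target, a minimised window, hidden or encoded arguments, a document icon on a shortcut that runs an interpreter, and a large trailing blob after the structured data. Assumptions: the target is read from the RELATIVE_PATH string (the LinkTargetIDList is skipped, not decoded), and the two sample shortcuts are constructed inline for the demonstration, not real samples.

```python
"""Defensive triage of Windows shortcut (.lnk, MS-SHLLINK) files.

Added example; not code from the original article or from any of the vendors
it cites. Assumptions: the target is read from RELATIVE_PATH (the
LinkTargetIDList is skipped, not decoded), and the sample shortcuts below are
constructed here, not real malware.
"""
import base64
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the window out of sight
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
DOC_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord", "hwp", ".docx", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand, StringData fields and where StringData ends."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += count * width
        strings[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return {"flags": flags, "show_command": show_command,
            "string_data_end": pos, "size": len(data), **strings}


def triage_lnk(data: bytes) -> list:
    """Heuristic findings for a shortcut; an empty list means nothing stood out."""
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon_location", "").lower()
    findings = []
    runs_interpreter = any(i in target for i in INTERPRETERS)
    if runs_interpreter:
        findings.append("target is a script interpreter or LOLBin")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand keeps the window minimised")
    if any(k in args for k in ("-w hidden", "windowstyle hidden", "-enc", "frombase64string")):
        findings.append("arguments hide the window or carry an encoded command")
    if runs_interpreter and any(h in icon for h in DOC_ICON_HINTS):
        findings.append("document icon on a shortcut that runs an interpreter")
    if info["size"] - info["string_data_end"] > 64 * 1024:
        findings.append("large trailing data after StringData (possible embedded payload)")
    return findings


def build_lnk(relative_path, arguments, icon, show_command, padding=0) -> bytes:
    """Assemble a minimal Unicode shortcut for testing (constructed, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def ustr(s):  # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + ustr(relative_path) + ustr(arguments) + ustr(icon) + b"\0" * padding


def lure_sample() -> bytes:
    """Constructed lure-shaped shortcut: minimised PowerShell with an inert encoded
    command, a Word icon and 100 KiB of trailing bytes."""
    enc = base64.b64encode("Write-Output demo".encode("utf-16-le")).decode()
    return build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-w hidden -enc " + enc,
                     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                     SW_SHOWMINNOACTIVE, padding=100 * 1024)


def benign_sample() -> bytes:
    """Constructed ordinary shortcut to Notepad with a normal window."""
    return build_lnk(r"..\..\..\Windows\System32\notepad.exe", "",
                     r"%SystemRoot%\System32\notepad.exe", 1)


if __name__ == "__main__":
    for label, blob in (("lure", lure_sample()), ("benign", benign_sample())):
        print(label, triage_lnk(blob) or ["no findings"])
```

The heuristics are deliberately coarse: they are a triage aid for a mail gateway or an analyst's sandbox, not a verdict, and a real shortcut may carry its target only in the LinkTargetIDList, which this parser skips. Running the script prints five findings for the constructed lure and none for the Notepad shortcut.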

One notable backdoor used by Kimsuky is AppleSeed [2] [5], which has been in use since May 2019 [5]. It has since been updated with an Android version and a new variant called AlphaSeed [2] [5], written in Golang [2] [4] [5]. AlphaSeed uses the Golang library chromedp for communication with the command-and-control server [2] [5], while AppleSeed relies on HTTP or SMTP protocols [2]. Evidence suggests that Kimsuky has been using AlphaSeed since October 2022 [5], sometimes alongside AppleSeed on the same target system [5].

Kimsuky has also been observed using Meterpreter and VNC malware like TightVNC and TinyNuke to gain control over compromised systems [2] [4]. They have recently switched from RDP to Chrome Remote Desktop for better control [3]. Additionally, North Korean actors have been using fraudulent online personas on LinkedIn and GitHub to obtain remote employment and generate revenue for the regime [2].

Conclusion

These attacks highlight North Korea’s efforts to evade international sanctions and profit from cyber schemes [2] [4]. The US government recently sanctioned Kimsuky for gathering intelligence to support North Korea’s strategic objectives [5]. The activity has been attributed to Kimsuky by South Korea-based cybersecurity company AhnLab.

Kimsuky’s consistent focus on South Korean users [1], along with their global expansion [1], poses a continuous challenge to cybersecurity [1]. It is crucial for organizations and individuals to remain vigilant against spear-phishing attacks and to implement robust cybersecurity measures to mitigate the risks posed by Kimsuky and similar threat actors.

References

[1] https://securityonline.info/appleseed-malware-the-evolving-threat-of-the-kimsuky-group/
[2] https://thehackernews.com/2023/12/kimsuky-hackers-deploying-appleseed.html
[3] https://cybersecuritynews.com/kimsuky-appleseed-malware/
[4] https://owasp.or.id/2023/12/29/kimsuky-hackers-deploying-appleseed-meterpreter-and-tinynuke-in-latest-attacks/
[5] https://www.redpacketsecurity.com/kimsuky-hackers-deploying-appleseed-meterpreter-and-tinynuke-in-latest-attacks/
[6] https://www.oitc.ca/alerts/kimsuky-hackers-deploying-appleseed-meterpreter-and-tinynuke-in-latest-attacks/