Rapid7, a leading cybersecurity firm, has released an in-depth report on the Kimsuky advanced persistent threat (APT) group, a North Korean state-sponsored actor. Known for targeting government, research, and think tank organizations globally, Kimsuky operates under North Korea’s Reconnaissance General Bureau (RGB). Despite moderate technical skills, Kimsuky excels in social engineering, often creating intricate personas to execute sophisticated phishing attacks.
Tactics, Techniques, and Procedures (TTPs)
Social Engineering Expertise
Kimsuky’s primary strength lies in its adept use of social engineering. The group constructs detailed backstories and engages in multiple email exchanges to build trust before attempting to phish their targets. This method has been extended to platforms like Facebook, highlighting their ability to adapt and leverage various communication channels.
Email Spoofing via Permissive DMARC Policies
Kimsuky exploits permissive Domain-based Message Authentication, Reporting & Conformance (DMARC) policies to spoof emails. By modifying email headers, they bypass authentication checks and appear to send from legitimate organizations. The technique works because many organizations publish a DMARC record that only monitors (or none at all) rather than one that instructs receivers to reject failing mail.
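A defender's first check against this technique is whether their own domain's DMARC record actually enforces anything. The following is an added example, not code from the Rapid7 report: it parses a DMARC TXT record and lists the settings that would let a spoofed "From:" header through. The two records are constructed samples; in practice the record is fetched from the `_dmarc.<domain>` TXT entry.

```python
from typing import Dict, List, Optional

# Constructed sample records (not taken from the report): a monitor-only
# policy that spoofed mail sails past, and a hardened one that rejects it.
PERMISSIVE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.org"
)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return the reasons a record would let spoofed mail through.
    An empty list means failing mail is rejected for the domain and subdomains."""
    if record is None:
        return ["no DMARC record published: receivers apply no policy at all"]
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam, not rejected")
    # sp defaults to p when absent, so a p=none record also leaves subdomains open.
    if tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains can be spoofed without any action")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages get the policy")
    return findings
```

Running `assess_dmarc` over both samples shows the permissive record produces findings for both `p` and the inherited `sp`, while the hardened record produces none.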
Malware Delivery Methods
Kimsuky’s malware is typically delivered through LNK (shortcut) or CHM (Compiled HTML Help) files. LNK files download subsequent stages from public services such as the Dropbox API, while CHM files abuse their built-in ability to execute HTML and JavaScript. Another emerging tactic involves .msc files, the format used by Microsoft Management Console, masquerading as documents.
Targeted Sectors
Kimsuky primarily targets entities involved in nuclear policy or geopolitics, especially those related to North Korean interests. Their geographical focus includes South Korea, the United States, Japan, and various European countries. Common lures involve themes like payments, crypto regulations, and trusted installers with signed binaries.
Infrastructure and Persistence Techniques
Rapid7’s tracking reveals Kimsuky’s extensive use of numerous hosting providers and ASNs worldwide, frequently reusing IP addresses and registering domain names that resemble those of their targets. They use free certificate services to lend legitimacy to their phishing sites.
For mailbox access, Kimsuky relies on valid credentials but also employs common persistence techniques such as run keys, services, scheduled tasks, and system binary proxy execution, often utilizing obfuscated PowerShell scripts.