A North Korean hacker gang has been targeting South Korean think tanks with malware-laced blog posts. The state-sponsored advanced persistent threat (APT) organization has been trying to place monitoring and theft-based malware on target devices in a new campaign that has been followed since June 2021.
The Kimsuky APT, also known as Thallium or Black Banshee, was blamed for the wave of cyberattacks by Cisco Talos researchers on Wednesday. During such attacks, malicious Blogspot content is used to entice South Korean think tanks working on political, diplomatic, and military issues involving North Korea, China, Russia, and the United States. Geopolitical and aeronautical companies, in particular, seem to be on the APT’s radar.
In 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) published an alert on the APT, stating that the North Korean government has tasked the state-sponsored organization with “global intelligence collection.” South Korea, Japan, and the United States have all had previous victims.
Compensation forms, surveys, and research documents attached to emails have been used as phishing lures in the past, according to AhnLab, and fraudulent Microsoft Office documents are still a primary attack vector in the Talos-detected campaign. Malicious VBA macros are usually included in documents, and when activated, they download payloads from Blogspot.
The blogposts, according to the researchers, contain three types of malware based on the Gold Dragon/Brave Prince malware family: initial beacons, file stealers, and implant deployment scripts, the latter of which is designed to infect endpoints and launch additional malware components such as a keylogger, information stealer, and a file injector module for website login credential theft.
While some APTs would attempt to steal whatever data they can from an infected computer, Kimsuky has taken a different strategy. Instead, the threat actors will look for data that are of special interest to them.
It covers data on North Korea, denuclearization, US-China-Russia ties, rocket designs, aviation fuel research, fluid mechanics, and material science, among other topics. Google was notified of the researchers’ findings, and the malicious blog post has subsequently been deleted. However, Kimsuky’s actions are unlikely to be halted as a result of this.