A North Korean threat actor has been targeting South Korean government officials and institutions in a campaign that dates back to 2012, according to researchers.
According to security firm Malwarebytes, the attacks were carried out by the threat actor known as Kimsuky, also tracked as Velvet Chollima, Black Banshee, and Thallium. Targets included the Korea Internet and Security Agency (KISA), an officer at the International Atomic Energy Agency (IAEA), the UN's nuclear watchdog, South Korea's Ministry of Foreign Affairs, the Ambassador of the Embassy of Sri Lanka to the State, the Deputy Consul General at the Korean Consulate General in Hong Kong, Seoul National University, and Daishin Securities.
These are just the latest efforts by Kimsuky that focused on South Korea’s institutions, part of the group’s campaign to destabilize the country. Largely believed to be operating on behalf of the North Korean regime, the APT has also expanded its victimology to include the U.S., Russia, and countries in Europe.
Kimsuky has also used a modular spyware suite called KGH_SPY, which can steal sensitive information from compromised hosts and support targeted intrusions into networks, as well as a loader known as CSPY Downloader.
Kimsuky’s phishing infrastructure consists of numerous websites that mimic popular email clients like Gmail and Outlook, but also Telegram. These phishing sites then trick victims into providing their credentials.
“This is one of the main methods used by this actor to collect email addresses that later will be used to send spear-phishing emails,” Malwarebytes researcher Hossein Jazi said.
Kimsuky’s social engineering operations are mainly carried out through email phishing. The goal is to get a victim to open a ZIP archive, which leads to the deployment of a backdoor called AppleSeed.
Besides Windows users, the actor also targets Android devices with a backdoor that uses the same infrastructure as the AppleSeed backdoor.
“The Android backdoor can be considered as the mobile variant of the AppleSeed backdoor. It uses the same command patterns as the Windows one. Also, both Android and Windows backdoors have used the same infrastructure.”
AppleSeed is a full-featured backdoor that logs keystrokes, collects documents with specific file extensions, takes screenshots, and harvests data from removable media devices.
The malware’s operators refer to themselves as “Thallium,” the name Microsoft gave to this nation-state hacking group.