Kimsuky APT Group

Initial Access: Spearphishing is Kimsuky's most common initial access vector. They craft highly targeted emails, often impersonating trusted sources or leveraging topics of interest to the recipient. These emails may contain malicious attachments (such as weaponized Office documents, HWP files, or CHM files) or links to credential-harvesting websites. They also use watering hole attacks, compromising websites frequented by their targets. One should always be aware of types of phishing attacks.

Execution: Kimsuky leverages various techniques for code execution. They frequently use command and scripting interpreters, including PowerShell, VBScript, and batch scripts. They exploit vulnerabilities in software like Microsoft Office and Hangul Word Processor. Malicious CHM (Compiled HTML Help) files have become a hallmark of recent Kimsuky campaigns.

Persistence: The group employs multiple persistence mechanisms to maintain access to compromised systems. These include creating new services, modifying registry keys (especially Run keys), using scheduled tasks, and installing malicious browser extensions. Understanding the Windows Registry is crucial for identifying these persistence mechanisms.

Privilege Escalation: Kimsuky utilizes techniques like process injection and exploits like Win7Elevate to gain elevated privileges on compromised systems. They are always looking for a privilege escalation attack.

Defense Evasion: They employ various techniques to evade detection, including obfuscating files and information (using Base64 encoding and custom encryption), deleting files after exfiltration, and modifying timestamps. They often use legitimate Windows tools like certutil for malicious purposes, a tactic known as "living off the land." This can also be done with polyglot files.

Credential Access: Kimsuky actively seeks to steal credentials. They use keyloggers (like the PowerShell-based MECHANICAL), memory dumping tools (like ProcDump), network sniffers (like Nirsoft SniffPass), and modified versions of legitimate tools like PHProxy to capture credentials. They also abuse malicious Chrome extensions to steal passwords and cookies.

Discovery: The group gathers extensive information about compromised systems and networks. They use built-in Windows commands like systeminfo, tasklist, and dir to collect system configurations, running processes, and file structures.

Collection: Kimsuky collects a variety of data, including keystrokes, clipboard data, system information, files, and emails. They often target documents related to their intelligence-gathering objectives.

Command and Control (C2): Kimsuky uses various C2 methods, including modified versions of legitimate remote access software (like TeamViewer), web shells, and custom protocols. They often leverage legitimate cloud services (like Dropbox) for C2 communication.

Exfiltration: The group exfiltrates stolen data through various channels, including email, custom protocols, and cloud storage services. They often encrypt data before exfiltration.

Initial Focus: South Korean government entities, think tanks, and individuals involved in Korean peninsula unification and national security issues.

Expanded Targeting: United States, Japan, Russia, Europe, and other parts of Asia.

Target Sectors:

DEEP#GOSU Campaign (2024): This campaign used multi-stage attacks via deceptive emails with malicious attachments. It employed TruRat, a remote access trojan, for keylogging, clipboard monitoring, and data exfiltration. Payloads were downloaded from legitimate cloud services.

German Missile Manufacturer Phishing Scam (2024): This campaign, used the same lure as the U.S. Defense contractors in the RandomQuery and xRAT attack.

U.S. Defense Contractors (2020): Spearphishing attacks with malicious attachments used RandomQuery and xRAT malware to compromise sensitive defense-related information.

Operation Stolen Pencil (2018-Present): Targets academic institutions with malicious Chrome extensions to steal credentials.

Foreign Ministries and Think Tanks Spearphishing Campaign (Late 2018): Used CVE-2017-0199 and deployed BabyShark malware. Targets included the UN Security Council, the US Department of State, and various think tanks.

2024 DMARC Exploitation: A joint advisory in 2024 highlighted Kimsuky's exploitation of improperly configured DNS DMARC policies to enhance social engineering attempts. They posed as academics, journalists, and experts, using compromised infrastructure and email accounts. It's important to know what is DMARC.

CHM File Exploitation: Recent campaigns have increasingly utilized CHM (Compiled HTML Help) files delivered within archives to bypass initial defenses and execute malicious code.

Email Security: Implement robust email security measures, including advanced threat protection, sandboxing, and email authentication protocols (SPF, DKIM, DMARC). Train users to identify and report phishing emails. Conduct regular phishing simulations. You need to understand Sender Policy Framework(SPF).

Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions with behavioral analysis and machine learning capabilities to detect and block malicious activity. Keep endpoint security software up-to-date.

Network Security: Implement network segmentation to limit lateral movement. Use firewalls, intrusion detection/prevention systems, and network traffic analysis tools to monitor for suspicious activity.

Vulnerability Management: Establish a robust vulnerability management program to identify and patch vulnerabilities in software and systems promptly. Prioritize patching of known vulnerabilities exploited by Kimsuky. Remediating found vulnerabilities is a very important process.

Multi-Factor Authentication (MFA): Enforce MFA for all critical systems and accounts, especially email and VPN access.

User Awareness Training: Regularly train users on cybersecurity best practices, including identifying phishing emails, safe browsing habits, and reporting suspicious activity.

Threat Intelligence: Leverage threat intelligence feeds and reports to stay informed about Kimsuky's latest TTPs, indicators of compromise (IOCs), and targeting patterns.

Incident Response: Develop and regularly test an incident response plan to ensure a swift and effective response to potential breaches. Having a CIRP is very important.

Regular Security Audits: Conduct security assessment, penetration tests and implement robust security configurations.

Disable Unnecessary Features: Disable or restrict features like macros in Microsoft Office and HWP, PowerShell, and other scripting languages if not required.