Author: Nathan Toporek<\/p>\n
TLP:WHITE<\/p>\n
On October 27, 2020 the Cybersecurity Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the US Cyber Command Cyber National Mission Force (CNMF) published a joint report summarizing multiple OSINT publications that identifies several tactics, techniques, and procedures (TTPs) associated with the North Korean advanced persistent threat group (APT) Kimsuki.1<\/sup> Kimsuki used these TTPs to gather intelligence on behalf of the North Korean government.<\/p>\n The US Government refers to all malicious cyber activity from the North Korean Government as “HIDDEN COBRA.”<\/p>\n The joint report found that Kimsuki has likely been active since 2012, and is likely tasked by the North Korean government with gathering intelligence on a global scale. Kimsuki uses social engineering tactics like spearphishing and watering hole attacks against victims; however, they are most likely to use spearphishing to gain initial access. Their past operations targeted experts, think tanks, and South Korean government groups using lures about foreign political issues, nuclear policy, and sanctions. The report details multiple Kimsuki TTPs, from initial access to exfiltration, each summarized below.<\/p>\n Kimsuki commonly uses spearphishing campaigns to gain initial access. The themes for campaigns often have to do with setting up a Skype interview with the victim where they appear on a television show. The first several emails may not contain malicious attachments, in an effort to build trust. At some point Kimsuki will deliver a malicious payload, and then cancel the interview. Other lures have included topics related to current events or issues of popular interest.<\/p>\n Kimsuki uses the Visual Basic malware family Babyshark to perform command execution via Windows PowerShell.2<\/sup><\/p>\n Kimsuki achieves persistence via malicious browser extensions, augmenting system processes, leveraging the autostart program, using the remote desktop protocol (RDP), and changing files associated with various applications.<\/p>\n Kimsuki performs privilege escalation by editing startup programs, changing file associations, and process injection. They have also used Metasploit’s “Win7Elevate” exploit to escalate privileges.<\/p>\n Kimsuki evades defenses by disabling the Windows firewall and disabling Windows security center service, deleting data after exfiltrating it to remove evidence, using trusted tools like mshta.exe to execute malicious JavaScript or Visual Basic script (VBS) files, and leveraging Metasploit’s “Win7Elevate” exploit yet again to inject code into the Internet Explorer process.<\/p>\n Kimsuki accesses victim credentials with malicious Chrome browser extensions, Windows’ ProcDump<\/em> tool, a PowerShell-based keylogger named MECHANICAL<\/em>, and specially-tailored versions of PHProxy<\/em> (an open-source, PHP-based web proxy).<\/p>\n Kimsuki appears to rely on native operating system commands to gather system information, which they likely exfiltrate to a command and control (C&C) server.<\/p>\n Kimsuki collects victim information via a malicious Hangul Word Processor (HWP) executable, keyloggers, and a Mac OS-specific Python tool designed to infect Mac OS systems. The HWP malware will email the contents of HWP files to actors prior to opening them for the user via a legitimate word processor.<\/p>\n Kimsuki performs C&C via a modified TeamViewer client that disables the firewall and configures several Windows registry keys that affect how the client connects to the server. At another time, Kimsuki will execute this malicious client.<\/p>\n Kimsuki exfiltrates data by encrypting data and emailing it to C&C servers.<\/p>\n CISA, the FBI, and CNMF recommend that users and organizations in Kimsuki’s target profile implement protections against spearphishing, enable multi-factor authentication, and train users on phishing awareness.<\/p>\n The joint report provided multiple domains, and URL paths associated with the Kimsuki APT group.<\/p>\n2. Analysis<\/h3>\n
\u00a0 \u00a0 \u00a02.1. Initial Access (TA0001)<\/h4>\n
\u00a0 \u00a0 \u00a02.2. Execution (TA0002)<\/h4>\n
\u00a0 \u00a0 \u00a02.3. Persistence (TA0003)<\/h4>\n
\u00a0 \u00a0 \u00a02.4. Privilege Escalation (TA0004)<\/h4>\n
\u00a0 \u00a0 \u00a02.5. Defense Evasion (TA0005)<\/h4>\n
\u00a0 \u00a0 \u00a02.6. Credential Access (TA0006)<\/h4>\n
\u00a0 \u00a0 \u00a02.7. Discovery (TA0007)<\/h4>\n
\u00a0 \u00a0 \u00a02.8. Collection (TA0009)<\/h4>\n
\u00a0 \u00a0 \u00a02.9. Command and Control (TA0011)<\/h4>\n
\u00a0 \u00a0 \u00a02.10. Exfiltration (TA0010)<\/h4>\n
3. Prevention and Mitigation<\/h3>\n
4. Indicators of Compromise<\/h3>\n
\u00a0 \u00a0 \u00a04.1. Indicators<\/h4>\n