North Korean hackers target South Korean think tanks via blog posts
A North Korean hacking group has been attacking think tanks in South Korea using malware-laden blog posts.
In a new campaign, tracked since June 2021, the state-sponsored advanced persistent threat (APT) group attempted to install surveillance and data-theft malware on victim machines.
Cisco Talos researchers said on Wednesday that the Kimsuky APT, also known as Thallium or Black Banshee, is responsible for the wave of attacks, in which malicious Blogspot content is used to attract “South Korea-based think tanks whose research focuses on political, diplomatic and military matters concerning North Korea, China, Russia and the United States.”
Specifically, geopolitical and aerospace organizations seem to be on the APT’s radar.
Kimsuky has been active since at least 2012. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory (.PDF) on the APT in 2020, noting that the state-sponsored group is tasked by the North Korean government with “gathering global intelligence.” Previous victims have been located in South Korea, Japan and the United States.
AhnLab says that claim forms, questionnaires and research papers attached to emails have been used in the past as phishing lures, and in the campaign detected by Talos, malicious Microsoft Office documents remain the main attack vector.
Typically, malicious VBA macros are included in documents and when triggered, download payloads from Blogspot.
According to the team, the blog posts host three types of malicious content based on the Gold Dragon/Brave Prince malware family: initial beacons, file stealers, and implant deployment scripts. The latter are designed to infect endpoints and launch further malicious components, including a keylogger, an information stealer, and a file injection module used to steal website login credentials.
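The download stage described above, an Office process reaching out to Blogspot to fetch a payload after a macro fires, is easy to spot in endpoint network telemetry. The following is an added detection example written for this article, not code from Talos or from the campaign; the event line format and the set of Office process names are assumptions, and the log lines are constructed.

```python
import re
from collections import namedtuple

# Office images that should normally never fetch content from a blog host.
# Assumed set for this example; extend it with the document handlers you care about.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Matches blogspot.com itself and any subdomain such as example.blogspot.com.
BLOGSPOT_HOST = re.compile(r"(^|\.)blogspot\.com$", re.IGNORECASE)

Event = namedtuple("Event", "timestamp process dest_host dest_port")

# Constructed line format, not a real EDR/Sysmon schema:
#   <ISO timestamp> process="<image path>" dest=<host>:<port>
LINE_RE = re.compile(r'(\S+)\s+process="([^"]+)"\s+dest=([^:\s]+):(\d+)')

def parse_event(line):
    """Parse one constructed network-connection event; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, image, host, port = m.groups()
    image_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return Event(ts, image_name, host.lower(), int(port))

def is_suspicious(event):
    """An Office process connecting to a Blogspot host matches the macro download stage."""
    return event.process in OFFICE_PROCESSES and BLOGSPOT_HOST.search(event.dest_host) is not None

def find_suspicious(lines):
    """Return the events that match the Office-to-Blogspot pattern, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is not None and is_suspicious(event):
            hits.append(event)
    return hits

# Constructed sample log: one Word and one Excel connection to Blogspot, plus two benign
# lines (a browser reading a blog, a system service updating) that must not be flagged.
SAMPLE_LOG = r"""
2021-06-15T09:12:01Z process="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" dest=example-blog.blogspot.com:443
2021-06-15T09:12:05Z process="C:\Windows\System32\svchost.exe" dest=update.microsoft.com:443
2021-06-15T09:13:10Z process="C:\Program Files\Mozilla Firefox\firefox.exe" dest=news.blogspot.com:443
2021-06-15T09:14:00Z process="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" dest=blogspot.com:80
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.process} -> {hit.dest_host}:{hit.dest_port}")
```

The browser line is deliberately left unflagged: Blogspot traffic is only anomalous when the client is a document handler, which is what makes this rule low-noise.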
While some APTs try to steal all the content they can from an infected machine, Kimsuky has taken a different approach. Instead, the threat actors search for files that are of particular interest to them.
This includes content related to North Korea, denuclearization, US-China-Russia relations, as well as rocket design, aviation fuel research, fluid mechanics and materials science.
“The attackers knew exactly what files they were looking for,” commented Talos. “This indicates that attackers have a deep understanding of their targets’ endpoints, likely obtained from previous compromises.”
The researchers informed Google of their findings and the malicious content on the blog has since been removed. However, this is unlikely to stop Kimsuky’s activities.
“Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea,” the researchers said. “This group has relentlessly created new infection chains to deliver different types of malware to their victims. Such targeted attacks can lead to the leaking of restricted research, unauthorized access for espionage purposes, and even destructive attacks against target organizations.”