Understanding the Context of Cyber Threats: Lessons from the Kimsuky Group Attack

Seongsu Park
Mar 6, 2023

Kimsuky is the most active cyber threat actor, consistently targeting North Korea-related institutions, companies, media, academia, and other organizations, and even individuals. The technical details related to this article were released on the blog; in this article, I will provide a summary of the attack’s characteristics and highlight important points for responding to such attacks.

Characteristics of the GoldDragon cluster of the Kimsuky group.

In early 2022, the Kimsuky group carried out a sophisticated cyber attack against defense, political, and North Korea-related individuals. The attack had a complicated infection process from the initial infection to exfiltration, and each stage shows the following characteristics:

Attack chain

There were several other characteristics as well:

  1. Typically, it goes through a two-stage or more infection process. It can go through up to five stages or more. Eventually, it delivers the final payload to exfiltrate information.
  2. Scripts with the same function are conveyed to the targets in various formats, including Word documents, HTML Applications, and CHM files.
  3. Different malware, such as scripts designed to harvest information from infected hosts, are employed as required at different stages of the attack.
  4. It also uses legitimate Google blog services for malicious payload hosting.
  5. The final objective of this attack is to gather sensitive information such as user keyboard input, login credentials/cookies stored in the web browser, and screenshots.

Example of full infection chain

Why it’s not easy to understand the overall process of recent cyber attacks.

It is a challenging task to understand the overall process of recent cyber attacks, as attackers tend to minimize the exposure of their tools. Likewise, it was daunting for me to gather and analyze the entire infection process of the above case. The reasons for this are as follows:

  1. It is difficult to find all the malware used at each stage of the attack. Even if the URL from which the payload is downloaded is obtained, I can’t obtain the payload just by accessing the URL.
  2. Even if some malware is identified, it is challenging to establish connections between each object, which makes it difficult to confirm the complete infection process.
  3. Attackers also attempt to minimize unnecessary exposure of malware and infrastructure as much as possible.

I was fortunate to have the opportunity to analyze the data of the attacker’s C2 server and understand how they minimize their exposure. Throughout the entire infection process, the attacker’s server undergoes several verification steps:

  1. Email address check: Upon the victim clicking on a link sent via spearphishing, the server receives the email address and verifies whether the email belongs to the intended target.
  2. IP address check: If the email address check described above is successful, the server saves the client’s IP address and delivers the malicious document. If the check fails, the server delivers a legitimate document instead. Once the macro in the delivered malicious document is executed, the server checks to ensure that the client’s IP address matches the previously recorded (email link clicked) IP address.
  3. Custom user-agent check: The script downloaded by the malicious document uses a User-Agent name similar to Chrome, called “chnome,” and the server delivers the next payloads only when the User-Agent contains the string “chnome.”

Victim validation from server side

In this way, the attacker performs several verification steps on the server before delivering the next stage payload, effectively minimizing the exposure of their tools and delivering them only to the intended targets. As security technology advances, attackers are also striving to minimize their exposure and prolong the usage time of their infrastructure. As a result, it is significantly challenging to understand the entire attack process.
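Seen from the defender's side, the custom User-Agent check described above leaves a network-visible artifact: a browser product token that is one character off from a real one. The following is an added example, not code from the original article, and it generalizes from “chnome” to any token one edit away from a common browser token. The proxy log format, hosts, IP addresses and full User-Agent strings are constructed for illustration.

```python
import re

# Product tokens real browsers send. A token one edit away from any of these
# (the article's "chnome" vs "chrome") is almost never a legitimate client.
KNOWN_TOKENS = ("mozilla", "chrome", "safari", "firefox", "applewebkit", "gecko", "opera", "edge")

# Constructed proxy log format: time client_ip "METHOD url" status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

# Constructed sample lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = """\
2022-01-10T09:01:12Z 192.0.2.10 "GET http://news.example.test/index.html" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
2022-01-10T09:03:40Z 192.0.2.23 "GET http://host.example.test/stage2" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chnome/97.0.4692.71 Safari/537.36"
2022-01-10T09:04:02Z 192.0.2.31 "GET http://cdn.example.test/app.js" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Gecko/20100101 Firefox/96.0"
2022-01-10T09:05:55Z 192.0.2.23 "POST http://host.example.test/upload" 200 "chnome"
"""

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_token(user_agent):
    """Return (token, imitated_name) for the first near-miss token, else None."""
    for token in re.findall(r"[A-Za-z]{4,}", user_agent):
        low = token.lower()
        if low in KNOWN_TOKENS:
            continue  # exact matches are normal browser traffic
        for known in KNOWN_TOKENS:
            if edit_distance(low, known) == 1:
                return token, known
    return None

def scan(log_text):
    """Return one finding per log line whose User-Agent has a look-alike token."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hit = lookalike_token(m.group(6)) if m else None
        if hit:
            findings.append({"time": m.group(1), "client": m.group(2),
                             "url": m.group(4), "token": hit[0], "imitates": hit[1]})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit identifies a client to pivot on: the same host's earlier document download and its later requests belong to the other stages of the chain.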

The significance of full-context-based responses.

Despite the increasing complexity and modularity of attacks, comprehending the entire attack process remains crucial. Knowing how to respond at each attack stage and expanding the defenses is essential.

At which stage of the attack are the threat actors allocating more of their resources? The following chart shows the number of malware samples discovered at each stage while researching the above Kimsuky campaign. There were 45 malware samples in the first stage, 32 in the second stage, and 4 in the final stage. The malware author spent a lot of time and effort on creating the malware in the first stage (weaponized documents delivered by email). The malware in the final stage, which is in Windows executable format, is not easily discovered and can even be used for months or years. After successfully infecting the target in the first stage and gaining significant control over the host, the actor can implement measures to hinder the detection of the next-stage malware, such as disabling the antivirus or altering security configurations.

Number of malware at each stage

Many security companies seem to be concentrating on the malware used in the initial stage of the attack, and the visibility of the malware in the final stage is relatively low. Consequently, the malware in the final stage remains less exposed and is challenging for security solutions to detect. As a result, attackers can conveniently reuse the final-stage malware without much effort to evade detection.

As another example, the slide below shows malicious document files and the Visual Basic script they generate, which was employed by the Kimsuky group. The document files were created continuously and distributed based on various themes from May to November 2021. Nonetheless, the script file created by the documents retained the same form and was employed for almost a year. If the focus were only on detecting the document file in the initial stage, it could result in a scenario where the attack becomes undetectable at some point. If there had been a detection plan for the script in the second stage, however, it would have been possible to detect the attack for a year. That’s why it is crucial to understand the whole attack process and have a response plan for each stage. In this scenario, the response plan for the first stage has a short lifespan, while the response plan for the final stage has a longer lifespan.

Update cycle of Kimsuky’s malware at each stage

This is not a characteristic unique to the Kimsuky group. In the case of the BlueNoroff group, which primarily attacks the cryptocurrency industry, a large number of malware samples are found in the initial stage. On the other hand, a very small number of malware samples are found in the final stage, and that malware is known to change very slowly. As illustrated in the chart below, a total of 62 malware samples were discovered in the first stage, of which 42 were uploaded to VirusTotal. Conversely, only two Stealer malware samples, which are used to extract information in the final stage, were identified, and they were not uploaded to VirusTotal. Many malware samples used in the first stage are discovered, and attackers tend to put more effort into creating their malicious programs for the first stage. Therefore, if the defense focuses only on the first stage, it is inevitable that the defense will fail.

Number of discovered BlueNoroff malware at each stage

As cyberattacks become increasingly sophisticated and progress through many stages, relying on a mitigation plan that concentrates on only one stage is likely to be inadequate. Specifically, a response that concentrates solely on the initial stage of the attack is prone to falling short. To effectively defend against cyberattacks, it is essential to have a comprehensive understanding of the entire attack process and to develop measures that can detect and respond at each stage.
