APT PROFILE – KIMSUKY

Published On : 2024-09-12
Kimsuky is a North Korean state-sponsored threat actor assessed as a moderately sophisticated cyber operator, active since at least 2018. Its primary mission is espionage aligned with the geopolitical interests of the North Korean government, supplemented by financially motivated cybercrime that funds its own operations.

Alias:
Kimsuki, APT43

Motivation:
Espionage

Target Technologies
Office suite software, operating systems, web applications

Targeted Countries
South Korea, the United States, Japan, Vietnam, and European countries (particularly those with ties to NATO)

Recently Exploited Vulnerabilities by Kimsuky

CVE-2024-21338 (Windows AppLocker driver appid.sys, local privilege escalation)
CVE-2021-44228 (Apache Log4j "Log4Shell", remote code execution)
CVE-2017-17215 (Huawei HG532 router, remote code execution)
CVE-2017-11882 (Microsoft Office Equation Editor, remote code execution)
CVE-2020-0787 (Windows Background Intelligent Transfer Service, local privilege escalation)
CVE-2017-0199 (Microsoft Office/WordPad HTA handler, remote code execution)
CVE-2017-0144 (Windows SMBv1 "EternalBlue", remote code execution)

Malware used by Kimsuky: RandomQuery, xRAT, Gold Dragon

MITRE ATT&CK Techniques used by Kimsuky

Reconnaissance:
T1589.002 Gather Victim Identity Information: Email Addresses
T1589.003 Gather Victim Identity Information: Employee Names
T1591 Gather Victim Org Information
T1593.001 Search Open Websites/Domains: Social Media
T1593.002 Search Open Websites/Domains: Search Engines
T1594 Search Victim-Owned Websites
T1598.003 Phishing for Information: Spearphishing Link

Resource Development:
T1583.001 Acquire Infrastructure: Domains
T1583.004 Acquire Infrastructure: Server
T1583.006 Acquire Infrastructure: Web Services
T1584.001 Compromise Infrastructure: Domains
T1585.001 Establish Accounts: Social Media Accounts
T1585.002 Establish Accounts: Email Accounts
T1586.002 Compromise Accounts: Email Accounts
T1587 Develop Capabilities
T1587.001 Develop Capabilities: Malware
T1588.002 Obtain Capabilities: Tool
T1588.005 Obtain Capabilities: Exploits
T1608.001 Stage Capabilities: Upload Malware

Initial Access:
T1078.003 Valid Accounts: Local Accounts
T1133 External Remote Services
T1190 Exploit Public-Facing Application
T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link

Execution:
T1053.005 Scheduled Task/Job: Scheduled Task
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.005 Command and Scripting Interpreter: Visual Basic
T1059.006 Command and Scripting Interpreter: Python
T1059.007 Command and Scripting Interpreter: JavaScript
T1204.001 User Execution: Malicious Link
T1204.002 User Execution: Malicious File

Persistence:
T1053.005 Scheduled Task/Job: Scheduled Task
T1078.003 Valid Accounts: Local Accounts
T1098 Account Manipulation
T1133 External Remote Services
T1136.001 Create Account: Local Account
T1176 Browser Extensions
T1505.003 Server Software Component: Web Shell
T1543.003 Create or Modify System Process: Windows Service
T1546.001 Event Triggered Execution: Change Default File Association
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation:
T1053.005 Scheduled Task/Job: Scheduled Task
T1055 Process Injection
T1055.012 Process Injection: Process Hollowing
T1078.003 Valid Accounts: Local Accounts
T1543.003 Create or Modify System Process: Windows Service
T1546.001 Event Triggered Execution: Change Default File Association
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Defense Evasion:
T1027 Obfuscated Files or Information
T1027.002 Obfuscated Files or Information: Software Packing
T1036 Masquerading
T1036.004 Masquerading: Masquerade Task or Service
T1036.005 Masquerading: Match Legitimate Name or Location
T1055 Process Injection
T1055.012 Process Injection: Process Hollowing
T1070.004 Indicator Removal: File Deletion
T1070.006 Indicator Removal: Timestomp
T1078.003 Valid Accounts: Local Accounts
T1112 Modify Registry
T1140 Deobfuscate/Decode Files or Information
T1218.005 System Binary Proxy Execution: Mshta
T1218.010 System Binary Proxy Execution: Regsvr32
T1218.011 System Binary Proxy Execution: Rundll32
T1550.002 Use Alternate Authentication Material: Pass the Hash
T1553.002 Subvert Trust Controls: Code Signing
T1562.001 Impair Defenses: Disable or Modify Tools
T1562.004 Impair Defenses: Disable or Modify System Firewall
T1564.002 Hide Artifacts: Hidden Users
T1564.003 Hide Artifacts: Hidden Window

Credential Access:
T1003.001 OS Credential Dumping: LSASS Memory
T1040 Network Sniffing
T1056.001 Input Capture: Keylogging
T1111 Multi-Factor Authentication Interception
T1552.001 Unsecured Credentials: Credentials In Files
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1557 Adversary-in-the-Middle

Discovery:
T1007 System Service Discovery
T1012 Query Registry
T1016 System Network Configuration Discovery
T1040 Network Sniffing
T1057 Process Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1518.001 Software Discovery: Security Software Discovery

Lateral Movement:
T1021.001 Remote Services: Remote Desktop Protocol
T1534 Internal Spearphishing
T1550.002 Use Alternate Authentication Material: Pass the Hash

Collection:
T1005 Data from Local System
T1056.001 Input Capture: Keylogging
T1074.001 Data Staged: Local Data Staging
T1114.002 Email Collection: Remote Email Collection
T1114.003 Email Collection: Email Forwarding Rule
T1557 Adversary-in-the-Middle
T1560.001 Archive Collected Data: Archive via Utility
T1560.003 Archive Collected Data: Archive via Custom Method

Command and Control:
T1071.001 Application Layer Protocol: Web Protocols
T1071.002 Application Layer Protocol: File Transfer Protocols
T1071.003 Application Layer Protocol: Mail Protocols
T1102.002 Web Service: Bidirectional Communication
T1105 Ingress Tool Transfer
T1219 Remote Access Software

Exfiltration:
T1041 Exfiltration Over C2 Channel
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Kimsuky’s Recent Campaign Highlights and Trends:

  • In a recent campaign, Kimsuky used a malicious Google Chrome extension, TRANSLATEXT, against South Korean academia. The extension steals email addresses, usernames, passwords and cookies and captures browser screenshots. The group hosted it in an attacker-controlled GitHub repository and removed it shortly afterwards to limit exposure.
  • Kimsuky has also deployed a new Linux backdoor, Gomir, a variant of its GoBear Windows backdoor. Gomir is delivered through trojanized software installers, communicates directly with its C2 server, establishes persistence on the host, and can execute a wide range of operator commands on infected systems.
  • For initial access the group relies on social engineering, chiefly spear-phishing and watering-hole attacks. It also creates social media accounts to monitor potential targets and news relevant to its operations.
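The TRANSLATEXT campaign above maps to T1176 (Browser Extensions), and the practical hunt is to audit what installed extensions are allowed to do. The following is an added detection example written for this profile; it is not code from the original page nor from any vendor analysis of TRANSLATEXT. It assumes Chrome's standard on-disk layout (<profile>/Extensions/<extension-id>/<version>/manifest.json), the permission-to-risk mapping and the scoring thresholds are analyst heuristics chosen here, and the two manifests it scans are constructed samples with placeholder IDs, one benign and one modelled on the capabilities the profile attributes to TRANSLATEXT (cookie, credential and screenshot theft).

```python
"""Audit Chrome extension manifests for the permission set needed for
cookie, credential and screenshot theft (ATT&CK T1176, Browser Extensions).

Added example for this profile, not code from the original page or any
vendor report.  Chrome stores an unpacked copy of every installed extension
under <profile>/Extensions/<id>/<version>/manifest.json; this script scores
those manifests offline.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Permission -> what it lets a malicious extension do.  Constructed analyst
# heuristic, not a Chrome-defined risk rating.
RISKY_PERMISSIONS = {
    "cookies": "read session cookies for any host the extension can access",
    "webRequest": "inspect HTTP requests, including credentials in POST bodies",
    "webRequestBlocking": "modify or redirect HTTP requests in flight",
    "tabs": "enumerate open tabs and their URLs",
    "scripting": "inject scripts into pages to scrape login forms",
    "identity": "obtain the signed-in Google account's OAuth token",
    "clipboardRead": "read clipboard contents, e.g. pasted passwords",
}

# Host patterns granting access to every site.  Together with page access
# they also allow chrome.tabs.captureVisibleTab() screenshots of any page.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) and return the findings."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 field
    # MV2 mixes host patterns into "permissions"; separate them out.
    for entry in list(perms):
        if entry == "<all_urls>" or "://" in entry:
            hosts.add(entry)
            perms.discard(entry)
    # Content scripts run on every page their "matches" pattern covers.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))

    risky = sorted(p for p in perms if p in RISKY_PERMISSIONS)
    broad_hosts = bool(hosts & BROAD_HOST_PATTERNS)
    # Heuristic: one point per risky permission, two for universal host access.
    score = len(risky) + (2 if broad_hosts else 0)
    verdict = "HIGH" if score >= 3 else "MEDIUM" if score >= 1 else "LOW"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": risky,
        "broad_host_access": broad_hosts,
        "score": score,
        "verdict": verdict,
        "reasons": [RISKY_PERMISSIONS[p] for p in risky],
    }


def scan_extensions_dir(extensions_root: Path) -> list[dict]:
    """Walk <root>/<id>/<version>/manifest.json and assess each extension."""
    findings = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parent.parent.name
        result["version"] = manifest_path.parent.name
        findings.append(result)
    return findings


def build_sample_profile() -> Path:
    """Write two constructed manifests into a throwaway Extensions directory.
    The IDs are placeholders, not real Chrome Web Store IDs."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    samples = {
        "benignnotesextensionsample000000": {
            "manifest_version": 3,
            "name": "Quick Notes (constructed benign sample)",
            "version": "1.0",
            "permissions": ["storage"],
        },
        "translatextlikesampleextension00": {
            "manifest_version": 3,
            "name": "Translate Helper (constructed TRANSLATEXT-like sample)",
            "version": "2.1",
            "permissions": ["cookies", "tabs", "webRequest", "storage"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in scan_extensions_dir(build_sample_profile()):
        print(f"{finding['verdict']:6} {finding['id']}  {finding['name']}")
        for reason in finding["reasons"]:
            print(f"        - {reason}")
```

To run this against a live host, point scan_extensions_dir at the real profile directory: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows, ~/.config/google-chrome/Default/Extensions on Linux, or ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS. Two caveats: an extension loaded unpacked in developer mode lives wherever the operator placed it and will not appear under that directory (the extensions.settings entries in the profile's Preferences/Secure Preferences files record every installed extension and its path), and a HIGH verdict is a triage lead, not proof of malice, since legitimate password managers and translation tools request the same permissions. Enterprise environments can close the gap with Chrome's ExtensionInstallBlocklist/ExtensionInstallAllowlist policies.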