Threat Alert: Kimsuky

Threat Overview

Threat Type: Malware
Target Industries: Pharmaceutical & Research, Government & Defense, Journalists & Human Rights Groups
Attack Goal: Espionage
Impacted Geo: U.S., Europe, Japan, South Korea & Russia

What's Happening?

The Cybereason Nocturnus Team has identified a newly discovered modular spyware suite dubbed KGH_SPY and a new malware strain dubbed CSPY Downloader. Both are being employed in attacks by the cyber espionage group Kimsuky, which is believed to be operating on behalf of the North Korean regime. This APT group has been observed targeting a wide array of victims, including public and private sector organizations in the U.S., Europe, Japan, South Korea, and Russia.

The target organizations include pharmaceutical and research companies working on COVID-19 therapies, government and defense organizations, journalists, and various human rights groups.


KEY OBSERVATIONS & TTPS

  • New Modular Spyware Suite: KGH_SPY is a modular suite of tools that provides the threat actors with reconnaissance, keylogging, information stealing and backdoor capabilities
  • Stealthy New Malware: CSPY Downloader is a tool designed to evade analysis and download additional payloads
  • New Infrastructure: Newly discovered infrastructure registered between 2019 and 2020 that overlaps with another Kimsuky malware, BabyShark, which was used in the past to target US-based think tanks.
  • Anti-Forensics: The creation/compilation timestamps of the malware in the report appear to have been tampered with and backdated to 2016 in an attempt to thwart forensic investigation.
  • Behavioral and Code Similarities to Other Kimsuky Malware: The newly discovered malware shares various behavioral and code similarities with known Kimsuky malware, including: code signing with a revoked EGIS certificate; shared strings; file naming conventions; string decryption algorithms; PDB paths referencing authors and projects.
  • Undetected by Antivirus: At the time of writing, some of the mentioned tools are not detected by any antivirus vendor except Cybereason.
  • Previous Targets Include: Pharmaceutical/Research companies working on COVID-19 vaccines and therapies; UN Security Council; South Korean Ministry of Unification; various human rights organizations; Korea Institute for Defense Analysis; various education and academic organizations; various think tanks; government research institutes; journalists covering Korean Peninsula relations; South Korean military.
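The anti-forensics observation above (compile timestamps backdated to 2016 while the related infrastructure was registered in 2019-2020) is the kind of inconsistency an analyst can check mechanically. The following is an added example, not code from Cybereason's report: it reads the COFF `TimeDateStamp` out of a PE header and compares it with the date the sample was first seen in your own telemetry. The `max_age` window and the constructed stub PE are assumptions for illustration; in practice the first-seen date and the tolerance come from your own collection.

```python
import struct
from datetime import datetime, timedelta, timezone

# COFF file header that follows the "PE\0\0" signature:
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (all little-endian).
COFF_FMT = "<HHIIIHH"


def build_min_pe(time_date_stamp: int) -> bytes:
    """Constructed test fixture (not a real sample): a DOS header whose e_lfanew
    points straight at a PE signature and a COFF header carrying the given stamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> offset of "PE\0\0"
    coff = struct.pack(COFF_FMT, 0x14C, 0, time_date_stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def pe_time_date_stamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header (after Machine and NumberOfSections).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def assess_compile_time(stamp: int, first_seen: datetime,
                        max_age: timedelta = timedelta(days=3 * 365)) -> str:
    """Classify a compile timestamp against the date the file was first observed.

    'unset'     - stamp is 0; some toolchains and reproducible-build options write
                  no real time, so this is not evidence of tampering by itself.
    'future'    - later than first_seen: impossible as a build time, so either
                  tampered or not a time at all (e.g. a reproducible-build hash).
    'backdated' - older than first_seen by more than max_age (analyst-tuned);
                  worth manual review, as with the 2016 stamps described above.
    'plausible' - within the window.
    """
    if stamp == 0:
        return "unset"
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if compiled > first_seen + timedelta(days=1):
        return "future"
    if compiled < first_seen - max_age:
        return "backdated"
    return "plausible"


def triage(data: bytes, first_seen: datetime) -> dict:
    """Convenience wrapper returning both the decoded time and the verdict."""
    stamp = pe_time_date_stamp(data)
    compiled = (datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
                if stamp else None)
    return {"stamp": stamp, "compiled": compiled,
            "verdict": assess_compile_time(stamp, first_seen)}


if __name__ == "__main__":
    # Constructed scenario mirroring the report: a 2016 stamp on a file first seen in 2020.
    seen = datetime(2020, 10, 1, tzinfo=timezone.utc)
    sample = build_min_pe(int(datetime(2016, 1, 1, tzinfo=timezone.utc).timestamp()))
    print(triage(sample, seen))
```

The check is a triage signal, not proof: a backdated stamp should be weighed together with the other overlaps the report lists (certificate validity window, PDB paths, infrastructure registration dates), since a linker can write any value here.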

Remediation Steps

Endpoint Protection

Disable Office macros and deploy an endpoint protection solution to help mitigate similar attacks.

Training

Consider social engineering awareness training, which is key to preventing such attacks.

Threat Hunting

Periodically and proactively hunt in your environment for potential attacks on sensitive assets.

Prevented & Detected by the Cybereason Defense Platform


CYBEREASON CUSTOMERS

We highly recommend that every customer enable the following features:

  • The Cybereason Defense Platform was able to detect the preliminary stages of the attack and to analyze and prevent the execution of the malicious ransomware payload.
  • If you do not have Cybereason NGAV activated, consider doing so to protect against threats like these.
  • For Cybereason MDR customers, the Cybereason team will monitor and triage, as well as assist in the mitigation of potential infections.
