US-CERT- AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky

Netwörkheäd · October 27, 2020, 06:12:14 PM

AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky

[html]Original release date: October 27, 2020

Summary

This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the https://attack.mitre.org/versions/v7/techniques/enterprise/">ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group https://attack.mitre.org/groups/G0094/">Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://us-cert.cisa.gov/northkorea">https://www.us-cert.cisa.gov/northkorea.

This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.

https://us-cert.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf">Click here for a PDF version of this report.

Key Findings

This advisory's key findings are:

The Kimsuky APT group has most likely been operating since 2012.

Kimsuky is most likely tasked by the North Korean regime with a global intelligence gathering mission.

Kimsuky employs common social engineering tactics, spearphishing, and watering hole attacks to exfiltrate desired information from victims.[https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">1],[https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">2]

Kimsuky is most likely to use spearphishing to gain initial access into victim hosts or networks.[https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">3]

Kimsuky conducts its intelligence collection activities against individuals and organizations in South Korea, Japan, and the United States.

Kimsuky focuses its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.

Kimsuky specifically targets:

- Individuals identified as experts in various fields,
- Think tanks, and
- South Korean government entities.[https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">4],[https://attack.mitre.org/groups/G0094/">5],[https://www.securityweek.com/north-korea-suspected-cyber-espionage-attacks-against-south-korean-entities">6],[https://attack.mitre.org/groups/G0094/">7],[https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf">8]

CISA, FBI, and CNMF recommend individuals and organizations within this target profile increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spearphishing, use of multi-factor authentication, and user awareness training.

Technical Details

Initial Access

Kimsuky uses various spearphishing and social engineering methods to obtain Initial Access [https://attack.mitre.org/tactics/TA0001/">TA0001] to victim networks.[https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/">9],[https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html">10],[https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf">11] Spearphishing—with a malicious attachment embedded in the email—is the most observed Kimsuky tactic (Phishing: Spearphishing Attachment [https://attack.mitre.org/versions/v7/techniques/T1566/001/">T1566.001]).[https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">12],[https://attack.mitre.org/groups/G0094/">13]

The APT group has used web hosting credentials—stolen from victims outside of their usual targets—to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail.[14]

Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link.
- Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The emails contained the subject line "Skype Interview requests of [Redacted TV Show] in Seoul," and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula.
- After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview.

Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews.[https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">15],[https://blog.malwarebytes.com/threat-analysis/2020/04/apts-and-covid-19-how-advanced-persistent-threats-use-the-coronavirus-as-a-lure/">16],[https://www.cyberscoop.com/north-korea-accelerate-commercial-espionage-meet-kims-economic-deadline/">17]

Kimsuky's other methods for obtaining initial access include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions (Phishing: Spearphising Link [https://attack.mitre.org/versions/v7/techniques/T1566/002/">T1566.002], Drive-by Compromise [https://attack.mitre.org/versions/v7/techniques/T1189/">T1189], Man-in-the-Browser [https://attack.mitre.org/versions/v7/techniques/T1185/">T1185]).[https://attack.mitre.org/groups/G0094/">18]

Execution

After obtaining initial access, Kimsuky uses https://attack.mitre.org/software/S0414/">BabyShark malware and PowerShell or the Windows Command Shell for Execution [https://attack.mitre.org/versions/v7/tactics/TA0002/">TA0002].

BabyShark is Visual Basic Script (VBS)-based malware.
- First, the compromised host system uses the native Microsoft Windows utility, mshta.exe, to download and execute an HTML application (HTA) file from a remote system (Signed Binary Proxy Execution: Mshta [https://attack.mitre.org/versions/v7/techniques/T1218/005/">T1218.005]).
- The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
- The script maintains Persistence [https://attack.mitre.org/versions/v7/tactics/TA0003/">TA0003] by creating a Registry key that runs on startup (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [https://attack.mitre.org/versions/v7/techniques/T1547/001/">T1547.001]).
- It then collects system information (System Information Discovery [https://attack.mitre.org/versions/v7/techniques/T1082">T1082]), sends it to the operator's command control (C2) servers, and awaits further commands.[https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">19],[https://attack.mitre.org/groups/G0094/">20],[https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/">21],[https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/">22]

Open-source reporting indicates BabyShark is delivered via an email message containing a link or an attachment (see Initial Access section for more information) (Phishing: Spearphising Link [https://attack.mitre.org/versions/v7/techniques/T1566/002/">T1566.002], Phishing: Spearphishing Attachment [https://attack.mitre.org/versions/v7/techniques/T1566/001">T1566.001]). Kimsuky tailors email phishing messages to match its targets' interests. Observed targets have been U.S. think tanks and the global cryptocurrency industry.[https://cyware.com/news/babyshark-malware-continues-to-target-nuclear-and-cryptocurrency-industries-40e04829">23]

Kimsuky uses PowerShell to run executables from the internet without touching the physical hard disk on a computer by using the target's memory (Command and Scripting Interpreter: PowerShell [https://attack.mitre.org/versions/v7/techniques/T1059/001/">T1059.001]). PowerShell commands/scripts can be executed without invoking powershell.exe through HTA files or mshta.exe.[https://attack.mitre.org/groups/G0094/">24],[https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/">25],[https://www.mcafee.com/blogs/other-blogs/mcafee-labs/what-is-mshta-how-can-it-be-used-and-how-to-protect-against-it/">26],[https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/">27]

Persistence

Kimsuky has demonstrated the ability to establish Persistence [https://attack.mitre.org/versions/v7/tactics/TA0003/">TA0003] through using malicious browser extensions, modifying system processes, manipulating the autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions.

In 2018, Kimsuky used an extension, which was available on the Google Chrome Web Store, to infect victims and steal passwords and cookies from their browsers (Man-in-the-Browser [https://attack.mitre.org/versions/v7/techniques/T1185/">T1185]). The extension's reviews gave it a five-star rating, however the text of the reviews applied to other extensions or was negative. The reviews were likely left by compromised Google+ accounts.[https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">28]

Kimsuky may install a new service that can execute at startup by using utilities to interact with services or by directly modifying the Registry keys (Boot or Logon Autostart Execution [https://attack.mitre.org/versions/v7/techniques/T1547">T1547]). The service name may be disguised with the name from a related operating system function or by masquerading as benign software. Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution.[https://attack.mitre.org/groups/G0094/">29],[https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/">30]

During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. GREASE is a tool capable of adding a Windows administrator account and enabling RDP while avoiding firewall rules (Remote Services: Remote Desktop Protocol [https://attack.mitre.org/versions/v7/techniques/T1021/001">T1021.001]).[https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia">31]

Kimsuky uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP) documents (.hwp files) in the Registry (Event Triggered Execution: Change Default File Association [https://attack.mitre.org/versions/v7/techniques/T1546/001">T1546.001]). Kimsuky manipulates the default Registry setting to open a malicious program instead of the legitimate HWP program (HWP is a Korean word processor). The malware will read and email the content from HWP documents before the legitimate HWP program ultimately opens the document.[https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">32] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly.[33]

Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source Hypertext Processor (PHP)-based web shells; these web shells enable the APT actor to upload, download, and delete files and directories on the compromised domains (Server Software Component: Web Shell [https://attack.mitre.org/versions/v7/techniques/T505/003">T1505.003]). The actor often adds "Dinosaur" references within the modified web shell codes.[34]

Privilege Escalation

Kimsuky uses well-known methods for Privilege Escalation [https://attack.mitre.org/versions/v7/tactics/TA0004/">TA0004]. These methods include placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code in explorer.exe.

Kimsuky has used Win7Elevate—an exploit from the Metasploit framework—to bypass the User Account Control to inject malicious code into explorer.exe (Process Injection [https://attack.mitre.org/versions/v7/techniques/T1055/">T1055]). This malicious code decrypts its spying library—a collection of keystroke logging and remote control access tools and remote control download and execution tools—from resources, regardless of the victim's operating system. It then saves the decrypted file to a disk with a random but hardcoded name (e.g., dfe8b437dd7c417a6d.tmp) in the user's temporary folder and loads this file as a library, ensuring the tools are then on the system even after a reboot. This allows for the escalation of privileges.[https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">35]

Before the injection takes place, the malware sets the necessary privileges (see figure 1). The malware writes the path to its malicious Dynamic Link Library (DLL) and ensures the remote process is loaded by creating a remote thread within explorer.exe (Process Injection [https://attack.mitre.org/versions/v7/techniques/T1055/">T1055]).[https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/">36]

Figure 1: Privileges set for the injection [https://yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/">37]

Defense Evasion

Kimsuky uses well-known and widely available methods for Defense Evasion [https://attack.mitre.org/versions/v7/tactics/TA0005/">TA0005] within a network. These methods include disabling security tools, deleting files, and using Metasploit.[https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">38],[https://attack.mitre.org/groups/G0094/">39]

Kimsuky's malicious DLL runs at startup to zero (i.e., turn off) the Windows firewall Registry keys (see figure 2). This disables the Windows system firewall and turns off the Windows Security Center service, which prevents the service from alerting the user about the disabled firewall (see figure 2) (Impair Defenses: Disable or Modify System Firewall [https://attack.mitre.org/versions/v7/techniques/T1562/004/">T1562.004]).[https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/">40]