Exposing the Steps of the Kimsuky APT Group

Kimsuky, also known as Black Banshee, is a North Korean cyber threat actor that has garnered significant attention in the cybersecurity community for its targeted and persistent espionage campaigns. Operating under the direction of the North Korean government, Kimsuky has been active since at least 2013, specializing in intelligence gathering and information theft. Its primary targets include organizations and individuals involved in political, economic, and military affairs, particularly in South Korea and other nations with strategic interests in the Korean Peninsula. In this blog, we are going to explain the origins of the Kimsuky APT, their notable attacks, and adversarial behavior observed in the wild. 

If you want to dive directly into the tactics, techniques, and procedures—supported by real-life command examples—used by the Kimsuky APT, scroll down to the respective section.

Origins and Affiliations of the North Korean Threat Actor Kimsuky 

Kimsuky, also known by aliases such as Velvet Chollima, Black Banshee, THALLIUM, and Emerald Sleet, is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. Initially, Kimsuky concentrated its cyber espionage efforts on South Korean government entities, think tanks, and experts in various fields. Over time, the group expanded its operations to target organizations in the United States, Japan, Russia, and Europe, including sectors like government, education, business services, and manufacturing. 

Kimsuky’s Malware Arsenal: RandomQuery, xRAT, Gold Dragon

Kimsuky has demonstrated a notable evolution in their cyber-espionage tactics and toolsets. Initially, their operations relied on basic social engineering and rudimentary malware. However, as global cybersecurity defenses advanced, Kimsuky adapted by refining their tools and techniques. They have utilized malware such as RandomQuery, xRAT, and Gold Dragon to infiltrate systems and exfiltrate sensitive data.

In recent campaigns, we are seeing that Kimsuky has combined open-source remote access tools like xRAT with their custom backdoor, Gold Dragon, to execute multi-stage attacks that are both stealthy and effective. xRAT enables keylogging, remote shell access, and file management, facilitating initial system compromise and data collection. Following this, Gold Dragon is deployed to establish persistence and carry out further exfiltration of information.

This strategic integration of commodity and custom malware highlights Kimsuky's adaptability and focus on geopolitical espionage. Unlike threat actors motivated by financial gain, Kimsuky’s operations emphasize intelligence gathering, particularly in politically sensitive contexts. Their ability to rapidly adjust to evolving defensive measures continues to make them a persistent and sophisticated threat in the cybersecurity landscape.

Notable Cyber Incidents & Victimology of Kimsuky APT Group

Below are some significant incidents attributed to Kimsuky, showcasing their methodologies and the impacts of their attacks.

Incident 1: DEEP#GOSU Campaign (2024)

In early 2024, the North Korean cyber-espionage group Kimsuky launched the DEEP#GOSU campaign, targeting Windows systems with a sophisticated, multi-stage attack [1]. The operation began with deceptive emails containing malicious attachments that, when opened, executed PowerShell and VBScript scripts. These scripts downloaded additional payloads from legitimate cloud services like Dropbox, including remote access trojans such as TruRat, enabling attackers to gain full control over compromised systems. 

The malware's capabilities encompassed keylogging, clipboard monitoring, and data exfiltration, all while employing advanced evasion techniques to blend into regular network traffic, making detection challenging.

Incident 2: U.S. Defense Contractors (2020)

In 2020, the North Korean cyber-espionage group Kimsuky targeted U.S. defense contractors to access sensitive military technologies and strategies. They employed spear-phishing campaigns, sending emails with malicious attachments to infiltrate networks. Once inside, they used malware such as RandomQuery and xRAT to establish control over compromised systems and exfiltrate data. This breach compromised sensitive defense-related information, potentially impacting national security and military readiness.

Analyzing Kimsuky's Advanced Tactics, Techniques, and Procedures (TTPs)

Kimsuky, a North Korean threat actor, has demonstrated a sophisticated array of tactics, techniques, and procedures (TTPs) that align with the MITRE ATT&CK framework. This section provides a comprehensive analysis of these TTPs, offering insights into how Kimsuky operates and the tools they employ.

Initial Access - ATT&CK TA0001

Spear Phishing Attachment - MITRE T1566.001

Kimsuky APT frequently uses spear phishing emails with malicious links & attachment to gain initial access to target systems. These emails often masquerade as legitimate communications from trusted sources, enticing recipients to open the attachments, which then execute malicious payloads. 

For instance, reported in early December, Kimsuky APT has been observed to launch a sophisticated spear phishing campaign aimed at credential theft by abusing legitimate email services like VK’s Mail.ru and compromised servers such as Evangelia University’s [3]. Initially targeting users in Japan and Korea, the attackers later shifted to spoofing Russian domains (e.g., mail.ru, bk.ru) to bypass security checks and appear credible. These emails often impersonated financial institutions or services like Naver’s MYBOX, using false urgency about malicious files to lure victims into clicking on phishing links. 

Employing tools like PHPMailer and Star, Kimsuky leveraged compromised infrastructure to deliver phishing messages, ultimately seeking to hijack accounts for follow-on attacks. Their techniques, including exploiting misconfigured DNS DMARC policies, highlight their expertise in evading detection through email-oriented social engineering.

Execution - ATT&CK TA0002

Command and Scripting Interpreter: Unix Shell (MITRE T1059.004) & Visual Code (MITRE T1059.005)

The provided script is written in Batch scripting, a scripting language used for automating tasks on Windows systems via the command prompt. Batch scripts execute commands in sequence and are commonly used for system maintenance, task scheduling, and automation.

This script appears to check for and potentially manipulate a scheduled task named "SafeBrowsing." If the task exists, it skips the creation step and proceeds with other actions. If the task does not exist, it creates a new scheduled task to run a file named emlmanager[.]vbs every two minutes. So, we also see the proof of T1059.005 Visual Code subtechnique being used here.

Additionally, the script checks for the presence of a file named 9583423[.]bat (see the Discovery section to see the content of the file), executes it if it exists, and then deletes it. Lastly, it calls two other batch files (4959032[.]bat and 5923924[.]bat) and uses a variable l to define a URL (hxxps://niscarea[.]com).

Command and Scripting Interpreter: PowerShell - MITRE T1059.001 

Kimsuky leverages PowerShell scripts to execute commands on compromised systems. This technique allows them to perform a variety of tasks, including downloading additional payloads and executing them without writing to disk, thus evading detection [5].

For instance, the following PowerShell command is used by Kimsuky APT to set up the connection to the C2 server with the right path.

Persistence - ATT&CK TA0003

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (MITRE T1547.001)

Kimsuky’s campaigns frequently involve the creation of a VBScript designed to gather detailed system information, including OS specifications, running processes, and directory contents. This collected data is then exfiltrated to a Command-and-Control (C2) server. To ensure persistence, the script’s execution path is added to the Windows Registry Run key, enabling it to automatically execute every time the user logs in.

Here's how it works:

Registry Run Key Modification

Kimsuky adds entries to the Windows Registry under paths like HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The following registry key modification command is taken from a script written by Kimsuky APT.

With this command, a new entry is created in the Windows Registry under the Run key for the current user (HKCU, which stands for HKEY_CURRENT_USER). This registry location is utilized by Windows to specify which programs should launch automatically during startup. The command ensures that the decoded VBScript executes each time the user logs in, establishing persistence on the compromised system.

Obfuscation and Concealment

To avoid detection, the added Registry entry often points to a file with a randomly generated or misleading name (e.g., a benign-sounding document or system-related file). The associated file (e.g., a VBScript) is typically Base64-encoded during deployment, making it harder for defenders to immediately recognize malicious content.

Living-Off-The-Land Tools

Kimsuky uses legitimate tools such as reg.exe to programmatically add or modify Registry keys. This approach minimizes the footprint of custom malware and takes advantage of trusted system utilities to bypass defenses.

Execution Flow

Upon system login, Windows checks the Run keys and executes the files or scripts referenced in those keys.Kimsuky leverages this mechanism to run their payloads stealthily, maintaining control of the infected system.

Privilege Escalation - TA0004

Process Injection - T1055

Kimsuky employs several sophisticated techniques for privilege escalation, leveraging well-known vulnerabilities and tools to gain elevated access and maintain persistence on compromised systems. One notable approach is the use of the Win7Elevate exploit from the Metasploit framework. This exploit bypasses User Account Control (UAC), enabling malicious code injection into the explorer.exe process, a trusted and continuously running Windows process. This method not only ensures stealth but also allows the malware to inherit higher privileges indirectly.

After injecting malicious code into explorer.exe, the malware decrypts its payload—a set of spying tools including keyloggers and remote access utilities. This payload is dynamically extracted from the malware’s resources, regardless of the victim’s operating system. The decrypted file is then saved to the disk using a random but hardcoded name, such as dfe8b437dd7c417a6d[.]tmp, and stored in the user’s temporary folder. This ensures persistence even after a system reboot.

To complete the injection, the malware configures necessary privileges and writes the path to the malicious Dynamic Link Library (DLL). It then creates a remote thread within the explorer[.]exe process to load and execute the DLL. This clever use of Process Injection (T1055) provides both stealth and privilege escalation, making it challenging for defenders to detect and mitigate.

Defense Evasion - ATT&CK TA0005

Obfuscated Files or Information - MITRE T1027

The group employs obfuscation techniques to hide the true nature of their malware. This includes encoding scripts and using packers to compress and encrypt payloads, making them harder to detect by antivirus solutions [3].

The command begins by echoing an obfuscated Base64 string to a file and then decodes it using the certutil tool, a legitimate Windows utility.

The decoded text is as the following:

The deobfuscated string enables Kimsuky to establish communication with a C2 server, allowing the group to download and execute additional malicious payloads dynamically. This functionality gives them flexibility to adapt their attacks, deploying tools such as keyloggers or data exfiltration scripts as needed. By using the Execute function to run code directly from the C2, Kimsuky achieves stealth and avoids leaving static malicious files on the system, aligning with their focus on targeted espionage and long-term persistence.

Credential Access - ATT&CK TA0006

Credential Dumping - MITRE T1003

Kimsuky employs various techniques for credential access, leveraging legitimate tools and methods to evade detection. They use memory dump utilities like ProcDump to extract credentials offline, avoiding reliance on traditional malware. ProcDump, commonly used for crash dumps, is repurposed to capture process memory for credential harvesting, often embedded in their BabyShark malware.

Additionally, Kimsuky abuses a malicious Chrome extension to steal passwords and cookies directly from browsers. Through spearphishing emails, victims are tricked into installing the extension, which exfiltrates credentials and cookies while executing JavaScript from external servers. This combination of tools and tactics allows Kimsuky to efficiently harvest sensitive credentials from compromised systems.

Discovery - ATT&CK TA0007

System Information Discovery - MITRE T1082

Once inside a network, Kimsuky conducts information gathering about the system environment. This includes querying system configurations, installed software, and network settings to tailor their attack strategy.

The following is a .bat script (9583423.bat) directly used by Kimsuky APT in 2024.

Kimsuky leverages System Information Discovery to gather detailed information about the target environment after initial access. This includes extracting system configurations, running processes, and user-specific file details to refine their attack strategy. This .bat script highlights their approach, using commands like systeminfo, tasklist, and dir to collect system information and directory contents, storing results in text files. 

Collection - ATT&CK 0009

Input Capture: Keylogging - MITRE T1056.001

Kimsuky employs keylogging subtechnique by using a PowerShell-based keylogger named MECHANICAL, alongside network sniffing tools like Nirsoft SniffPass, to harvest credentials and monitor user input. Here's how these tools are utilized:

MECHANICAL Keylogger:

• Keystroke Logging: MECHANICAL monitors and logs keystrokes, capturing sensitive input such as usernames, passwords, and other critical data entered by the victim.

• Data Storage: The logged keystrokes are saved to files in the %userprofile%\appdata\roaming\ directory, specifically using obfuscated filenames like apach.{txt,log}, making detection more challenging.

• Cryptojacking Functionality: Beyond keylogging, MECHANICAL is also a cryptojacker, covertly leveraging the victim's system resources to mine cryptocurrency, adding an additional monetization layer to Kimsuky’s operations.

Nirsoft SniffPass:

• Network Credential Harvesting: This tool captures passwords transmitted over non-secure protocols by sniffing network traffic. It is particularly effective in environments where traffic lacks encryption, such as HTTP or basic SMTP/POP3 email protocols.

PHProxy for Web Traffic Monitoring:

• Credential Interception: Kimsuky uses modified versions of PHProxy to act as a web proxy, intercepting and analyzing traffic between the victim and accessed websites. This allows them to capture credentials and other sensitive input entered during web sessions.

• Stealth Operations: By using a web proxy, Kimsuky can operate discreetly, making it difficult for victims to detect the interception.

Command and Control - ATT&CK TA0011

Kimsuky employs a range of sophisticated Command and Control techniques to maintain persistent and covert access to compromised systems. Their approach primarily leverages modified legitimate tools and tailored configurations to evade detection and facilitate remote control. Below is an explanation of the key techniques used:

Modified TeamViewer for Remote Access: Remote Access Software - MITRE T1219

Kimsuky uses a modified version of the TeamViewer client (v5.0.9104) to establish remote access. During the initial infection, they create a service named “Remote Access Service”, configured to execute the file vcmon.exe on system startup. This ensures persistence using the Boot or Logon Autostart Execution (T1547.001) technique.

Impair Defenses: Disable or Modify System Firewall - MITRE T1562.004

When vcmon.exe runs, it disables the system firewall by modifying specific Registry values, effectively impairing the system’s defenses. This allows Kimsuky’s operations to proceed uninterrupted by local security measures.

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - MITRE T1547.001

Kimsuky modifies TeamViewer-related Registry settings, including the SecurityPasswordAES value, which stores a hashed password. By pre-configuring this value, the attackers ensure a pre-shared authentication mechanism is in place, enabling them to connect to the compromised system without triggering typical security alerts.

Application Layer Protocol: Web Protocols - MITRE T1071.001

Kimsuky uses URLs with consistent formats, such as express[.]php?op=1, which include an operational range from 1 to 3, possibly indicating different commands or operational modes. This structured approach simplifies communication while obfuscating malicious intent within seemingly legitimate traffic.

By leveraging these techniques, Kimsuky maintains stealthy and reliable C2 operations, enabling them to exfiltrate data and execute additional stages of their campaigns.

Exfiltration - ATT&CK TA0010

Here are the MITRE ATT&CK technique numbers associated with the Exfiltration methods used by Kimsuky:

Exfiltration Over Alternative Protocol - T1048

Sending stolen data through email or custom RC4-encrypted channels.

Archive Collected Data - T1560

Encrypting and archiving stolen data on the victim's machine before exfiltration.

Email Collection: Email Forwarding Rule - T1114.003

Setting up auto-forward rules in victim email accounts to exfiltrate data via email.

Encrypted Channel: Symmetric Cryptography - T1573.001

Using RC4 encryption with MD5 hashes or randomly generated buffers to secure data transmission.

Data Staged: Local Data Staging - T1074.001

Storing RSA-encrypted data files in specific system directories (e.g., C:\Program Files\Common Files\System\Ole DB\) for later exfiltration.

These techniques reflect Kimsuky’s focus on efficient and covert exfiltration methods, emphasizing secure transmission and minimal disruption to the victim's network.

The tactics and techniques employed by Kimsuky are validated against the MITRE ATT&CK framework, ensuring a comprehensive understanding of their operational methods. Each technique is grounded in the sources provided, offering a factual and detailed account of Kimsuky's cyber activities.

How Does Picus Help Against Kimsuky APT Threat Group?

We strongly suggest simulating APT groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.  

Picus Threat Library includes the following threats for Kimsuky APT group.

Mitigation and Defense Strategies

Kimsuky stands out as a persistent and sophisticated adversary. Known for its targeted attacks primarily against South Korean entities and other geopolitical targets, Kimsuky employs a range of TTPs that require robust defense mechanisms. 

This section outlines actionable strategies to mitigate the threats posed by Kimsuky, drawing insights from various research sources.

Strengthening Email Security

Given Kimsuky's reliance on spear-phishing, enhancing email security is a critical first step. Organizations should implement advanced email filtering solutions that can detect and block malicious attachments and links. Training employees to recognize phishing attempts is equally important. Regular phishing simulations can help reinforce this training and reduce the likelihood of successful attacks.

Network Segmentation and Monitoring

Network segmentation limits the lateral movement of attackers within an organization. By dividing the network into isolated segments, organizations can contain potential breaches and protect sensitive data. Continuous network monitoring is also essential. Tools that provide real-time alerts on suspicious activities can help detect and respond to intrusions quickly. Monitoring for unusual IP addresses and traffic patterns can be particularly effective against Kimsuky's operations.

Regular Software Updates and Patch Management

Keeping software up to date is a fundamental defense strategy against any cyber threat, including Kimsuky. Regularly applying patches to operating systems, applications, and security software can close vulnerabilities that Kimsuky might exploit. Automated patch management solutions can help ensure that updates are applied promptly across all systems.

Advanced Endpoint Protection

Deploying advanced endpoint protection solutions can help detect and block malicious activities on individual devices. These solutions often include capabilities such as behavioral analysis and machine learning to identify and respond to threats in real time. According to [3], such technologies are crucial in defending against Kimsuky's sophisticated multi-stage attack campaigns.

Conclusion

Kimsuky, also known as Black Banshee, remains one of the most persistent and sophisticated state-sponsored cyber threat groups. Its targeted espionage campaigns, driven by geopolitical motives, showcase a refined arsenal of tools, techniques, and procedures designed to infiltrate, persist, and exfiltrate sensitive data. From leveraging spear-phishing and credential harvesting to employing stealthy malware and obfuscation techniques, Kimsuky continues to adapt to evolving defenses.

Through real-world examples, such as the DEEP#GOSU campaign and attacks on U.S. defense contractors, Kimsuky demonstrates a strategic focus on intelligence gathering and disruption. Their use of MITRE ATT&CK-aligned tactics, including keylogging, system discovery, and process injection, highlights their technical sophistication and ability to evade detection.

The group’s operational methodologies underline the importance of robust cybersecurity measures, including proactive threat hunting, regular system updates, network segmentation, and enhanced email security. By understanding Kimsuky’s techniques and building defenses aligned with their tactics, organizations can better mitigate the risks posed by this advanced threat actor.

In an ever-evolving cyber landscape, continued vigilance and adaptability are critical to countering threats like Kimsuky and protecting critical assets and information.

Indicators of Compromise (IOCs)

SHA256 Hashes

• 081804B491C70BFA63ECDBE9FD4618D3570706AD8B71DBA13E234069648E5E48
• 0B5DB31E47B0DCCFDEC46E74C0E70C6A1684768DBACC9EACBB4FD2EF851994C7
• 15D53BB839E00405A34A8B690EC181F5555FC4F891B8248AE7FA72BAD28315A9
• 1617587CCDF5B0344089559ECF8FE7D39F6E07A6A64F74F2B44BFA2C8CB67983
• 1B75F70C226C9ADA8E79C3FDD987277B0199928800C51E5A1E55FF01246701DB
• 2360A69E5FD7217E977123C81D3DBB60BF4763A9DAE6949BC1900234F7762DF1
• 2546D239A262C24A6F8EA01D890CBC459A22DB79B379B6EC3B24FBB56EFB5381
• 3C8DBFCBB4FCCBAF924F9A650A04CB4715F4A58D51EF49CC75BFCEF0AC258A3E
• 3EA2EAD8F3CEC030906DCBFFE3EFD5C5D77D5D375D4A54CCA03BFE8A6CB59940
• 46A5D54C264152CE915792AF31C75824A558AF7D7340D78B34E146D8C6249E79
• 479038EB12ED07893EE0DCC04FBDCF182489BBB271F5A4F90F83874881A80CE3
• 492A643BD1EFDACA4CA125ADE1B606E7BBF00E995AC9115AC84D1C4C59CB66DD
• 5009C7D1590C1F8C05827122172583DDF924C53B55A46826ABF66DA46725505A
• 5C907B722C53A5BE256DC5F96B755BC9E0B032CC30973A52D984D4174BACE456
• 5E40D106977017B1ED235419B1E59FF090E1F43AC57DA1BB5D80D66AE53B1DF8
• 60666CACDD6806ED05771F32EAA719E3EFD2F4DB55F28A447D383C3EAC1DC72E
• 63FB47C3B4693409EBADF8A5179141AF5CF45A46D1E98E5F763CA0D7D64FB17C
• 689CFAA9319F3F7529A31472ECF6B2E0CA6891B736DE009E0B6C2EBAC958CC94
• 69C917EA96DB28DBD5B67073CA0AAC234D25651A849171B45F20979EAFA05A1C
• 6C121F2B2EFA6592C2C22B29218157EC9E63F385E7A1D7425857D603DDEF8C59
• 7667D1B8FCC4F712084E3E3F8B4AB505AB150C52AEA7B219249EC508B4B0E224
• 87C5D0C93B80ACF61D24E7AAF0FAAE231AB507CA45483AD3D441B5D1ACEBC43C
• 89CAD9A57985CC0AB3B7403A943AD0AA7B167DC7A3C38557417FEDEA67A77B87
• 8BFA4FE0534C0062393B6A2597C3491F7DF3BF2EABFE06544C53BDF1F38DB6D4
• 91EAF215BE336EAE983D069DE16630CC3580E222C427F785E0DA312D0692D0FD
• 927B3564C1CF884D2A05E1D7BD24362CE8563A1E9B85BE776190AB7F8AF192F6
• 973F7939EA03FD2C9663DAFC21BB968F56ED1B9A56B0284ACF73C3EE141C053C
• 99DBC6FE3C3E465052FCEFA1642861747DC9E069EEB244589B605BD710B1E0D1
• A03D13C9825E150810E6E6AAF053D71EC5A53B86581414DD982A74D4A8BC5475
• A64FA9F1C76457ECC58402142A8728CE34CCBA378C17318B3340083EEB7ACC67
• B72CAAB78D164637FEA0937D7A94FC470579EC6BB4FA87DADB6F0FA7826E217C
• BCE1EB513AAAC344B5B8F7A9BA9C9E36FC89926D327EE5CC095FB4A895A12F80
• BFD74B4A1B413FA785A49CA4A9C0594441A3E01983FC7F86125376FDBD4ACF6B
• C6A48365C3DB9761BD60981BDCDD87ACED23D8E60067CAA30FEE501BF4B47B84
• C7F4AA77BE7F7AFE9D0665D3E705DBF7794BC479BB9C44488C7BF4169F8D14FE
• C83C7B000A955F2B8CB92BB112ED606FFD9FBEBBE3422F80D90D06B167F2F37B
• C9A7B42C7B29CA948160F95F017E9E9AE781F3B981ECF6EDBAC943E52C63FFC8
• CBF4CFA2D3C3FB04FE349161E051A8CF9B6A29F8AF0C3D93DB953E5B5DC39C86
• D8565D58AD8E4F5558B5CD70DF0AD12BE9CF44E32AD07AAAC6F65B816EDBF414
• DB6A9934570FA98A93A979E7E0E218E0C9710E5A787B18C6948F2EEDD9338984
• E6BBC33815B9F20B0CF832D7401DD893FBC467C800728B5891336706DA0DBCEC
• F1713AFAF5958BDF3E975EBBAB8245A98A84E03F8CE52175EF1568DE208116E0
• F262588C48D2902992FFD275D2BE6362FE7F02E2F00A44AB8C75AC1A2827C6E9
• F3B0DA965A4050AB00FCE727BB31E0F889A9C05D68D777A8068CFC15A71D3703
• FEE4F9DABC094DF24D83EC1A8C4E4FF573E5D9973CAA676F58086C99561382D7

References

[1] “[No title].” Available: https://hivepro.com/wp-content/uploads/2024/03/The-Evolution-of-DEEPGOSU-Attack-Campaign-by-Kimsuky-Group_TA2024108.pdf. [Accessed: Dec. 26, 2024]

[2] “Website.” Available: https://www.securityweek.com/north-korea-hackers-linked-to-breach-of-german-missile-manufacturer/

[3] The Hacker News, “North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks,” The Hacker News, Dec. 03, 2024. Available: https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html. [Accessed: Dec. 23, 2024]