The researchers affirmed that the new findings show how the threat group’s spyware capabilities have grown. The new Kimsuky modules make the KGH malware stronger and stealthier, as several security teams investigating this APT group have observed.
This malware module was detected shortly after the US government published an advisory regarding a “global intelligence gathering mission” run by North Korean state-sponsored hackers.
However, this malware was first detected by Kaspersky researchers in 2013. Its current activity has now been described and analyzed by ESTsecurity and by the research team at Cybaze ZLab.
Kimsuky Infrastructure
Kimsuky has been active since 2013 and has recently been updated with new features. The group is known for its complex infrastructure, which uses free-registered domains, negotiated domains, and private domains registered by the group.
Kimsuky deliberately uses an array of malware in each of its operations. However, the infrastructure used by Kimsuky can be traced by looking for the recurring pattern in the URI structures used by its tools.
KGH Spyware Suite
Earlier, Cybereason Nocturnus identified a new malware suite named “KGH”, which includes several modules that operate as spyware. Research by Ahnlab in 2017 detected a possible link to North Korean attacks that directly refers to the name “KGH.” However, it is still unclear whether it is associated with the same malware authors.
Targets
The targets of this malware are listed below:-
- Pharmaceutical/Research companies working on COVID-19 vaccines and therapies
- UN Security Council
- South Korean Ministry of Unification
- Various Human Rights Groups
- South Korean Institute for Defense Analysis
- Various Education and Academic Organizations
- Various Think Tanks
- Government Research Institutes
- Journalists covering Korean Peninsula relations
- South Korean Military
KGH Spyware Payloads & Commands
The payloads observed to be downloaded and released are listed below:-
- Drops KGH backdoor and creates persistence to msic.exe and drops
- Loads and executes msfltr32.dll
- KGH backdoor capabilities
- KGH-Browser Stealer
The KGH backdoor commands are listed below:-
- upf: It uploads the files to the C2
- tre: It creates a list of all files on the system using the “tree” command
- wbi: It downloads the “m.dll” browser stealer module and exfiltrates all stolen data
- cmd: It executes a cmd shell command
- pws: It executes a PowerShell command
Information Stolen by the Infostealer Module
The infostealer module steals the following stored information:-
- Browsers: Chrome, IE / Edge, Firefox, Opera
- WinSCP Client
- Windows Credential Manager
- Mozilla Thunderbird Mail Client
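The backdoor command set (tre, cmd, pws) and the infostealer’s interest in browser credential stores both leave traces in endpoint telemetry. The following is an added detection example, not code from the article or from Cybereason’s report: it scans a small constructed process/file event log for the file names the article associates with KGH (msic.exe, msfltr32.dll, winload.exe, m.dll), for the child processes those commands spawn, and for non-browser processes reading browser credential stores. The pipe-delimited log format, the field names and the “tree.com from a user-writable path” heuristic are assumptions made for the example; the credential store file names (Chrome’s “Login Data”, Firefox’s logins.json and key4.db) are general knowledge, not taken from the article.

```python
"""Added example (not from the article): match constructed endpoint
events against KGH artefacts and the behaviour implied by its commands."""
from __future__ import annotations
from dataclasses import dataclass

# File names the article associates with the KGH suite.
KGH_FILE_NAMES = {"msic.exe", "msfltr32.dll", "winload.exe", "m.dll"}
# Child binaries corresponding to the backdoor's tre / cmd / pws commands.
COMMAND_CHILDREN = {"tree.com": "tre", "cmd.exe": "cmd", "powershell.exe": "pws"}
# Browser credential stores (general knowledge, not from the article).
CREDENTIAL_STORES = {"login data": "chrome", "logins.json": "firefox", "key4.db": "firefox"}
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "iexplore.exe"}
# Heuristic (assumption): tree.com launched from a user-writable path is unusual.
USER_WRITABLE_DIRS = ("/appdata/", "/temp/", "/programdata/", "/public/")


@dataclass
class Event:
    ts: str
    host: str
    kind: str       # process_create | module_load | file_write | file_read
    parent: str     # image path of the acting process
    target: str     # child image, loaded DLL, or file path
    cmdline: str = ""


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> Event:
    # Constructed format: ts|host|kind|actor|target|cmdline (cmdline may be empty)
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) < 5:
        raise ValueError(f"malformed event: {line!r}")
    while len(parts) < 6:
        parts.append("")
    return Event(*parts)


def evaluate(ev: Event) -> list[str]:
    """Return the detection tags that fire for one event."""
    hits: list[str] = []
    actor, target = basename(ev.parent), basename(ev.target)
    norm_parent = ev.parent.replace("\\", "/").lower()

    # Rule 1: any event that writes, loads, runs or is run by a known KGH file name.
    if target in KGH_FILE_NAMES:
        hits.append(f"kgh_artifact:{target}")
    elif actor in KGH_FILE_NAMES:
        hits.append(f"kgh_artifact:{actor}")

    # Rule 2: the tre / cmd / pws commands show up as child processes.
    if ev.kind == "process_create" and target in COMMAND_CHILDREN:
        if actor in KGH_FILE_NAMES:
            hits.append(f"kgh_command:{COMMAND_CHILDREN[target]}")
        elif target == "tree.com" and any(d in norm_parent for d in USER_WRITABLE_DIRS):
            hits.append("tree_from_user_writable_path")

    # Rule 3: browser credential stores read by something that is not a browser.
    if ev.kind == "file_read" and target in CREDENTIAL_STORES and actor not in BROWSER_IMAGES:
        hits.append(f"credential_store_access:{CREDENTIAL_STORES[target]}")
    return hits


def scan(lines) -> list[tuple[str, str, str]]:
    """Run every rule over a log and return (timestamp, host, tag) alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for tag in evaluate(ev):
            alerts.append((ev.ts, ev.host, tag))
    return alerts


# Constructed sample telemetry; host, user and paths are invented for the example.
SAMPLE_LOG = """\
2020-11-02T09:14:03Z|ws-17|process_create|C:\\Users\\jkim\\AppData\\Local\\Temp\\winload.exe|C:\\Users\\jkim\\AppData\\Roaming\\msic.exe|msic.exe
2020-11-02T09:14:04Z|ws-17|module_load|C:\\Users\\jkim\\AppData\\Roaming\\msic.exe|C:\\Users\\jkim\\AppData\\Roaming\\msfltr32.dll|
2020-11-02T09:15:10Z|ws-17|process_create|C:\\Users\\jkim\\AppData\\Roaming\\msic.exe|C:\\Windows\\System32\\tree.com|tree C:\\ /F
2020-11-02T09:16:40Z|ws-17|file_read|C:\\Users\\jkim\\AppData\\Roaming\\msic.exe|C:\\Users\\jkim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data|
2020-11-02T09:20:00Z|ws-17|file_read|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\jkim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data|
2020-11-02T09:21:00Z|ws-17|process_create|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd /c dir
"""

if __name__ == "__main__":
    for ts, host, tag in scan(SAMPLE_LOG.splitlines()):
        print(ts, host, tag)
```

Rule 1 is the brittle one: file names are trivial for an operator to change, so it should be treated as a confirmation of known samples rather than a primary control. Rules 2 and 3 are behavioural and survive renaming; the cost is that cmd.exe and powershell.exe children are only tagged when the parent is already a known KGH name, because both are spawned constantly by legitimate software. In the sample log the legitimate Chrome read of its own “Login Data” file and the explorer.exe-launched cmd.exe produce no alert.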
CSPY Downloader
The Nocturnus research team discovered that winload.exe is a new type of downloader, named “CSPY.” This downloader includes robust evasion methods meant to ensure that the “coast is clear”, that is, that the malware is not running inside a virtual machine or under analysis tools, before it continues to download secondary payloads.
According to the researchers, the attackers have invested effort in staying under the radar, employing several anti-forensics and anti-analysis methods. As a result, the researchers are not certain who the victims are, and the scope of this campaign remains unclear.
There is evidence implying that the infrastructure targeted organizations that deal with human rights violations.