- Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.
- Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012.
- This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts.
- The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers.
- These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules.
- This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.
Cisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets — namely geopolitical and aerospace research agencies. This campaign has been active since at least June 2021 deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of implants.
The attackers used Blogspot in this campaign to host their malicious artifacts. Talos coordinated with Google to alert them of these blog posts. Google removed these posts and related IOCs prior to publication of this blog post. We also shared this information with appropriate national security partners as well as our industry partners, including the Cyber Threat Alliance (CTA).
How did it work?
Talos has found a new set of malicious blogs operated by Kimsuky delivering three previously unknown preliminary components: an initial beacon script, a file exfiltrator and an implant instrumentor. One of these components, the implant instrumentor, delivered an additional three types of malware:
- An information gathering module.
- A keylogger module.
- A file injector module that injects a specified payload into a benign process.
The injected payload is a trojanized version of the Nirsoft WebBrowserPassview tool meant to extract login credentials for various websites.
Our research builds on earlier findings from security firm AhnLAB. As noted in their June 2021 report, this campaign begins with malicious Microsoft Office documents (maldocs) containing macros being delivered to victims. The infection chain results in the malware reaching out to malicious blogs set up by the attackers. These blogs provide the attackers the ability to update the malicious content posted in the blog depending on whether a victim is of value to the attackers.
Kimsuky employs a wide variety of malware such as Gold Dragon, Babyshark, Appleseed, etc. Kimsuky primarily targets entities in South Korea ranging from defense, to education and think tanks.
This campaign is a typical example of an advanced adversary utilizing a public web content publishing service to serve malicious implants to their targets. The use of Blogspot might be intended to thwart attribution or periodically update the content to serve new implants to victims of interest.
The implants deployed by Kimsuky in this campaign consist of file exfiltrators, information gathers and credential stealers — all geared toward reconnaissance, espionage and credential harvesting. The module meant for exfiltrating files from the endpoint uses a distinct filepath list specified by the threat actors.
Organizations must remain vigilant against motivated adversaries that conduct targeted attacks.
Attribution and targeting
Attribution to Kimsuky
We assess with high confidence that this campaign is operated by Kimsuky, based on the code similarities, TTPs and infrastructure overlap with previous Kimsuky implants and campaigns.
The implants used in this campaign share code with the Gold Dragon and Brave Prince family of implants. For example, from early 2021 through August, the attackers utilized mailbox-based exfiltration components that are derived from the Brave Prince malware family that’s been attributed to Kimsuky in the past.
Other maldocs used in parallel to Kimsuky campaigns contain similar macros to the ones abusing malicious Blogspot posts. One specific malicious VBA function commonly seen between both sets of maldocs would collect preliminary information and construct a query-based URL to convey the sysinfo to the attackers.
Left: Known Kimsuky maldocs vs. Right: Maldocs abusing Blogspot.
Identical functions have been seen in Kimsuky maldocs throughout this year.
In one such maldoc, apart from shared macro code, this maldoc also shared identical metadata as the maldocs abusing Blogspot with identical creation times and unique author names.
The malicious URL used by this maldoc hxxp://eucie09111[.]myartsonline[.]com/0502/v.php is a known Kimsuky IOC in use since late 2020.
Macros seen in similar maldocs (left) using the same infrastructure as previous Kimsuky maldocs from 2020 (right).
Kimsuky is a highly motivated APT that has traditionally targeted entities in South Korea. The APT group has used a variety of malware such as Gold Dragon, Babyshark and Appleseed to target entities ranging from defense to education and think tanks. The current campaign aims to further these goals by targeting high-value targets belonging to geopolitical research institutions and think tanks. We’ve also observed targeting of aerospace research agencies by Kimsuky in this campaign using modular reconnaissance and exfiltration implants.
Usually, file exfiltrator components used in crimeware and APT operations perform a wide sweep of the infected endpoint to gain insight into the kind of data and research artifacts the system holds. Some file enumerators will exfiltrate all files with specific extensions. In other cases, the attackers will obtain a comprehensive file listing of specific directories and then exfiltrate hand-picked data from the victims.
In this campaign, the attackers used a file exfiltrator component with an interesting implementation. Instead of performing a wide sweep of the system (seen very rarely in this campaign), the attackers focussed on finding and exfiltrating specific files of interest to the attackers — specified by the attackers via filelists hosted on a remote server. What’s interesting here, however, is that the attackers knew exactly which files they were looking for. This indicates that the attackers have a deep understanding of their targets’ endpoints, likely obtained from previous compromises.
The identified entities targeted in this campaign include research institutions and universities conducting research on political, military, and diplomatic topics pertaining to North Korea, China, the U.S., and Russia. The research topics of interest to the attackers in this campaign appear to be:
- North Korea.
- North Korean denuclearization.
- US-China relations.
- Increased China-Russia collaboration.
An example of one of the files the attackers were looking for is:
<directory_path>\탈북자 면담.hwp which roughly translates to “North Korean defector interview.hwp”
<directory_path>\[redacted]_비핵화.hwp is also a document related to North Korean denuclearization.
There is an unusually high degree of focus on finding documents associated with North Korea in this campaign. Topics such as Korean unification, North Korean defectors, the recent increasing collaboration between China and Russia, and denuclearization align with the continued efforts by the DPRK to maintain a political advantage in East Asia.
Our research also showed that the attackers had a special interest in research into aerospace and aeronautical technologies conducted by South Korean entities. These entities mostly consist of labs and research institutes associated with the South Korean government and aerospace industry. In this campaign, the attackers appear to be looking for restricted research papers, theses and project design documents to exfiltrate. Specific topics of interest to the attackers in this domain include:
- Rocket design.
- Material science.
- Aviation fuel research.
- Fluid mechanics.
This focus on aerospace and aeronautical research by Kimsuky aligns with the DPRK’s continued efforts towards increasing their traditional and nuclear arsenal. Although active since 1984, the rapid increase in missile testing by North Korea since 2019 has been accompanied by an acceleration in their espionage efforts to gather classified research on such technologies.
Targeting information for this campaign.
The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the “Typing replaces selection” property is enabled in Microsoft Word. The VBA functions trigger when the victim types any content into the maldoc. Therefore, to trick victims into typing content in the maldoc, the attackers disguise the maldocs as forms.
Malicious macro functions triggered when the target enters text in the maldoc form.
The pivotal function of the malicious VBA code simply base64 decodes and drops a malicious VBScript to a file specified in the macro.
The next stage of the VBS is run using wscript.exe using a command such as:
%windir%\System32\wscript.exe //e:vbscript //b <path_to_Stage_2>
Macros dropping VBS to disk and running via wscript.exe.
Stage 2 VBS
The Stage 2 VBS is meant to replace itself with another base64-decoded VBScript (Stage 3). The Stage 2 VBS is also responsible for setting up persistence for Stage 3 by creating a shortcut for it in the current user’s Startup directory, which will be important to remember later.
Stage 2 setting up Stage 3 VBS on the endpoint.
Stage 3 VBS
The Stage 3 VBS is the one responsible for downloading malicious content from a Blogspot blog setup by the attackers. This blog contains a base64-encoded VBScript that is decoded and executed by Stage 3.
The blog is parsed for specific tags to identify its body and this content is then decoded and run on the endpoint:
Stage 3 downloading and parsing the blogpost’s body for the next VBScript to be run on the endpoint.
Malicious Blogspot content — Post-compromise activities
Talos has discovered three different types content hosted on multiple malicious blog posts since June 2021:
- Initial beacon scripts.
- File exfiltration modules.
- Implant instrumentor modules.
I’m alive! — Initial Beacon
Typically, the post body contains VBS code to send a beacon to an attacker-controlled remote location indicating successful compromise of the victim.
Malicious blogpost from July 2021.
Decoded content of the post from July 2021.
The Stage 3 VBS scripts are configured to run at Startup (via the LNK in Startup directory installed by Stage 2 scripts) when the victim restarts or logs into their system. This means that every time the victim logs back into the infected endpoint, the Stage 3 VBScript will query the malicious Blogspot location for content to execute on the victim’s system. This gives the attackers ample time to modify the content of the blog post with new malicious content that can be executed on the endpoint.
File exfiltration module
Typical file exfiltration modules deployed by threat actors usually consist of the ability to enumerate and exfiltrate files. These implants enumerate files in specific drives or directories and exfiltrate the file lists first. Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files.
The VBScript-based file recon module used by the attackers is somewhat different. It downloads a file listing from a remote location that contains the file paths of specific files of interest to the attackers. The file listing is so precise that the attackers know the exact file paths of the files they’re looking for on an infected endpoint. This indicates that the attackers have a deep knowledge of their targets’ systems likely from previous compromises of the targets.
If any of the files listed are found by the implant, it will copy them over to another directory such as %temp%. The directory will be zipped up into a ZIP file and exfiltrated to a remote location specified by the file exfiltration module. The uploaded files are identified by a victim ID in the HTTP POST request while uploading the ZIP file to the attacker-specified URL.
File recon and exfiltration module.
Mark as exfiltrated: The attackers also perform a preliminary check to verify if the victim has already been compromised and files exfiltrated. This prevents re-infection of the target.
A marker file is created in an attacker-specified folder and is checked before the exfiltration module begins its malicious activities. If found, the module will simply exit. If the marker file is not found, the module will proceed with its recon and exfiltration activities.
In August 2021, we saw a minor variation of the same script being deployed in the wild. This variation consisted of the ability to send the initial beacon (described previously) to the attackers and the file exfiltration.
Another modification in this variant was the use of a victim specific query field in the beacon’s HTTP GET request. The URL constructed had the following format:
Interestingly, the victim_id is not generated by the VB script. Instead, it’s hardcoded into the scripts showing that the attackers already know the identities of the targets that they are trying to infect. This indicates that this is a highly targeted attack.
In October 2021, we observed another update in the file exfiltration scripts. This time, the attackers decided to perform a wide scan of a specific drive on the system against a target.
The scan is done using a batch file created on the fly containing the command format:
dir <drive_letter> /s >> <filename>
Wide range scanning of a drive.
Talos also observed the usage of a third VBS based module being deployed via Blogspot. This time, an instrumentor script for deploying additional implants on a victim’s system. Interestingly, this script also includes the exact same capabilities of the file exfiltration module illustrated earlier along with other functionality. It is therefore likely that the attackers have stitched together and deployed various components in their attack chains. This is a characteristic typical of Kimsuky and other related groups, such as Lazarus.
Gather preliminary information
The instrumentor script begins by collecting the following information about the infected endpoint:
- Gather the names of all services running on the system.
- Gather a list of the names of all processes running on the endpoint.
- Gather the list of all files names listed in the Recent Items folder i.e. “%Appdata%\Microsoft\Windows\Recent”.
- Gather all names of files listed in the Desktop folder of the current user.
- Gather names of all files and programs listed in the Taskbar i.e. “%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar”.
- Get the bitness of the Operating System : “x86” or “x64”.
- Get Username, OS name and version,.NET Framework version.
- Get Microsoft Version Number from the registry, specifically from reg key/value: HKEY_CLASSES_ROOT\Excel.Application\CurVer|Default.
- The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\Software\Microsoft\Office\<OfficeVersionNumber>.0\Word\Security\VBAWarnings = 0x1
This system information is then recorded to a file on disk in the format:
Sysinfo recorded file format.
The instrumentor is responsible for zipping and exfiltrating this preliminary information gathered from the endpoint. The instrumentor also sends all logs used by various implants for recording information from the victim’s system to the attacker’s server. The instrumentor script is solely responsible for the exchange of information and any outbound traffic from the endpoint, not the individual implants.
Deploying the implants
Once the preliminary system information has been gathered by the instrumentor, it will usually download and deploy three key implants on the endpoint. All these implants are DLL files meant to serve very specific purposes.
A marker file “qwer.txt” is created by the instrumentor script prior to downloading and deploying any of the implants. This file acts as an infection marker for the implants that check for the presence of this file before performing any malicious activities. The instrumentor script downloads the DLL implants and then creates a temporary PowerShell script to deploy the DLL on the infected system.
The DLL implants downloaded to a file on disk usually have their first byte modified. This is used as an evasion mechanism to prevent recognition of the executable file format. Once the DLL is downloaded, the PowerShell script resets its first byte to 0x4D. The DLL is then deployed on the endpoint using rundll32.exe.
PowerShell script modifying and running the DLL implant using rundll32.exe.
The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This activity is performed after the implants are in place to force users to reauthenticate. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk. The commands used are:
taskkill /f /im chrome.exe
cmd.exe /c del /f ""%localappdata%\Google\Chrome\User Data\Default\Cookies""
taskkill /f /im msedge.exe
cmd.exe /c del /f ""%localappdata%\microsoft\edge\User Data\Default\Cookies""
The infection chain is illustrated as follows:
The implants deployed by the attackers are:
- Information-gathering DLL.
- File injector.
These implants check if a specific file “%AppData%\qwer.txt” exists on the endpoint. If the file does not exist, then execution quits. If the file does exist, the modules carry out their respective malicious activities.
To start, the implant looks for the AHNLAB V3 Antivirus software’s class name “49B46336-BA4D-4905-9824-D282F05F6576”. If the software is found, the implant will hide the AV software window from the view of the infected user.
Additional information gathering
In addition to the preliminary information gathered by the instrumentor script, this implant gathers additional information:
- Gather all network configuration information and record to a file on disk in a folder created by the implant using the command:
cmd.exe /c ipconfig/all >>"%s" & arp -a >>"%s"
where %s = <file_path>
Implant gathering network information from the victim.
- Gather all system information using the “systeminfo” command and record to a file:
cmd.exe /c systeminfo >>"%s"
where %s = <file_path>
- Gather process information for all running processes on the system using:
cmd.exe /c tasklist >>\"%s\"
where %s = <file_path>
- Record into a file the file information of all files residing in specific locations in each drive on the disk:
- “Documents and Settings” folder
- “users” folder.
- “Program Files” folder.
- The file information recorded is:
- File name.
- File creation time is format : YYYY/MM/DD HH:MM [AM|PM]
- Current file size.
Implant enumerating drives and gathering file information from specific folders.
The VBS-based instrumentor script is responsible for zipping up the folder that gathers this data from the victims and sending it to an attacker-controlled URL.
File injector DLL and encrypted payloads
To deploy the file injector, the instrumentor downloads additional payloads to be injected into a benign process. The injector is responsible for spawning a benign process on the system (such as “svchost.exe” or “iexplore.exe”) and injecting the malicious payload into it via process hollowing.
Apart from stealing research, another overarching theme of the campaign is to gather credentials using trojanized tools against entities of interest. The payload observed in this campaign was a trojanized version of the Nirsoft WebBrowserPassView tool (specifically v2.11). The attackers modified the password viewer application to dump the passwords obtained into a specific file on disk.
Malicious function used to record credentials to a file on disk.
The legitimate tool extracts all credential data from the system and sends it to the GUI to be displayed to the user. The trojanized version used in this campaign sends the data to a log file instead.
Left - Legitimate function for sending data to the GUI vs Right - trojanized function that sends data to a log file instead.
The instrumentor script (VBS from earlier) is configured to zip up the contents of the password dump directory and exfiltrate it to the C2.
The Keylogger is responsible for recording specific keystrokes from the victim into a log file located at: %Appdata%\Microsoft\pubs\desktop.ini.
It begins recording keystrokes as soon as it is deployed on the infected endpoint via rundll32.exe.
Keystrokes recorded by the implant using the GetAsyncKeyState API.
The key log is not exfiltrated by the keylogger Dll. Instead, the instrumentor VB script is the one responsible for zipping up the key log and sending it over to the C2 specified in the VB script.
Instrumentor VB script zipping and exfiltrating the key log directory to the C2.
The instrumentation of the three key implants is as follows:
Instrumentor’s orchestration of implants.
Evolution of implants
The final payloads deployed by the instrumentor script consist of implants derived from the Gold Dragon/Brave Prince family of implants. These two families share multiple code similarities and have been developed and operated by Kimsuky at least since 2017. The key difference between the two malware is that while Gold Dragon uses HTTP requests to exfiltrate data, Brave Prince uses attacker owned mailboxes to perform exfiltration.
In this section we illustrate the evolution of these malware families over the past year into the three derivative implants deployed by Kimsuky in this specific campaign.
The version of the injector implant from 2020 consists of the payload which is to be injected into a benign process such as svchost.exe or iexplore.exe, that is embedded in the injector module. The payload is decoded (xorred) and then decompressed and finally injected into the benign process. This payload is yet another downloader for running additional implants on the infected endpoint. Based on historical analysis it is likely that this infection chain deploys a credential stealer and mailbox based exfiltration component, in a manner similar to Brave Prince.
In January 2021, we observed the deployment of a module that consists of both the information gathering and injector modules combined into a single DLL. This DLL carries out certain additional functionality that was removed from subsequent versions:
- Copy files from the “Recent Items” folder with extensions: lnk, doc, docx, pdf, hwp.
- Download additional payloads from a remote URL and deploy these on the endpoint via rundll32.
This module also decompresses the keylogger module from its resources and injects it into a benign process. The keylogger module in this case has an additional capability to decompress yet another module, the file exfiltrator, and inject this into another benign process. Consistent with Brave Prince, the file exfiltrator is responsible for sending the information gathered and keylogs from the system to attacker controlled mailboxes.
We observed continued use of such modules throughout 2021 into August.
The file injector module deploying a keylogger seen throughout most of 2021.
In early September 2021, we observed the removal of a lot of functionality from the implants. This time the injectors deployed against targets consisted of the trojanized copies of the Nirsoft WebBrowserPassView tool. This iteration also includes the information gathering functionality as well as the file injector.
Combined info gathering and file injector module from early September 2021.
This amalgamation of the information gathering and file injection modules continued into mid-September. However, this iteration of the implant saw another change. This time, the implant didn’t have the injectable payload embedded as a resource in the injector module. This version of the implant reaches out to two remote URLs to download, decode/decompress and deploy the payload on the infected system. One of these payloads consists of a trojanized version of the Nirsoft WebBrowserPassView tool. The other payload is unknown, however, it is likely that the attackers are using another hacktool to steal browser cookie information from the victims.
Remote locations for downloading the payload in the implant from mid-September 2021.
Four days later, the attackers changed their implementation again. This time, the injector module only consisted of the ability to read an existing compressed payload from a file on disk and inject it into a benign process. The information gathering capabilities were separated out into an independent module, the information gathering module described above. The separate information gathering module (described previously) was in fact created one day before this new iteration of the injector module was created.
Timeline of evolution:
Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. This campaign relies on the abuse of Blogspot to host attacker-operated blogs serving malicious VB based scripts to their targets. We’ve found preliminary malicious components from initial access beacons to file exfiltrators being deployed to victims. In many cases, the content of these preliminary components was combined to serve special scripts to victims.
The final implants utilized by the actors in this campaign are derivatives of the Gold Dragon/Brave Prince malware families. Since late 2020, the actors have introduced multiple capabilities (and removed some) in the implants eventually modularizing them into three distinct malware.
Apart from stealing research using bespoke file exfiltrators, another goal of the campaign is to gather credentials using trojanized tools such as Nirsoft’s WebBrowserPassView and use implants to establish continued unauthorized access into entities of interest. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The Snort SIDs for this threat are: 58496-58497.
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click below:
The malicious blogs hosted on Blogspot have been taken down already at the time of publication of this research.
Stage 2 script
Stage 3 script
Information Gathering Module
Trojanized Nirsoft tool
Implant download locations
Malicious Threat Actor profiles