• Cisco Talos has observed a new malware campaign operated by the Kimsuky APT group since June 2021.
• Kimsuky, also known as Thallium and Black Banshee, is a North Korean state-sponsored advanced persistent threat (APT) group active since 2012.
• This campaign utilizes malicious blogs hosted on Blogspot to deliver three types of preliminary malicious content: beacons, file exfiltrators and implant deployment scripts.
• The implant deployment scripts, in turn, can infect the endpoint with additional implants such as system information-stealers, keyloggers and credential stealers.
• These implants are derivatives of the Gold Dragon/Brave Prince family of malware operated by Kimsuky since at least 2017 — now forked into three separate modules.
• This campaign targets South Korea-based think tanks whose research focuses on political, diplomatic and military topics pertaining to North Korea, China, Russia and the U.S.

What's new?
Cisco Talos recently discovered a campaign operated by the North Korean Kimsuky APT group delivering malware to high-value South Korean targets — namely geopolitical and aerospace research agencies. This campaign has been active since at least June 2021, deploying a constantly evolving set of implants derived from the Gold Dragon/Brave Prince family of implants.

The attackers used Blogspot in this campaign to host their malicious artifacts. Talos coordinated with Google to alert them of these blog posts. Google removed these posts and related IOCs prior to publication of this blog post. We also shared this information with appropriate national security partners as well as our industry partners, including the Cyber Threat Alliance (CTA).
