North Korea-linked risk teams are more and more utilizing living-off-the-land (LotL) methods and trusted providers to evade detection, with a current Kimsuky marketing campaign showcasing the usage of PowerShell scripts and storing knowledge in Dropbox folders, together with improved operational safety.
Within the marketing campaign, dubbed “DEEP#DRIVE” by safety agency Securonix, the risk group used faux work logs, insurance coverage paperwork, and crypto-related recordsdata to persuade customers to obtain and run a zipped shortcut file that gathers system configuration data after which executes PowerShell and .NET scripts. The assault instruments add the system knowledge to Dropbox folders after which obtain extra instructions and capabilities for additional compromise.
Whereas the attackers confirmed some curiosity in fast monetary wins — resembling focusing on cryptocurrency customers — for probably the most half, the risk group targeted on stealing delicate knowledge from South Korean authorities businesses and companies, says Tim Peck, a senior risk researcher at Securonix.
“We noticed proof of each espionage and monetary motivation, although leaning extra towards espionage,” he says. “This aligns with Kimsuky’s historic focusing on of South Korean authorities businesses, enterprises, and strategic industries.”
North Korean cyber-operations teams have constantly focused South Korea and the US, with South Korean authorities businesses and firms among the many hottest targets. In September 2024, the FBI warned that North Korean teams deliberate to launch a surge of assaults towards organizations with vital cryptocurrency reserves, and Kimsuky launched a related multistage assault towards South Korean targets final 12 months.
A Prolific Group
Kimsuky is not monolithic, however has 5 risk teams which have overlap with what different firms take into account to be the identical group, says risk intelligence agency Recorded Future. One group tends to deal with the healthcare and hospitality sectors, for instance, whereas one other focuses on cryptocurrency markets.
By mid-2023, Kimsuky grew to become probably the most prolific North Korean group. (Newer knowledge not obtainable.) Supply: Recorded Future’s “North Korea’s Cyber Technique” report
The Kimsuky teams accounted for probably the most assaults recognized as North Korean in origin between 2021 and 2023, in line with Recorded Future’s “North Korea Cyber Technique” report. In 2024, the teams continued to account for a excessive quantity of assaults, says Mitch Haszard, senior risk intelligence analyst with Recorded Future.
“These teams conduct excessive quantity phishing campaigns, primarily focusing on people and organizations in South Korea, whereas often focusing on entities in different international locations,” he says. “Within the exercise we see, these teams seem like going for quantity, somewhat than extra time-consuming, tailor-made spear-phishing operations.”
Different well-known North Korean teams, resembling Lazarus and Andariel, usually are not as prolific because the Kimsuky risk actors. Whereas a few of these teams are extra targeted on gathering delicate data, practically all even have a monetary motivation.
Hundreds of Victims?
In the DEEP#DRIVE marketing campaign, following the compromise of a system, the Kimsuky group’s assault scripts add knowledge on the system configuration to one among a number of Dropbox folders. Whereas the Securonix researchers weren’t capable of collect intelligence from all of the suspected Dropbox places, they uncovered indicators of greater than 8,000 configuration recordsdata, though some seem like duplicates, Peck says.
Whereas meaning they seemingly got here from the identical sufferer organizations, the marketing campaign seems to be fairly profitable, he says.
“There have been two components which contributed to the ‘uniqueness’ of the configuration file, the username, and IP deal with,” Peck says. “Some usernames have been related to dozens of comparable IP addresses, which might point out lateral motion by the attacker — [that is], infecting dozens of machines from the identical entity.”
The information from a compromised system contains the host IP deal with, the system uptime, particulars concerning the OS kind and model, any put in safety software program, and a listing of operating processes.
Kimsuky Improves Its OpSec
The marketing campaign additionally highlighted North Korean cyber-operations teams’ enhancements to operational safety. The group used OAuth-based authentication on its Dropbox folders, stopping conventional URL-blocking or network-based defenses from following the hyperlinks. The risk actors additionally shortly took down elements of their infrastructure quickly after the Securonix researchers started investigating, Securonix’s Peck says.
“This degree of operational consciousness is just not at all times current in phishing-driven malware campaigns,” he says.
For firms, the risk group’s techniques underscore that the hidden file extensions needs to be disabled, shortcut recordsdata needs to be blocked from executing in person folders, and solely signed PowerShell scripts be allowed to execute. These three countermeasures make the attackers’ exercise a lot simpler to detect, Peck says.
As well as, firms in focused industries — resembling cryptocurrency exchanges and authorities businesses — ought to bolster their e-mail safety and repeatedly practice workers on find out how to spot phishing threats, says Recorded Future’s Haszard.
“Most North Korean cyberattacks nonetheless begin with social engineering and a phish,” he says. “Firms ought to make sure that they’ve an e-mail safety answer in place and repeatedly practice workers on phishing threats, in addition to conduct simulated phishing exams.”