Kimsuky Group’s Spear Phishing Detected by AhnLab EDR (AppleSeed, AlphaSeed)

The Kimsuky threat group, deemed to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy corporation in 2014, and have expanded their attacks to other countries since 2017 [1]. The group has mainly been attacking the national defense, defense industry, media, government organizations, and academic areas to steal internal data and technologies from them [2]. (This report supports Korean only for now.)

The Kimsuky group utilizes various malware strains depending on the attack. Their most notable case is the installation of AppleSeed and AlphaSeed malware strains. These attacks have continued for several years, and AhnLab introduced the group’s attacks in detail in past articles: “Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)” [3], and the recent article “Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed” [4].

This article discusses a case in which the Kimsuky group’s spear phishing attack was detected using AhnLab EDR. Administrators can utilize AhnLab’s EDR to become aware of the threat in advance, identify the cause, and respond with appropriate measures.

1. Spear Phishing Attacks

The threat actor typically starts their attack by sending a spear phishing email with malware attached. Targets are not limited to organizations in fields such as foreign affairs, defense, academic institutions, and companies, but also include individual users. The compressed file attached to the spear phishing email contains VBS or JavaScript malware typically disguised as a legitimate document file. Once a user decompresses the file and runs the malware, AppleSeed is installed. The malware steals the user’s data from the infected system and performs commands received from the C&C server.

Because the VBS and JavaScript malware install AppleSeed while simultaneously creating and opening a legitimate document file as a decoy, users can be tricked into thinking that the document file was run normally. The disguised document’s file type varies depending on the attack. For foreign affairs and defense, the threat actor uses government document files. For companies, various types of files are used, such as request forms, purchase orders, security maintenance checklists, delivery performance reports, and transaction records. For individuals, personal data such as resident registration forms and online shopping purchase orders were used in the spear phishing attacks. As seen in these examples, the Kimsuky group utilizes and applies a wide variety of topics and themes in their attacks.

In the recently discovered spear phishing attack, the threat actor used a JavaScript malware named “***.jse” including the name of the alleged victim. When the file is launched, it creates and shows an online shopping purchase order as shown on the image below.

Figure 1. The online shopping purchase order used in the spear phishing attack

Simultaneously, the malware creates another encrypted malware strain and uses the certutil utility tool to decrypt it. Afterward, it uses PowerShell to run the final malware. Because the file is in the DLL format, the regsvr32 utility is used to launch the malware. The following figure shows the process tree when the JavaScript malware is run. It shows the online shopping purchase order being created and opened with the web browser, and the malware strains being run and installed in order. Unlike other cases, the JavaScript malware installed both AppleSeed and AlphaSeed simultaneously. As such, the decryption process using certutil and the malware execution occur twice in a similar way.

Figure 2. The process tree when JavaScript malware is executed

2. Detection Using AhnLab EDR

The JavaScript malware created the encrypted files used during the installation of AppleSeed and AlphaSeed in the ProgramData path and decrypted them using the certutil tool. AhnLab EDR detects such suspicious behavior as threats and helps administrators detect the malware’s installation in advance.

Figure 3. Detection of malware decryption process using the certutil – EDR

Figure 4. Detection of executable file creation using the certutil – EDR
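The behavior described above can also be hunted for in process-creation logs. The following is an added example, not AhnLab EDR's detection logic and not code from the original article: it flags certutil decode commands whose input or output file is under ProgramData. The sample command lines and file names are constructed, and it assumes the telemetry records expanded absolute paths.

```python
import ntpath
import shlex

# certutil verbs that turn an encoded blob back into a file
DECODE_VERBS = {"-decode", "/decode", "-decodehex", "/decodehex"}
STAGING_DIR = "c:\\programdata\\"  # assumption: paths are logged expanded and absolute

def certutil_decode_hit(cmdline):
    """Return (source, output) when certutil decodes to or from ProgramData, else None."""
    # posix=False keeps backslashes literal; surrounding quotes are stripped afterwards
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("certutil", "certutil.exe"):
        return None
    args = tokens[1:]
    if not any(a.lower() in DECODE_VERBS for a in args):
        return None
    # Arguments that are not switches are paths: input file first, output file second
    paths = [a for a in args if not a.startswith(("-", "/"))]
    if len(paths) < 2:
        return None
    source, output = paths[0], paths[1]
    staged = [p for p in (source, output)
              if ntpath.normpath(p).lower().startswith(STAGING_DIR)]
    return (source, output) if staged else None

def scan(cmdlines):
    """Return the (source, output) pair for every matching command line."""
    return [hit for hit in map(certutil_decode_hit, cmdlines) if hit]

# Constructed sample command lines; the file names are made up for illustration
SAMPLE_CMDLINES = [
    r'certutil -decode C:\ProgramData\k8Fq.tmp C:\ProgramData\k8Fq.dat',
    r'"C:\Windows\System32\certutil.exe" -f -decode "C:\ProgramData\t2.b64" "C:\ProgramData\t2.bin"',
    r'certutil -hashfile C:\ProgramData\setup.msi SHA256',          # no decode verb
    r'certutil -decode C:\Users\dev\cert.b64 C:\Users\dev\cert.cer',  # not in ProgramData
]

if __name__ == "__main__":
    for source, output in scan(SAMPLE_CMDLINES):
        print(f"certutil decode in ProgramData: {source} -> {output}")
```

Because the article notes that AppleSeed and AlphaSeed are both decrypted this way, two such hits close together on one host are worth correlating.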

AppleSeed is a backdoor malware that can perform the threat actor’s commands sent from the C&C server. The threat actor can use AppleSeed to control the infected system. The malware also includes features such as a downloader that installs additional malware strains, keylogging and screenshot features, and the ability to steal information by collecting and sending files from the user’s system.

AppleSeed is installed in DLL form using the Regsvr32 process. AppleSeed, which ultimately runs in the RegSvr32 process, uses commands such as net, systeminfo, and ipconfig to collect basic information about the system. Afterward, it connects with the C&C server to steal the collected data and receive commands. HTTP is typically used to communicate with the C&C server, but SMTP (email) was also used in the past.

Figure 5. AppleSeed’s process tree

For many years, AppleSeed was installed without significant changes in its methods, as shown above. Recently, the threat actor has been using malware with a dropper or has added a parameter check feature using the “/i” option for anti-sandbox purposes. However, the process of creating and decrypting encrypted malware in the ProgramData path has remained the same. The following is a case where AhnLab EDR detected the RegSvr32 process being used to run a file with an abnormal extension while installing AppleSeed.

Figure 6. Detection of AppleSeed’s suspicious activity – EDR
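The two AppleSeed traits described above, regsvr32 loading a file with an abnormal extension and the net, systeminfo, and ipconfig commands running beneath it, can be correlated over a process tree. The following is an added example, not AhnLab EDR's logic and not code from the original article; the events, file names, and the "/i" value are constructed, and PIDs are assumed unique within the sample.

```python
import ntpath
import shlex

NORMAL_EXT = {".dll", ".ocx"}              # extensions regsvr32 is normally pointed at
RECON = {"net", "systeminfo", "ipconfig"}  # discovery commands named in the article

def parse(cmdline):
    """Split a Windows command line into (image name without .exe, arguments)."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens:
        return "", []
    name = ntpath.basename(tokens[0]).lower()
    return (name[:-4] if name.endswith(".exe") else name), tokens[1:]

def descendants(events, pid):
    """Command lines of every process below pid, so recon run via cmd.exe is still seen."""
    found, stack, seen = [], [pid], {pid}
    while stack:
        parent = stack.pop()
        for child_pid, ppid, cmdline in events:
            if ppid == parent and child_pid not in seen:
                seen.add(child_pid)
                found.append(cmdline)
                stack.append(child_pid)
    return found

def suspicious_regsvr32(events):
    """Flag regsvr32 processes whose target file is not a .dll/.ocx."""
    findings = []
    for pid, _ppid, cmdline in events:
        name, args = parse(cmdline)
        files = [a for a in args if not a.startswith(("/", "-"))]  # drop /s, /i:..., etc.
        if name != "regsvr32" or not files:
            continue
        ext = ntpath.splitext(files[-1])[1].lower()
        if ext in NORMAL_EXT:
            continue
        below = {parse(c)[0] for c in descendants(events, pid)}
        findings.append({"pid": pid, "target": files[-1], "ext": ext,
                         "recon": sorted(below & RECON)})
    return findings

# Constructed (pid, ppid, command line) events; file names and the /i value are made up
SAMPLE_EVENTS = [
    (110, 100, "powershell.exe"),
    (120, 110, r"regsvr32.exe /s /n /i:EXAMPLE C:\ProgramData\k8Fq.dat"),
    (130, 120, "cmd.exe /c systeminfo"),
    (131, 130, "systeminfo"),
    (132, 120, "ipconfig /all"),
    (200, 50, r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"),  # benign registration
]
```

A finding with a non-empty `recon` list is the stronger signal, since the abnormal extension alone can also come from poorly packaged legitimate software.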

AlphaSeed is malware developed in Go, and like AppleSeed it has features such as command execution and information theft. The differences are that AlphaSeed is developed in Go and that it uses ChromeDP for C&C communication: unlike AppleSeed, instead of sending an email directly, AlphaSeed uses a tool called ChromeDP. AlphaSeed also logs in differently, using cookie values instead of directly using an ID and a password to log into certain accounts.

Because it uses ChromeDP to communicate with the C&C server, a Chrome web browser is created as a child process, as in the process tree shown in the image below.

Figure 7. AlphaSeed’s process tree

AlphaSeed, like AppleSeed, can perform various malicious activities such as taking screenshots, keylogging, and executing commands. Furthermore, it registers the command that executes itself into the Run key so that it can be activated following reboot.

Figure 8. Detection of AlphaSeed’s behavior to maintain persistence – EDR

3. Conclusion

The Kimsuky group installs AppleSeed and AlphaSeed via spear phishing attacks, steals user information by taking screenshots and keylogging, and uses the malware to take control over the infected system. The threat actor also uses AppleSeed to install additional software such as an Infostealer that steals web browser account information, VNC (HVNC, TightVNC), RDP Wrapper, or Chrome Remote Desktop to control their target’s screen.

AhnLab EDR detects malware utilized by the Kimsuky group as a threat and a key behavior, helping administrators be aware of such activities in advance. Through this, administrators can identify the causes and respond with appropriate measures in an attack. Data from the targeted system can also be checked after the spear phishing attack and used as evidence in the data breach investigation.

Users must carefully check the senders of emails and refrain from opening files from unknown sources. Users should also apply the latest patch for OS and programs such as Internet browsers and update security products to the latest version to prevent malware infection.

Behavior Detection
– Execution/EDR.Certutil.M11121
– SystemManipulation/DETECT.T1140.M3178
– Execution/EDR.Regsvr32.M11168
– Suspicious/DETECT.T1060.M2939

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.

The post Kimsuky Group’s Spear Phishing Detected by AhnLab EDR (AppleSeed, AlphaSeed) appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/61631/