[VirusBulletin 2024] Go-ing Arsenal: A Closer Look at Kimsuky’s Go Strategic Advancement

Author: Jiho Kim | S2W TALON

#VB024 — https://www.first.org/conference/2024/

Executive Summary

The North Korean APT group Kimsuky (a.k.a. Emerald Sleet, APT43, Springtail) has been active since at least 2013. It initially targeted government ministries in South Korea, but has since conducted attacks against targets engaged in media, research, politics, and diplomacy around the world. The group primarily uses spear-phishing attacks to distribute malware and to attempt account takeovers in order to harvest data. It has mainly targeted Windows environments, but attacks on Android have also been observed.

Talon, the threat research and intelligence center of S2W, has continuously tracked the activities of the Kimsuky group and discovered additional samples related to the previously known AppleSeed, which we named AlphaSeed, Troll Stealer and GoBear.

In February 2024, S2W disclosed a Kimsuky group attack campaign that exhibited a different pattern from previous ones. This campaign employed novel techniques, such as disguising malware as installation files for South Korea's electronic document security programs in order to steal data from the GPKI folder used by government administrative and public institutions in South Korea, and leveraging the SOCKS5 protocol. Notably, the Kimsuky group has recently begun developing malware in the Go language, indicating a rapid evolution in its tooling. This change suggests either a shift in the group's strategic objectives or that another member with access to the AppleSeed and AlphaSeed source code has developed malware such as Troll Stealer.

We have categorized the Kimsuky group's new malware by functionality and type. In this report, we examine the operational mechanisms of each malware type and share recent attack cases. During our analysis, we found that all of the malware, except for BetaSeed, was written in Go. This aligns with the Kimsuky group's recent trend of using Go-based tools and malware. Accordingly, we delve into the specifics of Kimsuky's new Go strategy.

Key Takeaways

  1. (Understanding Kimsuky's Subgroup, SeedpuNK) Explore the classification of Kimsuky into three subgroups based on their primary malware. Among them, understand SeedpuNK, the subgroup represented by AppleSeed, and its attack techniques.
  2. (Insights into New Go-Based Malware) Review the behavior of three newly discovered Go-based malware families and analyze their connections to SeedpuNK's existing malware.
  3. (Understanding SeedpuNK's Recent Go Strategy) Discuss SeedpuNK's shift toward Go in its recent operations, highlighting the benefits it offers in terms of stability, usability, and scalability.

For more details, please refer to the presentation at VB2024.

Originally published in S2W BLOG on Medium, Oct 2024: [VirusBulletin 2024] Go-ing Arsenal: A Closer Look at Kimsuky's Go Strategic Advancement | by S2W | S2W BLOG.