North Korea-linked threat group Kimsuky has adopted a longer, eight-stage attack chain that abuses legitimate cloud services and employs evasive malware to conduct cyber espionage and financial crimes against South Korean entities.
NET applications - to create the foundation of the attacker's toolkit, researchers from Securonix wrote in a threat analysis today.
Kimsuky also used LNK files attached to emails, command scripts downloads from Dropbox, and code written in PowerShell and VBScript to conduct offensive operations.
While typical cyberattacks use five or fewer stages, the DEEP#GOSU campaign used eight.
Though some of the tools could be detected by antivirus scanners and other defensive technologies, the attackers actively aimed to foil detection, says Oleg Kolesnikov, vice president of threat research at Securonix.
The Kimsuky group - also known as APT43, Emerald Sleet, and Velvet Chollima - ramped up its activity in 2023, shifting to a greater focus on cryptocurrency in addition to its traditional focus on cyber espionage.
Kimsuky is well known for its skilled spear-phishing, and not necessarily for its technical sophistication, but the latest attack demonstrated that the group has evolved somewhat, according to the analysis penned by three researchers at Securonix.
Using Dropbox and Google to Evade Security Controls The first stage of the attack executes when the user opens a LNK file attached to an email, which downloads PowerShell code from Dropbox.
The code executed during the second stage downloads additional scripts from Dropbox and prompts the compromised system to install a remote access Trojan, the TutClient, at Stage 3.
The heavy use of Dropbox, and Google in later stages, helps avoid detection, Securonix's threat researchers stated in the analysis.
The later stages of the attack install a script that randomly executes in a matter of hours to help monitor and control systems and provide persistence.
The final stage monitors user activity through logging keystrokes on the compromised system.
Multistage Attacks Highlight Defense in Depth While detection rates for the initial stages of the attack ranged from 5% to 45% for host-based security, network security platforms may have a hard time detecting the later stages of the attacks because the Kimsuky threat actors use encrypted traffic, legitimate cloud file-transfer services, and downloaded.
The multipronged attack highlights the benefits of having multiple layers of defenses, Kolesnikov says.
Email security gateways, for example, would likely block the LNK file because of its massive 2.2MB size, compared with typical sizes measured in kilobytes, he says.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 19 Mar 2024 00:05:28 +0000