The ‘GoldDragon’ Cluster
Last month, cybersecurity firm Volexity tied state-sponsored threat actor Kimsuky to an intelligence gathering operation where Gmail and AOL email content was siphoned via a malicious Chrome browser extension called “Sharpext.” According to security researchers at Kaspersky, a new GoldDragon campaign uses a list of targets to deploy malware that records user keystrokes, stored user login credentials, and more. Based on victim server-side email address traces, Kaspersky’s team has confirmed that Kimsuky is behind the campaign. The new campaign includes email spear-phishing messages that contain malicious Microsoft Word documents featuring content related to geopolitical tension in the Korean region that will be of interest to targets. The malicious emails often masquerade as legitimate honorarium requests, supplemented with resumes of high-profile individuals. In one example, an email included content about the 2022 “Asian Leadership Conference” to lure select targets to download attachments. If a victim is not of interest to the attacker, the email address is not logged once a victim clicks it. Instead, clicking the link opens a harmless document. For those of interest, information about a victim’s IP address, web browser data, and system hardware is forwarded to cybercriminal servers located on commercial hosting services around the world in what researchers dubbed a highly selective “victim verification methodology.” Following this, the victim’s machine is compromised. Researchers showed a list of victims in the analysis including a South Korean university professor, the Director General of a South Korean government organization, several think-tank researchers, and possibly a former Korean Ambassador to the United Nations.
‘Occasional’ Decoy Tactics, Visual Basic Script Pattern
Researchers came across several alternate pathways to the attacks. For instance, the actor hid malware in attached HTML Application (.hta) and help (.chm) files. On occasion, the “Hangeul” decoy document was sent out to victims’ email addresses. The actor’s signature style, however, is to insert a Visual Basic Script (.vbs) in a phishing email via a remote C2 (command-and-control) server to mark and infect victim machines. Following that, additional malware payloads could be injected, including an executable (.exe) that exfiltrates any chosen information.
Kimsuky, Operational Since 2012
Kimsuky — also known as Thallium, Black Banshee, and Velvet Chollima — is classified as a major league Advanced Persistent Threat (APT) that has been operational since 2012. This APT is “one of the most prolific and active threat actors on the Korean Peninsula,” operating in several clusters including GoldDragon, researchers said. The actor is also known for high-profile hits on industry and energy. In June 2021, the actor breached the internal network of the South Korean Atomic Energy Institute (KAERI). Kimsuky utilizes sophisticated tactics such as spear-phishing and watering hole attacks on targets, constantly tuning and updating its cyberattack arsenal. Historically, the actor has preferred diplomats, journalists, politicians, professors, and North Korean defectors as its primary targets. Tracking Kimsuky is a difficult task because researchers need a full attack chain to produce a result. “The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis,” Kaspersky’s Seongsu Park said.
