Kimsuky’s New Malware Attack Strategy: Cyber Threat Intelligence Roundup

In this week’s report, we cover the latest campaign from state-backed North Korean threat actor Kimsuky, that ensures its payload is only downloaded by intended victims. The targeted nature of this activity is a shift in tactics for this opportunistic threat actor, which also goes to great lengths to hinder the reverse engineering of its campaigns.

Next up is a summary of a China-backed cyberespionage campaign aimed at delivering the ScanBox exploitation framework. The TA423-operated campaign has primarily targeted Australian government agencies and news media companies.

Finally, we take a first look at the dangerous new Agenda ransomware — a strain written in the Go programming language and has been observed delivering customized variants, custom-tailored for each intended victim.

1. How Kimsuky hackers ensure their malware attacks only reach valid targets

North Korea’s Kimsuky threat actor is now taking steps to ensure its malicious payloads are only downloaded by valid targets, rather than winding up on the systems of security researchers.

Kimsuky is a North Korean-based cyberespionage group that has been active since at least 2012. The group has historically focused on targeting South Korean government entities and think tanks and has since expanded its operations to include attacks on organizations located in the U.S., Russia, Europe, and U.N. member states.

To date, Kimsuky has primarily focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.

• In Kimsuky’s new campaign, which Kaspersky has dubbed GoldDragon, the infection chain begins with a spear-phishing email containing a macro-embedded Word document.
• Part of the campaign’s attack chain is a verification step, the results of which determine whether or not the user receives a malicious document.
• The malicious documents delivered to the victim contain a macro to fetch the next stage of the payload. The macro, although simple, spawns several child Windows command shells with the intent to evade behavior-based analysis. The macro eventually executes a payload that is designed to execute a Microsoft HTML application.

Kaspersky believes the targets of this campaign are people or entities related to politics and diplomatic activities, which aligns with historic Kimsuky targets.

How ‘Kimsuky’ hackers ensure their malware only reach valid targets – @billtoulashttps://t.co/hvlffA6Ur4

— BleepingComputer (@BleepinComputer) August 25, 2022

Kimsuky’s new safeguards

Kimsuky has implemented new safeguards to ensure the operations malicious payloads are only downloaded by valid targets. These new safeguards are so effective that Kaspersky reported an inability to acquire the final payloads, even after connecting to Kimsuky’s command and control (C2) server.

The campaign’s spear-phishing emails contain a link that takes the victim to a first-stage C2 server which checks the compromised host against a list of valid targets and verifies the existence of several conditions that must be met before the malicious document is delivered.

If the victim does not match the list of targets, they are served an innocuous document. Oddly enough, both the malicious and benign documents are delivered to the user via the same script. The document dropped by the first stage C2 contains a malicious macro that connects the victim to the second stage C2, fetches the next stage payload, and runs it with the mshta.exe process.
One of the C2 scripts generates a unique blog address based on the victim’s IP address by cutting off the last 20 characters of the address’ hashed value. Researchers believe the intent here is to operate a dedicated fake blog for each victim to lend an appearance of legitimacy to the scam and decrease the likelihood of detection.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Kimsuky is a very sophisticated threat actor that has recently made headlines for using Google Chrome extensions to steal emails belonging to persons of interest. Verifying every single individual that clicks on the malicious link is a defensive task requiring a serious level of commitment and resources and demonstrates the increasing degree of maturity Kimsuky and sheds light on its ultimate goal — to perform highly targeted cyberespionage activity. The opportunistic group will clearly go to great ends to hinder any potential reverse-engineering.”

2. Chinese hackers target the Australian government with ScanBox malware

Proofpoint and PwC have jointly identified a cyberespionage campaign delivering the ScanBox exploitation framework. The report dives into the watering hole attack, which is believed to be carried out by TA423.

TA423, also known as Red Ladon and APT40, is a China-based cyberespionage threat actor that is believed to have been active since 2013. The group has targeted a variety of organizations over the years in response to geopolitical events in the Asia-Pacific region, with a focus on the South China Sea.

Previously targeted organizations included defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.

TA423 has repeatedly caught the eye of international law enforcement; the U.S. Department of Justice indicted several members of the group just last year.

TA423’s recent campaign

TA423’s recent campaign began in April 2022 and involved the deployment of phishing emails that redirected victims to a malicious website delivering the ScanBox malware payload to its victims.

The campaign primarily targeted local and federal Australian government agencies, Australian news media companies, and global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea.

The ScanBox-related phishing emails originated from Gmail and Outlook email addresses that Proofpoint believes were created by the threat actor itself. The emails claim to be from someone starting a news website looking for user feedback on their site and contain a link to the malicious site. The malicious URL appears to be customized for each target, but all redirect to the same page to deliver the same ScanBox payload.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“It’s no great surprise that China-based actors continue to target organizations whose activities align with state interests. TA423’s recent activity is a reminder that regardless of the best efforts of U.S. law enforcement, such actions are more often than not an attempt to appease the public and promote the idea that America’s reach is long when it comes to prosecuting international hackers. China’s state-backed threat actors know very well that they are difficult to track and even more difficult to prosecute. Not even a public indictment by the U.S. Department of Justice could stop this group from carrying out its intended espionage mission. The only upside is the insight into the methodology employed by such groups that these indictments often provide.”

“This activity may also highlight a return to the basics for TA423. Its last documented use of ScanBox was during a 2018 campaign after which the threat actor pivoted to RTF template injection and malicious macros. Could ScanBox be experiencing a resurgence among China’s state-backed actors? Time will tell.”

3. New Agenda ransomware customized for each victim

Recent Trend Micro reporting reveals a new piece of targeted ransomware written in the Go programming language.
As evidenced by its ransom notes, the ransomware is called Agenda and is believed to target enterprises in Asia and Africa. Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes in which it is able to run.

Trend Micro collected and analyzed several samples, all of which were 64-bit Windows PE files written in Go and aimed at Windows-based systems. The group distributing the malware was observed targeting healthcare and education organizations in Indonesia, Saudi Arabia, South Africa, and Thailand.

Each ransomware sample was customized for the intended victim, including details such as company ID, RSA Key, processes, and services to kill before encryption, and the ransom amount. Researchers believe the Agenda ransomware group offers affiliates options to customize configurable binary payloads for each victim.

Agenda’s kill chain

Trend Micro dug into a particular incident involving Agenda ransomware and discovered the threat actor behind it using a public-facing Citrix server as a point of entry.

It is believed that the threat actor leveraged a valid account to access the server and later move inside the victim’s network as the ransomware was configured with valid and privileged accounts.

Researchers note that it was less than two days between accessing the Citrix server and the ransomware infection. The threat actor dropped and leveraged scanning tools, such as Nmap and Nping, to scan the network on the first day, and then created a group policy object (GPO) before deploying the ransomware.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Agenda ransomware has proven to be highly customizable and falls right in line with many other ransomware operations that are both increasing their cross-platform compatibility and continuing to evolve their techniques to remain successful and attractive to potential affiliates. Agenda’s ability to take advantage of the safe mode feature of a device allows it to proceed with its encryption routine virtually unnoticed. Agenda is yet another example of the ever-lowering barrier to entry for threat actors looking to engage in ransomware attacks – regardless of sophistication.”

---

Do you have updates or insights to share about this week’s stories? Start a conversation by visiting our discussion forum.
For further reading, catch up on our recent cyber threat intelligence roundups.