CTI Roundup: North Korea’s Kimsuky Cyber Spies at it Again

In this week’s roundup, we analyze a joint cybersecurity advisory highlighting the use of social engineering and impersonation by state-sponsored cyber threat actors with ties to the North Korean government. Next, CTI provides an overview of a report about the split identity of a threat actor known as Asylum Ambuscade, which straddles the line between cybercrime and cyberespionage. Finally, CTI takes a deep dive into a report about the threat actors associated with Cyclops ransomware and its new information-stealing offering.

1. Washington and Seoul expose North Korea’s Kimsuky cyber spies

A June 1 joint cybersecurity advisory highlights the use of social engineering and impersonation by Kimsuky (aka TA406 and Thallium) — a state-sponsored advanced persistent threat group with ties to the Democratic People’s Republic of Korea. The report was authored by the Federal Bureau of Investigation (FBI), the U.S. Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s (ROK) National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA).

The malicious activity reportedly supports computer network exploitation (CNE), and targets individuals who work in research centers, think tanks, academic institutions, and news media organizations across the globe.

The main purpose of the joint advisory is to highlight Kimsuky’s cyberattack methodology — specifically its use of social engineering and impersonation. The agencies believe that exposing the tactics, techniques, and procedures (TTPs) of one of the DPRK’s more active and effective APTs will raise awareness about their campaigns and help potential targets employ basic cybersecurity practices.

What to know about Kimsuky

In business since 2012, Kimsuky mostly targets diplomats, nongovernmental organizations, think tanks and experts on issues related to the Korean peninsula.

From The Record:

Intelligence agencies and cybersecurity researchers say the group is controlled by North Korea’s military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council.

As the new joint advisory explains, Kimsuky plays a big role in the DPRK’s cyber program, which provides the regime with a major portion of its wide-ranging intelligence collection and enables a significant portion of the DPRK’s espionage capabilities.

The allied cybersecurity agencies responsible for co-authoring the joint advisory — and the governments they serve — assess that “the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability.”

According to the joint advisory, Kimsuky is administratively subordinate to an element within North Korea’s RGB, and its duties within that role include engaging in broad cyber campaigns supporting various RGB objectives and gathering data in support of RGB intelligence requirements (IRs) since at least 2012. All activity is performed in service of Kimsuky’s overarching primary mission: to provide stolen data and valuable geopolitical insight to the North Korean regime.

How Kimsuky uses social engineering and spear phishing

Spear phishing is the actor’s primary means of facilitating initial entry to a target network and gaining access to the victim’s resources and devices.

Kimsuky operators have spent more than a decade refining the art of creating fraudulent communications, each message specifically tailored to appeal to – and deceive – its intended target and trick them into unwittingly initiating a compromise.

From the joint advisory:

A Kimsuky spearphishing campaign begins with broad research and preparation. DPRK cyber actors often use open-source information to identify potential targets of value and then tailor their online personas to appear more realistic and appealing to their victims.

Kimsuky operators will go to significant lengths to lend authenticity to a spear-phishing attack. For example, Kimsuky actors will create email addresses intended to closely resemble email addresses belonging to the actual individuals they seek to impersonate; they will also register authentic-seeming domains whose sole purpose is to host the malicious content of a spear-phishing message. DPRK actors often use domains that, at a glance, closely resemble common internet services and media sites to more effectively deceive targets.

Other notable spear-phishing tactics

Kimsuky actors often impersonate well-known news outlets and journalists, using typo-squatted domains to send spear-phishing emails from addresses that closely resemble legitimate sources.

DPRK cyber actors commonly take on the identities of real people to gain trust and establish rapport in their digital communications. They often compromise email accounts of real people, carrying out research by investigating the legitimate communications within the compromised inbox to appear more convincing in the event the actor decides to insert themselves into an existing communication thread. Scouring the impersonation victim’s inbox also allows the actor to search for new targets, while also harvesting valuable information such as contact lists, social clubs, etc. The DPRK actor can also leverage the victim’s email signature to craft more convincing spear-phishing messages.

From the joint advisory:

“DPRK cyber actors are also known to compromise email accounts belonging to foreign policy experts and subsequently create a secondary email account, using the email account and identity of the expert to communicate with other significant targets.

Kimsuky actors also use multiple personas to engage one target, often using ancillary identities to corroborate the validity of the main impersonation. Forwarding messages from trusted sources is a similar tactic observed in use by DPRK actors.

While some initial spear-phishing emails may contain a malicious link or document (usually password-protected to evade email security measures), it is far more typical for the initial email to contain no malicious content, as its intended purpose is to establish a rapport — and more importantly, trust.

Upon successfully engaging with a target, DPRK actors proceed to compromise the account, device, or network belonging to the target by pushing malicious content — often in the form of a malicious macro embedded within a text document. According to the joint advisory, this document is either attached directly to the email, or stored in a file hosting service like Google Drive or Microsoft OneDrive. These malicious macros, when enabled, quietly establish connections with Kimsuky command-and-control (C2) infrastructure, the goal being acquiring access to the target’s device.

In some cases, Kimsuky actors develop fraudulent — although highly convincing — versions of actual websites, portals, or applications for credential harvesting.

From the joint advisory:

Compromise of a target account can lead to persistent access to a victim’s communications, often through a malware used by Kimsuky actors called BabyShark. Kimsuky actors have also been known to configure a victim’s email account to quietly auto-forward all emails to another actor-controlled email.

Threat actors often impersonate and target journalists, academic scholars, and think tank researchers with social engineering tactics. Communications originating from such impersonations are often used to solicit responses to foreign policy-related inquiries, conduct surveys, request interviews, review documents, request resumes, and offer payments for authoring research papers.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The intelligence targeted for theft and exploitation by the DPRK’s state-sponsored actors like Kimsuky vary widely from campaign to campaign. For example, according to a statement made by the South Korean ministry, Kimsuky has been, directly or indirectly, engaged in North Korea’s satellite development ‘by stealing cutting-edge technologies on weapons development, satellite and space.’”

“Per usual, North Korea dismissed the criticism from Washington and other nations regarding the launch, asserting its sovereign right to space exploration.”

“As stated above, and reiterated by The Record’s article on the subject, impersonation campaigns by groups like Kimsuky are dangerous because some targets may underestimate the threat these attacks pose, ‘either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyberespionage efforts.’”

2. Asylum Ambuscade: crimeware or cyberespionage?

A new report published to ESET’s We Live Security blog explores the somewhat split identity of a threat actor tracked as Asylum Ambuscade, which straddles the line between cybercrime – engaging in the proliferation of crimeware – and cyberespionage.

What is Asylum Ambuscade?

Asylum Ambuscade is first and foremost a cybercrime group — albeit one that engages in a significant range of cyberespionage operations “on the side.” The group has been in operation since 2020.

The group’s existence and activities were first made public in March 2022, thanks to researchers at Proofpoint describing “likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.”

The fact that this activity seemed to emerge out of the blue was not lost on Proofpoint’s researchers, who included the word “ambuscade” — or ambush — in its name.

However, there were many threat groups and offshoots popping up across the threat landscape in the years and months leading up to the outbreak of the Russia/Ukraine conflict. So, what sets this group apart?

Asylum Ambuscade is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe. The group also conducts espionage against government entities in Europe and Central Asia. And most of its implants use script languages like AutoHotkey, JavaScript, Lua, Python, and VBS.

So — forgetting for a moment that we’re talking about a cyber threat actor whose skills seem more suited to a financially-motivated cybercriminal collective — let’s examine what Asylum Ambuscade spends its off-hours engaging in: espionage.

Cyberespionage campaigns

Asylum Ambuscade has reportedly been engaging in cyberespionage campaigns since at least 2020. We Live Security’s blog post references observing previous attacks on government officials and employees of nationalized companies in Central Asia and Armenia as evidence of this fact.

Based on Proofpoint’s report, it’s clear that the group was observed targeting official personnel associated with the governments of various European countries bordering Ukraine in 2022. The goal of these campaigns was the theft of information and webmail credentials from the official webmail portals leveraged by the targeted government individuals.

The attacks which comprised these campaigns often began with spear phishing emails accompanied by weaponized Excel attachments with malicious VBA code. This code was responsible for downloading MSI packages from a remote server under the attackers’ control, and installing SunSeed, which is a downloader written in Lua.

This is not to say that the attachments lacked variations. In June, 2022 Asylum Ambuscade exploited the widely-reported Follina vulnerability (CVE-2022-30190). This was a significant departure from the usual use of malicious VBA code.

In these attack variations, if the attackers found the targeted device worth further effort, they would deploy the next stage — the installation of “AHKBOT.” A downloader written in AutoHotkey whose functionality can be expanded with the aid of various plugins, AHKBOT facilitates intelligence gathering from the compromised machine. This is just a sampling of the group’s toolset.

Cybercrime campaigns

Asylum Ambuscade has reportedly been engaging in financially motivated cybercrime campaigns since early 2020. And since January 2022 its cybercriminal operations have net a whopping 4,500 global victims. The group’s victimology is dispersed primarily across North America, but victims have also been logged in Asia, Africa, Europe, and South America.

With regards to Asylum Ambuscade’s targeting patterns, the group’s victimology is fairly diverse and includes individuals, cryptocurrency traders, and a range of small and medium businesses (SMBs) belonging to various industry verticals.

While the purpose underlying much of the threat actor’s activity and targeting is pretty obvious (for example, the group targets cryptocurrency traders with the goal of stealing cryptocurrency), some of its goals aren’t so apparent at first glance. For example, the blog post’s authors concede that little is known regarding the ways in which Asylum Ambuscade monetizes access to SMBs. However, the researchers theorize that the actor may simply sell the access to other cybercriminal organizations who then leverage the stolen access to deploy ransomware or engage in other types of extortion/data theft. The authors also note that this has not materialized in any observed telemetry.

When it comes to the attack chain leveraged by Asylum Ambuscade in support of its crimeware activities, there is significant overlap between the compromise cycle used to aid in accomplishing the group’s cyberespionage objectives. The most obvious difference is the initial access vector.

According to the report, a secondary compromise vector used by the group during cybercrime campaigns makes use of malicious Google Ads, which redirect victims to websites that deliver malicious JavaScript files.

From We Live Security:

Multiple HTTP redirections in a Traffic Direction System (TDS). The TDS used by the group is referred to as 404 TDS by Proofpoint. It is not exclusive to Asylum Ambuscade and we observed it was, for example, used by another threat actor to deliver Qbot.

The group has also been developing SunSeed equivalents using other scripting languages like Tcl and VBS as well as an AHKBOT lookalike in Node.js, which the report’s authors track as NODEBOT.

Attribution

Due to the striking similarities in nearly all aspects of the compromise chains, it’s apparent that both the cyberespionage campaigns and the cybercrime campaigns are the work of a singular group. This assertion is further reinforced by the fact that both SunSeed and AHKBOT have been widely utilized in attacks supporting both goals. The authors of the source material for this overview are doubtful that SunSeed and AHKBOT are currently being sold on the underground market.

From We Live Security:

We don’t believe that SunSeed and AHKBOT are sold on the underground market. These tools are not very sophisticated in comparison to other crimeware tools for sale, the number of victims is quite low were it a toolset shared among multiple groups, and the network infrastructure is consistent across campaigns… As such, we believe that Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side.

From here, the blog post goes into highly technical detail regarding Asylum Ambuscade’s toolset; providing analysis and insight into everything from the malicious JavaScript files deployed during most of the group’s crimeware campaigns, to the group’s custom first-stage downloaders, second-stage downloaders, and the myriad plugins which support SunSeed and AHKBOT.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Asylum Ambuscade is first and foremost a cybercriminal threat actor, as the group’s overarching motivator appears to be financial in nature.”

“With that in mind, and because it’s highly unusual to observe a cybercriminal moonlighting by running dedicated cyberespionage operations, it’s fair to say that the espionage activities attributed to this actor could quite possibly be contracted work, performed at the behest of an as-of-yet unidentified nation-state’s government or at the request of a government-backed hacking group seeking to distance itself.”

“It is not unusual for state-sponsored threat actors to “farm out” certain aspects of their work to cyber mercenaries. For example, of Iran’s APTs spring immediately to mind. However, it seems there’s more here than meets the eye. CTI will continue to monitor this ongoing story.”

3. Cyclops ransomware and stealer combo: a dual threat

A recent report by Uptycs dives into the threat actors associated with Cyclops ransomware and its new information-stealing offering.

Cyclops ransomware targets all major operating systems including Windows, Linux, and macOS. The operation now promotes a new binary designed to steal data from both Windows and Linux devices.

How researchers discovered Cyclops

Uptycs stumbled across a new ransomware-as-a-service (RaaS) provider offering ransomware services along with a separate binary for stealing purposes during a routine dark web monitoring session. The threat actor behind the RaaS promotes these offerings on various forums and requests a portion of profits made by those using its services. It also provides a separate panel distributing ransomware across three different operating systems.

Ransomware binary analysis

As noted previously, Cyclops ransomware has variants for Windows, Linux, and macOS.

Windows

Uptycs downloaded the Windows archive file from the Cyclops admin panel and discovered the existence of the builder binary along with a readme.txt file.

The threat actor privately shared a builder ID for creating a ransom payload with the name locker.exe. This payload is designed to infect both local and networked machines and its accompanying text file contains the payload’s execution instructions.

The payload will scan and identify processes running on the targeted machine and will terminate any processes that could potentially interrupt its encryption process.

The payload uses the GetLogicalDriveStrings API to retrieve system logical drive information. After obtaining the drive letters, it will enumerate the folders and drop a ransom note titled “How To Restore Your Files.txt” on the disk. It will check a files extension before encryption to see if it matches a predefined list. If it does not match, it will encrypt the file and append the .cyclops extension.

An attacker using this ransomware binary can obtain shadow copy details from a victim’s system by simply executing a SELECT*FROM Wind32_ShadowCopy query. Its output includes each shadow copy ID, creation time, volume, name, and more. The payload will then initiate the deletion of a specific shadow copy, which is identified by its ID. The deletion is done via the execution of the Windows Management Instrumentation command line (WMIC) utility.

Linux

The Linux variant is a golang-compiled file with its function names stripped to make reverse engineering more difficult.

After executing the sample, Uptycs found it to provide options to encrypt files in a specific path, virtual machines, or enable verbose output.

This variant will drop a ransom note in every folder in encrypts and will then generate a report related to found files, encrypted files, encrypted error files, time, and more.

macOS

The hash for this variant is a golang-compiled file and is in the form of a mach-O binary.

When executed, it provides options to encrypt files in a specific path, virtual machines, or enable verbose output.

The option chosen for ransom execution places the encrypted files in a designated folder along with the ransom note.

Stealer binary analysis

Uptycs is still diving into the technical details of the Cyclops stealer variants but has provided what knowledge they currently have.

Windows stealer: Uptycs downloaded the Windows stealer from the Cyclops admin panel. After extracting the downloaded archive file, researchers obtained two files: stealer.exe and config.json.

The stealer is an executable binary for x64 systems and extracts various system information from targeted machines. The stealer then reads its config.json file which contains a list of filenames with corresponding extensions and sizes.

The stealer will then enumerate directories and check for the existence of targeted files and specific file extensions. If a match is found, it will create a new password protected zip file that includes an exact copy of the file along with its folder tree structure. This data is then exfiltrated to the threat actor’s server.

Linux stealer: Similar to the Linux variant, two files were discovered from the archive file: stealer.linux and config.json.

This stealer begins by reading config.json, which again contains a filename list with corresponding extensions and sizes. Like the Windows variant, it will enumerate directories, check for the presence of targeted files and file extensions, and create a password-protected zip file for matches.

The zip files are then uploaded to api[.]bayfiles[.]com/upload and api[.]anonfiles[.]com/upload.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Cyclops is a fairly new RaaS operation that was recently documented for the first time. In addition to targeting Windows, Linux, and macOS with its ransomware, the operation has expanded to include an information stealer malware offering.”

“These offerings, paired with its complex encryption scheme, clearly indicate that the threat actor behind the operation is sophisticated. Keeping in mind that Cyclops offers all this while not having been around for very long, we can begin to understand just how quickly a no-name ransomware operation can become a prominent threat.”

---

Do you have insight these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.