Research Saturday 1.30.21
Ep 168 | 1.30.21

The Kimsuky group from North Korea expands spyware, malware and infrastructure.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Yonatan Striem-Amit: We encountered the malware during research for customer purposes, and we started to investigate what is this new malware and what is going on here?

Dave Bittner: That's Yonatan Striem-Amit. He's CTO and co-founder at Cybereason. The research we're discussing today is titled, "Back to the Future: Inside the Kimsuky KGH Spyware Suite."

Yonatan Striem-Amit: We uncovered that, A, it was part of the – likely associated with Kimsuky, so it's likely their activity, and B, represents a new technology and new block of intelligence built by the Kimsuky people.

Dave Bittner: Well, let's go through the research together, can you start off by giving us a little of the background here? What's some of the history when it comes to the Kimsuky group?

Yonatan Striem-Amit: Absolutely. Kimsuky is a fascinating group, often considered to be officially working for the North Korean government or at the very least affiliated with them. Their purpose is clearly political. They've historically been targeting mostly targets within the peninsula, talking about everything from think tanks and South Korean officials to similar groups relating to the South Korea and North Korea relationship. So, as we're tracking them over the last couple of years, we're seeing the Kimsuky group transition from what originally was a very localized focus within the peninsula, looking at political targets, whether these are human rights activists or think tanks or South Korean institutions with defense analysis and education, and we see them expanding the reach towards new targets that are serving political goals for the North Korean government – everything from global think tanks, human rights organizations, and government research institutes, journalists who've covered the area, and recently also companies working on COVID-19 and COVID-related research.

Dave Bittner: Well, one of the things that you point out here in your research is the complexity of their infrastructure. Can you give us a description – what's going on when it comes to that aspect?

Yonatan Striem-Amit: Kimsuky is adopting a relatively complex modern infrastructure, everything from creating fake websites across various entities, using compromised assets that have legitimate history, compromising them and using them as jumpboxes and command-and-control centers. Infrastructure from a code perspective, software they developed that is able to become very complex and mature spy kits, what's known in the industry as "RATs," remote access toolkits, which basically give the operators of those tools complete control of every machine they're hitting.

Yonatan Striem-Amit: So, it starts with a phishing campaign, most often delivered as a form of document, an attachment to an email talking about political changes in the area, or, you know, groups or talks in the area, or in this particular case, relationship with Japan and the Japanese Prime Minister, hoping that victims will end up executing that document and exploiting the vulnerabilities inside to then take over their machines and start collecting data from their environments. They are using infrastructure that is dedicated and has been registered as recently as early 2020, so it's a very active campaign, and using various techniques to try to hide and evade detection across the assets that they have access to.

Dave Bittner: Now, one of the things you speak of here in your research is the way that they use anti-forensics. You mentioned backdating or timestomping, is how you refer to it. Can you take us through some of that?

Yonatan Striem-Amit: Absolutely. One of the tricks they did here, which was interesting, is backdating the software or timestomping the software so it appears to have been created many years ago. 2016, 2015, in that area. The motivation for that is often to confuse researchers when they try to look at the sea of information that they have available for them and trying to tell apart the wheat from the chaff, and finding what's worthwhile. A lot of time, if something has been known and existing for a long time, it's very likely it does not exhibit new behaviors. This trick about timestomping is really their attempt to evade the researchers' attention, thinking, oh, this is old and established, we don't have a reason to read that.

Yonatan Striem-Amit: However, when you start decomposing the other assets, whether it's code or servers on the Internet or a new domain that they use for communication, you quickly realize that all of them are relatively recent – late 2019 to the past couple of months in 2020 – you realize this is just an attempt to throw people off their scent, and not the real creation date of this network.

Dave Bittner: Hmm. Now, they're using a malware suite that is called KGH. What's going on with that?

Yonatan Striem-Amit: So, I don't have any interesting insight on the name itself. The string "KGH" comes from within the malware itself. So, somebody in their build environment used the word KGH there. We do see, due to some operational mistakes from their end, that they have leaked a little bit of information on how they're doing. So, the project that was used to build this is called "KGH." We know that because the malware itself – the authors of the malware left some clues, accidentally, most likely, in the malware – shows that it was compiled within a SPY framework, and this is a KGH browser exploitation toolkit. It's a part of a known toolkit for them. The word "KGH" has been known and associated with North Korea and the Kimsuky group in the past, all the way from 2017 research by AhnLab, which is a great South Korean-centered research entity and vendor. It's very likely that they've made a similar mistake of leaking that information multiple times.

Dave Bittner: And they're making use of Word documents as well?

Yonatan Striem-Amit: Absolutely. One of the critical ways they deliver the power is by sending phishing emails to their targets. The phishing emails have subjects such as "interview with a North Korean defector." This would have a relatively high activation rate when they send it to various South Korean targets, as well as think tanks globally. If you had received an email – if the North Korean-South Korean relationship is something that you deeply care about, a think tank in the area, and you had received an email of kind of a boutique interview, you are more likely to open this. So, the psychological element of this attack is targeting with phishing content that is generated towards those targets. For example, for other targets, they use the interview with the Prime Minister of Japan as a way to encourage people to open this data.

Dave Bittner: Well, take me through the various functionalities that they're installing here, the bits of software – I mean, there's a lot of different things that are in play here.

Yonatan Striem-Amit: Absolutely. The KGH_SPY and the kits we discovered here is a previously unknown kit that gives the operator basically unfettered control of your environment. It starts with many anti-malware evasions. So, to get to execute what's known as a fileless malware, so it doesn't actually have to drop multiple items on the disk and evasively executes its code on the machine. Once it's running, it is establishing connection back to the operator on the command-and-control channels through various assets on the Internet they have already, ahead of time, taken control of, and gives the operators control of the environment. That could be things like recording audio. That could be things like stealing information from your browser, credentials, software that includes recording your keys – as you type passwords or addresses, they can steal the information – taking screenshots, installing new software, and basically really doing anything as if they were physically sitting in the computer right now on their own.

Dave Bittner: Now, another thing that you all have tracked here is a new downloader that you all have named CSPY, I believe.

Yonatan Striem-Amit: Yes. So, CSPY, again, is able to – it's part of a modular approach to malware authoring. What they send initially isn't the full malware. They only send a small beacon whose purpose, once executed, is to reach out through the Internet and download the rest. The purpose of this has always been about smaller delivery and evasion. If this data is not executed, nothing is lost for them. But once it's executed, it starts the cascading effect of downloading more and more content from the Internet in order to give the operators of this malware more control. This is a common technique by malware authors, but shows a level of sophistication in building new detection capabilities and new deployment capabilities for them. It's kind of the way in which – you can equate that to a software vendor writing for you a very small installer as a beacon, which then goes back and understands and downloads the rest of the payload.

Dave Bittner: And CSPY itself has some anti-analysis techniques built into it.

Yonatan Striem-Amit: CSPY itself has a few built-in evasion techniques, indeed. It starts by actually using a signed certificate. This appears to be signed software. Signatures are used a lot of the time in the industry to verify the authenticity of software. However, in this particular case, the certificate they use is by, of course, a different company called EGIS, which of course did not have anything to do with the malware itself – it was simply stolen from them and then used to sign the malware and execute it. The certificate itself has been revoked, which means it is known globally that this is stolen and should no longer be trusted. However, many systems are not able to correctly qualify and classify stolen signatures as being fake. And that's one of the evasion techniques it's using.

Yonatan Striem-Amit: The second is about the usual packing, hiding of data, checking whether it's running on a virtual machine to thwart analysis, checking whether the memory looks as though it's running within a testing environment used by researchers. The content of the malware itself is encrypted, so the software, the CSPY software itself, decrypts itself as it's executing, so that cursory look, by anybody but a very experienced reverse engineer, is unable to find all of this and any trace of this as being malicious. All of these tricks are targeted towards both automated analysis, thwarting automated analysis, but also making it very difficult for researchers to take them down or to really understand what's going on there.

Dave Bittner: So, what are the take-homes for you? What are the things of note that people need to be aware of when it comes to Kimsuky?

Yonatan Striem-Amit: We're saying Kimsuky is a very active group currently working really towards political agendas within the – for the North Korean government. The operations that they execute are meant to further what is right on top of mind for the political leadership in the area. Unlike other North Korean groups who often dabble with financial-related activities in order to fund some operation, Kimsuky is purely – looks to be purely an intelligence operation. And as such, they are very capable. They're increasing their sophistication, their abilities. They're overly – they are still relying on the tried-and-true methods of entering through phishing and entering through user mistakes to get access for it. And therefore, the first thing, of course, is to remember the basic IT hygiene and training around what you open and kind of not falling prey into all of those traps.

Yonatan Striem-Amit: The other, of course, is adopting modern endpoint prevention, endpoint security able to find, detect, and break the Kimsuky attack tools. And be vigilant.

Dave Bittner: Our thanks to Yonatan Striem-Amit for joining us. The research is titled, "Back to the Future: Inside the Kimsuky KGH Spyware Suite." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.