Kimsuky's APT Tactics Continue To Increase With More Targets, Entities In The Asia Pacific Must Be More Alert
JAKARTA - It has been almost 10 years since Kaspersky experts uncovered an active cyber espionage campaign specifically targeting South Korean think tanks. The group, dubbed "Kimsuky", continues to show prolific updates to its tooling and tactics as it targets North Korea-related entities.
A senior Kaspersky expert has revealed further findings, including the possibility that this Advanced Persistent Threat (APT) actor is expanding its operations with its ample capabilities.
Seongsu Park, Lead Security Researcher for the Global Research and Analysis Team (GReAT) at Kaspersky, found that the well-known group continuously configures multi-stage command and control (C2) servers using various commercial hosting services located around the world.
Command and control (C2) servers are servers that help threat actors control their malware and send malicious commands to the systems they have compromised, deploy spyware, deliver payloads, and more.
Park said there were fewer than 100 C2 servers in 2019, and by July this year Kimsuky had 603 malicious command centers, with more attacks likely reaching beyond the Korean peninsula.
"History shows that government agencies, diplomatic entities, media, and even cryptocurrency businesses in Asia Pacific should be aware of this hidden threat," Park said.
The skyrocketing number of C2 servers is part of Kimsuky's ongoing operations in Asia Pacific and its surroundings. In early 2022, Kaspersky's team of experts observed another wave of attacks targeting journalists and diplomatic and academic entities in South Korea.
The attack was dubbed the "GoldDragon" cluster. The threat actor started the infection chain by sending a spearphishing email containing a macro-embedded Word document.
With further analysis, Park found a server-side script linked to the GoldDragon cluster, which allowed the experts to map out the group's C2 operations.
Another important technique used by Kimsuky is a client verification process on the C2 side, used to confirm that a connecting host is one of the victims the group actually wants to target.
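The macro-embedded Word document described above is the first link in the GoldDragon infection chain, so a defender's first cheap control is to flag inbound Office attachments that carry a VBA project before a user is asked to enable macros. The following is an added example, not code from Kaspersky or from the article; it inspects an OOXML (.docx/.docm) package for the two signals that mark a macro-enabled document, the word/vbaProject.bin part and the macroEnabled content type in [Content_Types].xml. The build_sample helper constructs minimal packages in memory purely for the demo; they are not real documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types Office assigns to macro-enabled Word documents and templates (OOXML).
MACRO_ENABLED_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
}
# Part that holds the compiled VBA project inside an OOXML Word package.
VBA_PART = "word/vbaProject.bin"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def has_macros(doc_bytes: bytes) -> bool:
    """Return True if an OOXML Word package carries a VBA project.

    Two independent signals are checked so that editing the content-types
    manifest alone, or moving the VBA part, does not hide the macro.
    Legacy OLE .doc files are not zip packages and are out of scope here.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = set(zf.namelist())
            # Signal 1: a VBA project part anywhere in the package.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Signal 2: the main document part is declared macro-enabled.
            if "[Content_Types].xml" in names:
                root = ET.fromstring(zf.read("[Content_Types].xml"))
                for override in root.iter(CT_NS + "Override"):
                    if override.get("ContentType") in MACRO_ENABLED_TYPES:
                        return True
    except (zipfile.BadZipFile, ET.ParseError):
        return False  # not a parseable OOXML package
    return False


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for the demo (constructed, not a real file)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if macro:
        overrides.append(
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 placeholder VBA storage")  # constructed bytes
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined for review."""
    return [name for name, data in attachments.items() if has_macros(data)]


if __name__ == "__main__":
    # Constructed mailbox sample: one benign .docx and one macro-enabled .docm.
    mailbox = {"agenda.docx": build_sample(False), "invitation.docm": build_sample(True)}
    print("flagged:", triage(mailbox))  # flagged: ['invitation.docm']
```

In production this check belongs at the mail gateway or in the attachment sandbox, and for legacy .doc files (OLE containers) the established olevba tool from the oletools project covers both formats; the point here is that the presence of a VBA project is detectable before any macro runs, which is exactly the stage at which the GoldDragon chain can be cut.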
"We have seen that the Kimsuky group continues to develop a malware infection scheme and adopt new techniques to hinder analysis. The difficulty in tracking this group is the difficulty of getting the full chain of infection," Park added.
As the research shows, the threat actor has recently adopted a victim verification methodology on its command and control servers. Despite the difficulty of obtaining server-side objects, Park believes that analyzing the attacker's servers and malware from the victim's side makes it possible to fully understand how the threat actor operates its infrastructure and the types of techniques it uses.