The most recent hacking campaign by North Korean APT Kimsuky was launched in late January 2022 and is still ongoing. This time, Kimsuky hackers are armed with commodity open-source remote access tools (RATs) installed with the tailored malware Gold Dragon.
To identify whether your system has been compromised with the Gold Dragon malware, use the following rules provided by our skilled Threat Bounty developers Furkan Celik and Osman Demir:
Quasar Gold Dragon Detection (February) (via registry event)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Apache Kafka ksqlDB, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Persistence tactic with Boot or Logon Autostart Execution as the main technique (T1547).
Suspicious Threat Actor Activity By Targeting Companies Specializing in Carbon Emissions (via process_creation)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Apache Kafka ksqlDB, AWS OpenSearch, Securonix, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution and Defense Evasion tactics with Command and Scripting Interpreter (T1059) and Signed Binary Proxy Execution (T1218) as the main techniques.
The full list of detections associated with the Kimsuky APT in the Threat Detection Marketplace repository of the SOC Prime’s platform is available here.
SOC Prime urges security professionals to unite against Russia-backed cyber-attacks that accompany military aggression against Ukraine. SOC Prime’s Quick Hunt module lets teams efficiently navigate an extensive collection of threat hunting content associated with Russian aggression using the following tags: #stopwar, #stoprussian, and #stoprussianagression. The dedicated threat hunting queries are available for FREE via the link below, enabling teams to instantly search for relevant threats:
Full collection of hunting content to detect Russia-originated threats
Eager to connect with the industry leaders and develop your own content? Join SOC Prime’s crowdsourced initiative as a content contributor and share your own Sigma and YARA rules with the global cybersecurity community while strengthening collaborative cyber defense worldwide.
Kimsuky, aka TA406, is a North Korean-linked APT group active since 2013. The most recent campaign that started in late January is characterized by hackers using commodity RATs in targeted attacks against South Korean organizations. Utilizing commodity RATs allows threat actors to concentrate their efforts on generating later-stage malware that requires more specific functionality based on the protection tools and procedures available on the infected machine. In the latest attacks, hackers distributed an additional file (“UnInstall_kr5829.co.in.exe”) with xRAT to delete their traces in the compromised system.
According to ASEC’s researchers, Kimsuky used a variant of their custom backdoor Gold Dragon. It is a second-stage backdoor installed through an exclusive installer (“installer_sk5621.com.co.exe”). The installer then creates a new registry entry to ensure the persistence of the malware payload (“glu32.dll”). Analysis of the Gold Dragon backdoor shows that hackers use it to download an xRAT tool to manually steal data from the infected machine.
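A minimal hunt for the artifacts described above, run over Sysmon-style JSON log lines. This is an added example, not one of the SOC Prime rules and not code from the original article. The file names come from the text; the Run/RunOnce registry path is an assumption (the article does not name the key), and the sample events are constructed.

```python
import json
import ntpath

# File names quoted in the article.
HELPER_NAMES = {"installer_sk5621.com.co.exe", "uninstall_kr5829.co.in.exe"}
PAYLOAD_NAME = "glu32.dll"
# Assumption: the article does not name the registry key, so the standard
# Run/RunOnce autostart path (ATT&CK T1547) is used as the match.
AUTOSTART_PATH = r"\software\microsoft\windows\currentversion\run"

# Constructed Sysmon-style events (JSON lines); users, paths and value names are made up.
SAMPLE_LINES = [
    r'{"EventID": 1, "Image": "C:\\Windows\\explorer.exe"}',
    r'{"EventID": 1, "Image": "C:\\Users\\a\\Downloads\\installer_sk5621.com.co.exe"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\example", "Details": "C:\\Users\\a\\AppData\\Roaming\\glu32.dll"}',
    r'{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Program Files\\App\\update.exe"}',
    r'{"EventID": 1, "Image": "C:\\Users\\a\\AppData\\Local\\Temp\\UnInstall_kr5829.co.in.exe"}',
]

def classify(event):
    """Return a finding string for one event, or None when nothing matches."""
    event_id = event.get("EventID")
    if event_id == 1:  # Sysmon process creation
        name = ntpath.basename(event.get("Image", "")).lower()
        if name in HELPER_NAMES:
            return f"process: {name}"
    elif event_id == 13:  # Sysmon registry value set
        key = event.get("TargetObject", "").lower()
        data = event.get("Details", "").lower()
        if AUTOSTART_PATH in key and PAYLOAD_NAME in data:
            return f"autostart: {event['TargetObject']}"
    return None

def hunt(lines):
    """Return (line_number, finding) for every matching JSON log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        finding = classify(event)
        if finding:
            findings.append((number, finding))
    return findings

if __name__ == "__main__":
    for number, finding in hunt(SAMPLE_LINES):
        print(number, finding)
```

Exact file-name matches are brittle because the names can change between campaigns; the autostart check on the payload name is the more durable of the two signals.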
Drastic times call for drastic measures! Join forces with SOC Prime’s Detection as Code platform to enhance your threat detection capabilities with the power of a global community of cybersecurity experts. You can also enrich the collaborative expertise by contributing to SOC Prime’s crowdsourcing initiative. Write and submit your Sigma and YARA rules, get them published to a platform, and receive recurring rewards for your input.