Kimsuky APT Uses New Malware Implant

Delaware, USA – March 4, 2020 – The North Korean APT group is conducting a cyber-espionage campaign using new malware implants, updated after their recent public analysis. Kimsuky APT has been active since at least September 2013, targeting South Korean think tanks as well as DPRK/nuclear-related targets. Cybaze-Yoroi ZLab analyzed a sample discovered on February 28 and compared the tools used in the ongoing campaign with the dropper described in recent research by the ESTsecurity firm.

“Unlike other APT groups using long and complex infection chains, the Kimsuky group leverages a shorter attack chain, but at the same time, we believe it is very effective in achieving a low detection rate. The infection starts with a classic executable file with the ‘scr’ extension, an extension used by Windows to identify Screensaver artifacts. Some information about the sample is reported in the following table,” researchers said. “Upon execution, the malware writes a file named ‘.tmp.db’ inside the ‘%AppData%\Local\Temp’ path through the usage of the Microsoft utility ‘regsvr32.exe’. Despite the ‘.db’ extension, the written file is actually a well-formed DLL that acts as the second stage of the malware infection.” The dropper also creates a legitimate document in the Temp folder and a BAT file that deletes traces of the infection process. Every 15 minutes, the malware reaches out to the command-and-control server and sends information about the infected system. Rules to detect the Kimsuky implant are available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1Jjvdmy4le2o/
You can also explore the MITRE ATT&CK section to learn more about the techniques used by the group and find relevant content to detect them: https://tdm.socprime.com/att-ck/
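As an added example (not part of the report above and not the researchers' tooling), the following Python hunt runs over constructed Sysmon-style events and flags the behaviour the report describes: regsvr32.exe loading a ".db" file from the user Temp folder, a ".scr" parent process, and a network beacon repeating roughly every 15 minutes. All paths, PIDs and timestamps are constructed placeholders, not indicators from the page.

```python
import re
from datetime import datetime, timedelta
from statistics import mean

# Constructed Sysmon-style events (placeholders, not real telemetry):
# id 1 = process creation, id 3 = network connection; fields are a subset of Sysmon's.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Users\u\Downloads\report.scr",
     "cmd": r'regsvr32.exe /s "C:\Users\u\AppData\Local\Temp\.tmp.db"', "pid": 4242},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"', "pid": 4300},
] + [
    {"id": 3, "pid": 4242, "time": datetime(2020, 2, 28, 9, 0) + timedelta(minutes=15 * i)}
    for i in range(4)
]

# A ".db" file under the user's Temp folder is not a normal regsvr32 argument.
TEMP_DB = re.compile(r"\\AppData\\Local\\Temp\\[^\"']*\.db\b", re.IGNORECASE)

def suspicious_regsvr32(ev):
    """Flag regsvr32 registering a non-.dll file from the user Temp folder;
    a screensaver (.scr) parent is recorded as a secondary indicator."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("regsvr32.exe"):
        return None
    if not TEMP_DB.search(ev["cmd"]):
        return None
    return {"pid": ev["pid"], "scr_parent": ev["parent"].lower().endswith(".scr")}

def beacon_interval(events, pid, expected=900, tolerance=60):
    """Return the mean gap in seconds between network events of pid when every gap
    lies within tolerance of the expected period (900 s = 15 min), else None."""
    times = sorted(e["time"] for e in events if e["id"] == 3 and e["pid"] == pid)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if all(abs(g - expected) <= tolerance for g in gaps):
        return mean(gaps)
    return None

def hunt(events):
    """Correlate the regsvr32 indicator with the periodic beacon of the same PID."""
    hits = []
    for ev in events:
        h = suspicious_regsvr32(ev)
        if h:
            h["beacon_s"] = beacon_interval(events, h["pid"])
            hits.append(h)
    return hits

if __name__ == "__main__":
    print(hunt(EVENTS))
```

The benign regsvr32 event (a vendor .dll under Program Files) is not flagged, so the rule keys on the Temp-path ".db" argument rather than on regsvr32 itself.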