<!doctype html><!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en" > <![endif]--><!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang="en" > <![endif]--><!--[if IE 8]> <html class="no-js lt-ie9" lang="en" > <![endif]--><!--[if gt IE 8]><!--><html class="no-js" lang="en"><!--<![endif]--><head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <meta name="author" content="Cybereason Nocturnus"> <meta name="description" content="The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure."> <meta name="generator" content="HubSpot"> <title>Back to the Future: Inside the Kimsuky KGH Spyware Suite</title> <link rel="shortcut icon" href="https://www.cybereason.com/hubfs/cr-favicon-1.png"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta property="og:description" content="The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure."> <meta property="og:title" content="Back to the Future: Inside the Kimsuky KGH Spyware Suite"> <meta name="twitter:description" content="The Cybereason Nocturnus Team has been tracking a North Korean cyber espionage group known as Kimsuky and has identified a new spyware suite along with new attack infrastructure."> <meta name="twitter:title" content="Back to the Future: Inside the Kimsuky KGH Spyware Suite"> <style> a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 
10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px} </style> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386203/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443237/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042214535/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/1669911113479/module_86933076631_CR_-_Sticky_CTA_Bar.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hubfs/hub_generated/module_assets/1/34473990280/1737144821509/module_CR_-_Footer_Full__en_US.min.css"> <!-- Added by GoogleTagManager integration --> <script> var _hsp = window._hsp = window._hsp || []; window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} var useGoogleConsentModeV2 = true; var waitForUpdateMillis = 1000; var hsLoadGtm = function loadGtm() { if(window._hsGtmLoadOnce) { return; } if (useGoogleConsentModeV2) { gtag('set','developer_id.dZTQ1Zm',true); gtag('consent', 'default', { 'ad_storage': 'denied', 'analytics_storage': 'denied', 'ad_user_data': 'denied', 'ad_personalization': 'denied', 'wait_for_update': waitForUpdateMillis }); _hsp.push(['useGoogleConsentModeV2']) } 
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-TJVVB7C'); window._hsGtmLoadOnce = true; }; _hsp.push(['addPrivacyConsentListener', function(consent){ if(consent.allowed || (consent.categories && consent.categories.analytics)){ hsLoadGtm(); } }]); </script> <!-- /Added by GoogleTagManager integration --> <script src="https://use.typekit.net/vyv2ljd.js"></script> <script>try{Typekit.load({ async: false });}catch(e){}</script> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script> <link rel="preload" href="/hubfs/__dam/fonts/ionicons.eot" as="font" type="font/otf" crossorigin> <link rel="preload" href="/hubfs/dam/fonts/criteria/Criteria-CF-Regular.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/hubfs/dam/fonts/criteria/Criteria-CF-Medium.woff2" as="font" type="font/woff2" crossorigin> <link rel="preload" href="/hubfs/dam/fonts/peristyle/Peristyle-Black.woff2" as="font" type="font/woff2" crossorigin> <link rel="amphtml" href="https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite?hs_amp=true"> <meta property="og:image" content="https://www.cybereason.com/hubfs/_Kimsuky%20KGH%20Spyware%20Suite%20-%20image.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="630"> <meta name="twitter:image" content="https://www.cybereason.com/hubfs/_Kimsuky%20KGH%20Spyware%20Suite%20-%20image.png"> <meta property="og:url" content="https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:creator" content="@cr_nocturnus"> <link rel="canonical" 
href="https://www.cybereason.com/blog/research/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"> <meta property="og:type" content="article"> <link rel="alternate" type="application/rss+xml" href="https://www.cybereason.com/blog/rss.xml"> <meta name="twitter:domain" content="www.cybereason.com"> <script src="//platform.linkedin.com/in.js" type="text/javascript"> lang: en_US </script> <meta http-equiv="content-language" content="en"> <link rel="stylesheet" href="//7052064.fs1.hubspotusercontent-na1.net/hubfs/7052064/hub_generated/template_assets/DEFAULT_ASSET/1738858830054/template_layout.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470223313/1696396395659/__CR_Web_Platform/CSS/cr-master__cta.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hubfs/hub_generated/template_assets/1/34470477360/1736810313166/template_cr-master__main.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/35275979682/1642096258129/__CR_Web_Platform/CSS/ionicons.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42760289143/1724041950600/__CR_Web_Platform/CSS/cr-mln__build.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/34470224480/1635957556830/__CR_Web_Platform/CSS/bulma/cr-framework__bulma-columns.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/35291999472/1696396871390/__CR_Web_Platform/CSS/bulma/cr-framework__bulma.min.css"> <link rel="stylesheet" href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42363645447/1635957556555/__CR_Web_Platform/CSS/hamburger-animation.min.css"> <link rel="stylesheet" 
href="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507091846/1635957557027/__CR_Web_Platform/CSS/animate.min.css"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Inter:wght@100;200;300;400;500;600;700;800;900&display=swap" rel="stylesheet"> <script src="/hubfs/dam/plugins/marker-animation.js"></script> <script> $(document).ready(function() { $('.highlight').markerAnimation({ "color":'var(--cr-yellow)', "font_weight":'normal', "background-size": '200% 1.2em' }); }); </script> <style> .cr-mln__blog-post .container-is-blog.cr-mln__blog-post--body .column:nth-of-type(2) img { background: #FFFFFF; border: 1px solid #CCCCCC; border-radius: 5px 5px 5px 5px; padding: 10px; } </style> </head> <body class=" hs-content-id-36859260903 hs-blog-post hs-blog-id-5272851739" style=""> <!-- Added by GoogleTagManager integration --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TJVVB7C" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- /Added by GoogleTagManager integration --> <div class="header-container-wrapper"> <div class="header-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1615433790649568" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><section id="cr-malicious-life-network__tier-one-header" class="position-flex"> <div class="#"> <div id="logo"><a href="https://www.cybereason.com"><img 
src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-black.png"></a></div> <div id="back-to"> <a href="https://www.cybereason.com">Back to <span>Cybereason.com</span></a> </div> <!-- Hamburger Menu --> <button class="hamburger hamburger--collapse" type="button"> <span class="hamburger-box"> <span class="hamburger-inner"></span> </span> </button> <div class="cr-mln__hamburger-menu--overlay"> <ul> <li><a href="https://www.cybereason.com/blog/all"><span class="underline">All Posts</span></a></li> <li><a href="/blog/category/research"><span class="underline">Research</span></a></li> <li><a href="/blog/category/podcasts"><span class="underline">Podcasts</span></a></li> <li><a href="/blog/category/webinars"><span class="underline">Webinars</span></a></li> <li><a href="/blog/category/resources"><span class="underline">Resources</span></a></li> <li><a href="/blog/category/videos"><span class="underline">Videos</span></a></li> <li><a href="/blog/category/news"><span class="underline">News</span></a></li> </ul> <div class="subscribe"> <a href="#blog-subscribe">Subscribe</a> </div> </div> <!-- --> </div> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-2 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget mln-homepage" style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_1615433785464566" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><section class="cr-malicious-life-network__hero-main base"> <div class="container-is-blog columns hero-content page-center"> <div class="column is-5-fullhd is-5-desktop is-12-touch"> <a href="/blog"><img class="cr-mln-logo" src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-malicious-life-logo-v2.png"></a> 
</div> <div class="column is-7-fullhd is-7-desktop is-hidden-mobile is-hidden-tablet-only"> <div class="cr-mln__search-subscribe"> <div class="cr-mln__search"> <a href="#cr-search-modal" class="search-btn"><img src="https://www.cybereason.com/hubfs/dam/images/images-web/blog-images/template-images/cr-blog-icon--search-dark-gray.png" alt="Search"></a> </div> <div class="cr-mln__subscribe"> <a class="btn-subscribe" href="#blog-subscribe">Subscribe</a> </div> </div> <div class="cr-mln__category-nav"> <ul> <li><a href="/blog/category/all"><span class="underline">All</span></a></li> <li><a href="/blog/category/research"><span class="underline">Research</span></a></li> <li><a href="/blog/category/podcasts"><span class="underline">Podcasts</span></a></li> <li><a href="/blog/category/webinars"><span class="underline">Webinars</span></a></li> <li><a href="/blog/category/resources"><span class="underline">Resources</span></a></li> <li><a href="/blog/category/videos"><span class="underline">Videos</span></a></li> <li><a href="/blog/category/news"><span class="underline">News</span></a></li> </ul> </div> </div> </div> <!-- MOBILE Search and Subscribe --> <div class="container-is-blog columns is-gapless is-hidden-desktop cr-mln__search-subscribe--mobile"> <div class="column"> <a class="search-btn">Search</a> </div> <div class="column"> <a class="#" href="#blog-subscribe">Subscribe</a> </div> </div> <!-- END MOBILE Search and Subscribe --> <!-- SEARCH Modal Wrap --> <div id="cr-search-modal"> <!--THIS IS IMPORTANT! 
to close the modal, the class name has to match the name given on the ID --> <div id="btn-close-modal" class="close-cr-search-modal"> X </div> <div class="modal-content"> <div class="container columns"> <div class="column"> <div class="cr-search-modal__search-bar"> <h3>Search</h3> <form action="/hs-search-results"> <input type="search" class="hs-search-field__input" name="term" autocomplete="on" placeholder="Search..."> <input type="hidden" name="type" value="BLOG_POST"> <input type="hidden" name="type" value="LISTING_PAGE"> <button type="submit" class="arrow"></button> </form> </div> </div> </div> </div> </div> <!-- END Search Modal Wrap --> </section></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end header --> </div><!--end header wrapper --> <div class="body-container-wrapper"> <div class="body-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-blog_content " style="" data-widget-type="blog_content" data-x="0" data-w="12"> <div class="cr-mln__blog-post"> <div class="container-is-blog columns is-multiline page-center"> <div class="column is-8-fullhd is-8-desktop is-offset-2-fullhd is-offset-2-desktop is-10-tablet is-offset-1-tablet"> <div class="featured-image"><img src="https://www.cybereason.com/hubfs/_Kimsuky%20KGH%20Spyware%20Suite%20-%20image.png" alt=""></div> <h1><span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">Back to the Future: Inside the Kimsuky KGH Spyware Suite</span></h1> <div class="cr-mln__post-author-share"> <div id="hubspot-author_data" class="hubspot-editable cr-mln__post-meta" data-hubspot-form-id="author_data" data-hubspot-name="Blog Author"> <span class="descriptor">Written By</span> <p><span class="author">Cybereason Nocturnus</span></p> </div> </div> </div> <!-- 
Sticky Author and Social Box --> <!-- END Sticky Author and Social Box --> <div class="container-is-blog columns is-multiline page-center cr-mln__blog-post--body"> <div class="column is-7-fullhd is-7-desktop is-10-tablet is-10-mobile is-offset-1-fullhd is-offset-1-desktop is-offset-1-tablet is-offset-1-mobile"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><strong>Research by:</strong> Assaf Dahan, Lior Rochberger, Daniel Frank and Tom Fakterman</p> <!--more--> <p>The <a href="/company/nocturnus" rel="noopener" target="_blank"><span>Cybereason Nocturnus Team</span></a> has been tracking various North Korean threat actors, among them the cyber espionage group known as <a href="https://attack.mitre.org/groups/G0094/" rel="noopener" target="_blank"><span>Kimsuky</span></a> (aka Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years it has expanded its targeting to countries including the United States, Russia and various nations in Europe. 
Some of their observed targets include:</p> <p style="padding-left: 40px; line-height: 1.75;"><span style="font-size: 20px;">• Pharmaceutical/Research companies working on COVID-19 vaccines and therapies</span><br><span style="font-size: 20px;">• UN Security Council</span><br><span style="font-size: 20px;">• South Korean Ministry of Unification </span><br><span style="font-size: 20px;">• Various Human Rights Groups</span><br><span style="font-size: 20px;">• South Korean Institute for Defense Analysis</span><br><span style="font-size: 20px;">• Various Education and Academic Organizations</span><br><span style="font-size: 20px;">• Various Think Tanks</span><br><span style="font-size: 20px;">• Government Research Institutes</span><br><span style="font-size: 20px;">• Journalists covering Korean Peninsula relations</span><br><span style="font-size: 20px;">• South Korean Military</span></p> <p>On October 27th, the <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" rel="noopener" target="_blank"><span>US-CERT published a report summarizing Kimsuky’s recent activities</span></a> and describing the group’s TTPs and infrastructure.</p> <p>Combining the information in the report with the intelligence accumulated by Cybereason Nocturnus over time, the researchers discovered a previously undocumented modular spyware suite dubbed KGH_SPY that provides Kimsuky with stealth capabilities to carry out espionage operations. </p> <p>In addition, Cybereason Nocturnus uncovered another new malware strain dubbed CSPY Downloader that was observed to be a sophisticated tool with extensive anti-analysis and evasion capabilities, allowing the attackers to determine if “the coast is clear” before downloading additional payloads. 
</p> <p>Lastly, the Cybereason Nocturnus team identified new server infrastructure used by Kimsuky that overlaps with previously identified Kimsuky infrastructure.</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=724&name=kimsuky1.png" alt="kimsuky1" width="724" style="width: 724px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=362&name=kimsuky1.png 362w, https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=724&name=kimsuky1.png 724w, https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=1086&name=kimsuky1.png 1086w, https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=1448&name=kimsuky1.png 1448w, https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=1810&name=kimsuky1.png 1810w, https://www.cybereason.com/hs-fs/hubfs/kimsuky1.png?width=2172&name=kimsuky1.png 2172w" sizes="(max-width: 724px) 100vw, 724px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">KGH backdoor caught by Cybereason Platform</span></em></p> <h3 style="font-size: 36px; text-align: left; line-height: 2;"><span style="color: #5e5f5f;">Table of Contents</span><span style="color: #5e5f5f;"></span></h3> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#key-findings" rel="noopener">Key Findings</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#overlap" rel="noopener">Kimsuky Infrastructure Overlap</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#new-infrastructure" rel="noopener">New Toolset Infrastructure</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#bttf" rel="noopener">Back to the Future: Suspected Anti-Forensics</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#kgh-spyware-suite" rel="noopener">KGH Spyware 
Suite</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#infection-vector" rel="noopener">Infection Vector: Weaponized Word Documents</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#payloads-overview" rel="noopener">KGH Spyware Payloads Overview</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#kgh-installer" rel="noopener">Analysis of the KGH Installer (M1.dll)</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#analysis-kgh-backdoor-loader" rel="noopener">Analysis of the KGH Backdoor Loader (msic.exe)</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#backdoor-commands" rel="noopener">KGH Backdoor Commands</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#infostealer-module" rel="noopener">KGH Infostealer Module (m.dll)</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#cspy-downloader" rel="noopener">CSPY Downloader - A New Downloader in the Arsenal</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#anti-analysis" rel="noopener">Anti-analysis Techniques</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#conclusion" rel="noopener">Conclusion</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#mitre-attack" rel="noopener">MITRE ATT&amp;CK Breakdown</a></span></p> <p style="font-size: 24px; line-height: 1;"><span style="color: #5e5f5f;">- <a href="#IOCs" rel="noopener">Indicators of Compromise</a></span></p> <a id="key-findings" data-hs-anchor="true"></a> <h3 style="font-size: 16px; text-align: left; line-height: 1.75;"><span style="color: #5e5f5f;"></span><span 
style="font-size: 36px;">Key Findings</span></h3> <p style="padding-left: 40px;">• <strong>Discovery of a New Modular Spyware Suite: </strong>“KGH_SPY” is a modular suite of tools that provides the threat actors with reconnaissance, keylogging, information stealing and backdoor capabilities</p> <p style="padding-left: 40px;">• <strong>Discovery of a Stealthy New Malware: </strong>“CSPY Downloader” is a tool designed to evade analysis and download additional payloads</p> <p style="padding-left: 40px;">• <strong>New toolset Infrastructure:</strong> Newly discovered toolset infrastructure registered between 2019 and 2020 that overlaps with another Kimsuky malware called <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark" rel="noopener" target="_blank">BabyShark</a> that was used in the past to <a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" rel="noopener" target="_blank">target US-based think tanks</a></p> <p style="padding-left: 40px;">• <strong>Anti-Forensics: </strong>The creation/compilation timestamps of malware in the report appear to have been tampered with and backdated to 2016 in an attempt to thwart forensic investigation</p> <p style="padding-left: 40px;">• <strong>Behavioral and Code Similarities to Other Kimsuky Malware: </strong>The newly discovered malware shares various behavioral and code similarities to known Kimsuky malware, including: code signing with a revoked EGIS certificate; shared strings; file naming convention; string decryption algorithms; PDB paths referencing authors / projects</p> <p style="padding-left: 40px;">• <strong>Undetected by Antivirus: </strong>At the time of writing this report, some of the mentioned payloads are not detected by any antivirus vendors</p> <a id="overlap" data-hs-anchor="true"></a> <h3>Kimsuky Infrastructure Overlap</h3> <p>Kimsuky is known for their complex infrastructure that uses free-registered domains, compromised domains, as 
well as private domains registered by the group. Tracking down the infrastructure, the Nocturnus team was able to detect overlaps with the <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark" rel="noopener" target="_blank"><span>BabyShark</span></a> malware, as well as connections to other malware such as the <a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf" rel="noopener" target="_blank"><span>AppleSeed</span></a> backdoor:</p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=835&name=kimsuky2.png" alt="Infrastructure graph of Kimsuky domains and the overlaps between them" width="835" style="width: 835px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=418&name=kimsuky2.png 418w, https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=835&name=kimsuky2.png 835w, https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=1253&name=kimsuky2.png 1253w, https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=1670&name=kimsuky2.png 1670w, https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=2088&name=kimsuky2.png 2088w, https://www.cybereason.com/hs-fs/hubfs/kimsuky2.png?width=2505&name=kimsuky2.png 2505w" sizes="(max-width: 835px) 100vw, 835px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Infrastructure graph of different Kimsuky domains and the overlaps between them</span></em></p> <p><span style="background-color: #ffffff;">Throughout the years, Kimsuky has been using an array of malware in their operations. The infrastructure of some of the malware used by Kimsuky can be tracked using pattern analysis of the URI structures used by some of their tools. 
The following table maps commonly observed URI patterns to their respective malware: </span></p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 828px; height: 622px;"> <tbody> <tr style="height: 21px;"> <td style="border: 1pt solid #000000; width: 118.5px; height: 21px; background-color: #eeeeee; padding: 4px;"> <p><strong>Malware name</strong></p> </td> <td style="border: 1pt solid #000000; width: 153px; height: 21px; background-color: #eeeeee; padding: 4px;"> <p><strong>Description</strong></p> </td> <td style="border: 1pt solid #000000; width: 555px; height: 21px; background-color: #eeeeee; padding: 4px;"> <p><strong>C2 URL Pattern</strong></p> </td> </tr> <tr style="height: 274px;"> <td style="border: 1pt solid #000000; width: 118.5px; height: 195px; padding: 4px;"> <p><span style="font-size: 13px;"><a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf" rel="noopener" target="_blank">AppleSeed</a> </span></p> </td> <td style="border: 1pt solid #000000; width: 153px; height: 195px; padding: 4px;"> <p><span style="font-size: 13px;">Backdoor</span></p> </td> <td style="border: 1pt solid #000000; width: 555px; height: 195px; padding: 4px;"> <p><span style="font-size: 13px;">http://hao.aini.pe[.]hu/init/image?i=ping&u=8dc1078f1639d34c&p=wait..</span></p> <p><span style="font-size: 13px;">http://mernberinfo[.]tech/wp-data/?m=dunan&p=de3f6e263724&v=win6.1.0-sp1-x64</span></p> <p><span style="font-size: 13px;">http://eastsea.or[.]kr/?m=a&p1=00000009&p2=Win6.1.7601x64-Spy-v2370390</span></p> </td> </tr> <tr style="height: 127px;"> <td style="border: 1pt solid #000000; width: 118.5px; height: 127px; padding: 4px;"> <p><a href="https://vblocalhost.com/uploads/VB2020-46.pdf" rel="noopener" target="_blank"><span style="font-size: 13px;">FlowerPower</span></a></p> </td> <td style="border: 1pt solid #000000; width: 153px; height: 127px; padding: 4px;"> 
<p><span style="font-size: 13px;">Powershell based profiling tool</span></p> </td> <td style="border: 1pt solid #000000; width: 555px; height: 127px; padding: 4px;"> <p><span style="font-size: 13px;">http://dongkuiri.atwebpages[.]com/venus02/venus03/venus03.ps1</span></p> <p><span style="font-size: 13px;">http://attachchosun.atwebpages[.]com/leess1982/leess1982.ps1</span></p> </td> </tr> <tr style="height: 183px;"> <td style="border: 1pt solid #000000; width: 118.5px; height: 128px; padding: 4px;"> <p><span style="font-size: 13px;"><a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon" rel="noopener" target="_blank">Gold Dragon</a></span></p> </td> <td style="border: 1pt solid #000000; width: 153px; height: 128px; padding: 4px;"> <p><span style="font-size: 13px;">Backdoor</span></p> </td> <td style="border: 1pt solid #000000; width: 555px; height: 128px; padding: 4px;"> <p><span style="font-size: 13px;">http://portable.epizy[.]com/img/png/download.php?filename=images01</span></p> <p><span style="font-size: 13px;">http://foxonline123.atwebpages[.]com/home/jpg/download.php?filename=flower03</span></p> </td> </tr> <tr style="height: 176px;"> <td style="border: 1pt solid #000000; width: 118.5px; height: 151px; padding: 4px;"> <p><span style="font-size: 13px;"><a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark" rel="noopener" target="_blank">BabyShark</a></span></p> </td> <td style="border: 1pt solid #000000; width: 153px; height: 151px; padding: 4px;"> <p><span style="font-size: 13px;">VBS-based backdoor and reconnaissance tool</span></p> </td> <td style="border: 1pt solid #000000; width: 555px; height: 151px; padding: 4px;"> <p><span style="font-size: 13px;">http://nhpurumy.mireene[.]com/theme/basic/skin/member/basic/ upload/download.php?param=res2.txt</span></p> <p><span style="font-size: 13px;">http://jmable.mireene[.]com/shop/kcp/js/com/expres.php?op=2</span></p> </td> </tr> </tbody> </table> <a id="new-infrastructure" 
data-hs-anchor="true"></a> <h3>New Toolset Infrastructure</h3> <p><span style="background-color: #ffffff;">By tracking the previous infrastructure and correlating the data regarding the URI patterns used by different Kimsuky tools, the Cybereason Nocturnus Team was able to uncover new infrastructure used by the new malware toolset: </span></p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 819px;"> <tbody> <tr> <td style="border: 1pt solid #000000; width: 172px; background-color: #eeeeee; padding: 4px;"> <p><strong>Malware name</strong></p> </td> <td style="border: 1pt solid #000000; width: 165px; background-color: #eeeeee; padding: 4px;"> <p><strong>Description</strong></p> </td> <td style="border: 1pt solid #000000; width: 482px; background-color: #eeeeee; padding: 4px;"> <p><strong>C2 URL Pattern</strong></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 172px; padding: 4px;"> <p><span style="font-size: 13px;">KGH malware suite</span></p> </td> <td style="border: 1pt solid #000000; width: 165px; padding: 4px;"> <p><span style="font-size: 13px;">Different components in the KGH malware suite</span></p> </td> <td style="border: 1pt solid #000000; width: 482px; padding: 4px;"> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=sbk&ver=x64</span></p> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home/up.php?id=[Machine_name]</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 172px; padding: 4px;"> <p><span style="font-size: 13px;">CSPY Downloader</span></p> </td> <td style="border: 1pt solid #000000; width: 165px; padding: 4px;"> <p><span style="font-size: 
13px;">Downloader</span></p> </td> <td style="border: 1pt solid #000000; width: 482px; padding: 4px;"> <p><span style="font-size: 13px;">http://wave.posadadesantiago[.]com/home/dwn.php?van=10860</span><br><span style="font-size: 13px;">http://wave.posadadesantiago[.]com/home/dwn.php?van=101</span><br><span style="font-size: 13px;">http://wave.posadadesantiago[.]com/home/dwn.php?van=102</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 172px; padding: 4px;"> <p><span style="font-size: 13px;">KGH_Backdoor</span></p> <p><span style="font-size: 13px;">winload.x</span></p> </td> <td style="border: 1pt solid #000000; width: 165px; padding: 4px;"> <p><span style="font-size: 13px;">Backdoor and Keylogger component, VBS downloader</span></p> </td> <td style="border: 1pt solid #000000; width: 482px; padding: 4px;"> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?act=news&id=[Machine_name]</span></p> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=upf&ver=x64</span></p> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=tre&ver=x64</span></p> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=wbi&ver=x64</span></p> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=cmd&ver=x64</span></p> <p><span style="font-size: 13px;">http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=pws&ver=x64</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; width: 172px; padding: 4px;"> <p><span style="font-size: 13px;">PM_Abe_draft_letter_on_UN_NK_20200130.doc</span></p> </td> <td style="border: 1pt solid #000000; width: 165px; padding: 4px;"> <p><span style="font-size: 13px;">Phishing document</span></p> </td> <td style="border: 1pt solid #000000; width: 482px; padding: 4px;"> <p><span style="font-size: 
13px;">http://myaccounts.posadadesantiago[.]com/test/Update.php?wShell=201</span></p> </td> </tr> </tbody> </table> <p style="line-height: 1.75; font-size: 8px;"> </p> <p style="line-height: 1.75;">The new domains are all registered to the same IP address that was reported in previous Kimsuky-related attacks involving the Baby Shark malware: </p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; height: 320px;" width="822"> <tbody> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; height: 64px; width: 144px; background-color: #eeeeee; padding: 4px;"> <p><strong>IP Address</strong></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 321px; background-color: #eeeeee; padding: 4px;"> <p><strong>Domain Name</strong></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 355.5px; background-color: #eeeeee; padding: 4px;"> <p><strong>Kimsuky Activity</strong></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; height: 256px; width: 144px; padding: 4px;" rowspan="4"><br><br> <p style="text-align: center;"><span style="font-size: 13px;">173.205.125.124</span></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 321px; padding: 4px;"> <p><span style="font-size: 13px;">csv.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 355.5px; padding: 4px;"> <p><span style="font-size: 13px;">KGH Backdoor</span></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; height: 64px; width: 321px; padding: 4px;"> <p><span style="font-size: 13px;">wave.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 355.5px; padding: 4px;"> <p><span style="font-size: 13px;">CSPY Downloader</span></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; height: 64px; width: 321px; padding: 4px;"> 
<p><span style="font-size: 13px;">myaccounts.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 355.5px; padding: 4px;"> <p><span style="font-size: 13px;">Malicious Phishing Document</span></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; height: 64px; width: 321px; padding: 4px;"> <p><span style="font-size: 13px;">www.eventosatitlan[.]com</span></p> </td> <td style="border: 1pt solid #000000; height: 64px; width: 355.5px; padding: 4px;"> <p><span style="font-size: 13px;">Baby Shark / <a href="https://blog.prevailion.com/2019/09/autumn-aperture-report.html" rel="noopener" target="_blank">Autumn Aperture Campaign</a></span></p> </td> </tr> </tbody> </table> <a id="phishing-themes" data-hs-anchor="true"></a> <h3 style="font-weight: normal; line-height: 1.75;">Phishing Themes related to the New Infrastructure</h3> <p><span style="background-color: #ffffff;">When analyzing the weaponized phishing documents that were connected to the new tools infrastructure, one can notice that the topic of human rights in North Korea is repeated in at least two documents: </span></p> <ul style="font-size: 20px;"> <li><strong>PM_Abe_draft_letter_on_UN_NK_20200130.doc - </strong>This document contains what appears to be a letter in English and Japanese that was addressed to the (now former) Prime Minister of Japan, Shinzo Abe, regarding the subject of human rights in North Korea. The document’s malicious macro code communicates with the domain<em> myaccounts.posadadesantiago[.]com </em><br><br></li> <li><strong>Interview with a north korean defector.doc - </strong>This document contains an interview with a North Korean defector who escaped to Japan and discusses problems with life in North Korea. 
This document drops a malware that communicates with the domain <em>wave.posadadesantiago[.]com</em></li> </ul> <br> <p><span style="background-color: #ffffff;">The topic of human rights violations in North Korea <a href="https://www.dailynk.com/english/north-korean-hackers-mount-phishing-attack-nkhr-groups/" style="background-color: #ffffff;" rel="noopener" target="_blank">previously appeared</a> in multiple phishing documents attributed to Kimsuky. </span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=842&name=kimsuky3.png" alt="kimsuky3" width="842" style="width: 842px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=421&name=kimsuky3.png 421w, https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=842&name=kimsuky3.png 842w, https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=1263&name=kimsuky3.png 1263w, https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=1684&name=kimsuky3.png 1684w, https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=2105&name=kimsuky3.png 2105w, https://www.cybereason.com/hs-fs/hubfs/kimsuky3.png?width=2526&name=kimsuky3.png 2526w" sizes="(max-width: 842px) 100vw, 842px"></p> <p style="text-align: center;"><em><span style="color: #5e5f5f;">Phishing Documents containing DPRK-related human rights issues</span></em></p> <a id="bttf" data-hs-anchor="true"></a> <h3 style="text-align: left; font-size: 36px;"><span style="color: #434343;">Back to the Future: Suspected Anti-Forensics </span></h3> <p>Backdating, or <a href="https://attack.mitre.org/techniques/T1070/006/" rel="noopener" target="_blank"><span>timestomping</span></a>, is a technique used by many threat actors which involves the manipulation of the creation timestamps or compilation date of a file in order to thwart analysis attempts (anti-forensics). 
It is suspected that the creation dates of most of the files mentioned in this report were tampered with by the threat actors and backdated to 2016:</p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 818px; height: 944px;" height="999"> <tbody> <tr style="height: 115px;"> <td style="border: 1pt solid #000000; width: 166.5px; background-color: #eeeeee; height: 115px; padding: 4px;"> <p><strong>Name</strong></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; background-color: #eeeeee; height: 115px; padding: 4px;"> <p><strong>SHA-256</strong></p> </td> <td style="border: 1pt solid #000000; width: 135px; background-color: #eeeeee; height: 115px; padding: 4px;"> <p><strong>Creation Date (likely fake)</strong></p> </td> <td style="border: 1pt solid #000000; width: 120px; background-color: #eeeeee; height: 115px; padding: 4px;"> <p><strong>VT Upload Date</strong></p> </td> </tr> <tr style="height: 104px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 104px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>m1.dll </strong></span></p> <p><span style="font-size: 13px;"><strong>cur_install_x64.dll</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; height: 104px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">af13b16416760782ec81d587736cb4c9b2e7099afc10cb764eeb4c922ee8802f</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 104px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-10-02 07:35:25</span></p> </td> <td style="border: 1pt solid #000000; width: 120px; height: 104px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2020-10-07 13:03:45</span></p> </td> </tr> <tr style="height: 135px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 135px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>msic.exe</strong></span></p> 
<br><br></td> <td style="border: 1pt solid #000000; width: 394.5px; height: 135px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">E4d28fd7e0fc63429fc199c1b683340f725f0bf9834345174ff0b6a3c0b1f60e</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 135px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2016-09-28 02:08:00</span></p> </td> <td style="border: 1pt solid #000000; width: 120px; height: 135px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2020-10-07 13:03:53</span></p> </td> </tr> <tr style="height: 118px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>msfltr32.dll</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">66fc8b03bc0ab95928673e0ae7f06f34f17537caf159e178a452c2c56ba6dda7</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d; background-color: #ffffff;">2016-10-02 07:23:16</span></p> </td> <td style="border: 1pt solid #000000; width: 120px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d; background-color: #ffffff;">2020-10-07 13:03:56</span></p> </td> </tr> <tr style="height: 118px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>m.dll</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">f989d13f7d0801b32735fee018e816f3a2783a47cff0b13d70ce2f1cbc754fb9</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2016-09-28 08:41:36</span></p> </td> <td style="border: 1pt solid 
#000000; width: 120px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2020-10-07 13:03:56</span></p> </td> </tr> <tr style="height: 118px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>0807.dotm</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">97d4898c4e70335f0adbbace34593236cb84e849592e5971a797554d3605d323</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2016-08-07 11:31:00</span></p> </td> <td style="border: 1pt solid #000000; width: 120px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2020-08-19 09:46:33</span></p> </td> </tr> <tr style="height: 118px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>0928.dotm</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">d88c5695ccd83dce6729b84c8c43e8a804938a7ab7cfeccaa0699d6b1f81c95c</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2016-09-28 02:08:00</span></p> </td> <td style="border: 1pt solid #000000; width: 120px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2020-10-06 07:53:38</span></p> </td> </tr> <tr style="height: 118px;"> <td style="border: 1pt solid #000000; width: 166.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>winload.exe</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 394.5px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: 
#4d4d4d;">7158099406d99db82b7dc9f6418c1189ee472ce3c25a3612a5ec5672ee282dc0</span></p> </td> <td style="border: 1pt solid #000000; width: 135px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2016-07-30 01:20:23</span></p> </td> <td style="border: 1pt solid #000000; width: 120px; height: 118px; padding: 4px;"> <p><span style="font-size: 10pt; color: #4d4d4d;">2020-06-12 01:48:02</span></p> </td> </tr> </tbody> </table> <p> </p> <p>The assumption is backed by the registration dates of the domains that were hardcoded in all the above mentioned malware samples. According to the domain registration information in <a href="https://community.riskiq.com/search" rel="noopener" target="_blank"><span>RiskIQ PassiveTotal</span></a>, these domains were first registered between January 2019 and August 2020, years after the seemingly manipulated creation dates: </p> <table style="border: none; border-color: #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto;"> <tbody> <tr> <td style="border: 1pt solid #000000; background-color: #eeeeee; padding: 4px;"> <p><strong>Domain</strong></p> </td> <td style="border: 1pt solid #000000; background-color: #eeeeee; padding: 4px;"> <p><strong>IP Resolution</strong></p> </td> <td style="border: 1pt solid #000000; background-color: #eeeeee; padding: 4px;"> <p><strong>First Observed</strong></p> </td> <td style="border: 1pt solid #000000; background-color: #eeeeee; padding: 4px;"> <p><strong>Earliest Observed Certificate Issue Date</strong></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px;">csv.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px; color: #000000;">173.205.125.124</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px; color: #111111;">2020-08-09</span></p> </td> <td 
style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px;"><strong>SHA-1: </strong>87b35e1998bf00a8b7e32ed391c217deaec408ad </span></p> <p><span style="font-size: 13px;"><strong>Date: </strong>2020-08-19</span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px;">wave.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px; color: #000000;">173.205.125.124</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px; color: #111111;">2020-02-27</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p style="line-height: 1.15;"><span style="font-size: 13px;"><strong>SHA-1: </strong>F846981567760d40b5a90c8923ca8c2e7c881c5f </span></p> <p style="line-height: 1.15;"><span style="font-size: 13px;"><strong>Date: </strong><span style="color: #111111;">2020-03-24</span></span></p> </td> </tr> <tr> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px;">myaccounts.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px; color: #000000;">173.205.125.124</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px; color: #111111;">2019-01-25</span></p> </td> <td style="border: 1pt solid #000000; padding: 4px;"> <p><span style="font-size: 13px;"><strong>SHA-1:</strong> 90d00ecb1e903959a3853e8ee1c8af89fb82a179 </span></p> <p><span style="font-size: 13px;"><strong>Date: </strong><span style="color: #111111;">2019-01-25</span></span></p> </td> </tr> </tbody> </table> <a id="kgh-spyware-suite" data-hs-anchor="true"></a> <h3 style="font-size: 36px;"><span style="font-family: 'Barlow Condensed', sans-serif; letter-spacing: 0px; background-color: transparent;">KGH Spyware Suite</span></h3> <p style="text-align: center;"><br><img 
src="https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=640&name=kimsuky4.png" alt="kimsuky4" width="640" style="width: 640px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=320&name=kimsuky4.png 320w, https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=640&name=kimsuky4.png 640w, https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=960&name=kimsuky4.png 960w, https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=1280&name=kimsuky4.png 1280w, https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=1600&name=kimsuky4.png 1600w, https://www.cybereason.com/hs-fs/hubfs/kimsuky4.png?width=1920&name=kimsuky4.png 1920w" sizes="(max-width: 640px) 100vw, 640px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">The connection between different components of the KGH malware suite</span></em></p> <p>During our analysis, Cybereason Nocturnus discovered a new malware suite dubbed “KGH” which contains several modules used as spyware. 
The name “KGH” is derived from the PDB path and internal names found in the malware samples: </p> <p style="text-align: center;"><span style="font-size: 10pt; color: #1155cc;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=823&name=kimsuky5.png" alt="kimsuky5" width="823" style="width: 823px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=412&name=kimsuky5.png 412w, https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=823&name=kimsuky5.png 823w, https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=1235&name=kimsuky5.png 1235w, https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=1646&name=kimsuky5.png 1646w, https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=2058&name=kimsuky5.png 2058w, https://www.cybereason.com/hs-fs/hubfs/kimsuky5.png?width=2469&name=kimsuky5.png 2469w" sizes="(max-width: 823px) 100vw, 823px"></span></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">“KGH” in an internal name of the backdoor</span></em></p> <p><span style="font-size: 10pt; color: #1155cc;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=844&name=kimsuky6.png" alt="kimsuky6" width="844" style="width: 844px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=422&name=kimsuky6.png 422w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=844&name=kimsuky6.png 844w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=1266&name=kimsuky6.png 1266w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=1688&name=kimsuky6.png 1688w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=2110&name=kimsuky6.png 2110w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=2532&name=kimsuky6.png 2532w" sizes="(max-width: 844px) 100vw, 844px"></span></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">“m.dll” pdb path</span></em></p> <p>A possible link to North Korean attacks 
referencing the name “KGH” was <a href="https://www.slideshare.net/JackyMinseokCha/targeted-attacks-on-major-industry-sectors-in-south-korea-20171201-cha-minseokavar-2017-beijingfull-version" rel="noopener" target="_blank"><span>mentioned in 2017 in research by Ahnlab</span></a><span style="font-size: 10pt; color: #1155cc;">; </span>however, it is unclear whether it is related to the same malware authors. </p> <a id="infection-vector" data-hs-anchor="true"></a> <h3><span style="font-size: 36px;">Infection Vector: Weaponized Word Documents</span><span style="font-size: 16pt;"></span></h3> <p><span style="font-size: 16pt;"></span>The infection vector seems to originate from Word documents containing malicious macros: </p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 847px; height: 441.25px;"> <tbody> <tr style="height: 141.312px;"> <td style="border: 1pt solid #000000; width: 112px; background-color: #eeeeee; padding: 4px; height: 141px;"> <p><strong>Name</strong></p> </td> <td style="border: 1pt solid #000000; width: 273px; background-color: #eeeeee; padding: 4px; height: 141px;"> <p><strong>SHA-256</strong></p> </td> <td style="border: 1pt solid #000000; width: 206px; background-color: #eeeeee; padding: 4px; height: 141px;"> <p><strong>Domain</strong></p> </td> <td style="border: 1pt solid #000000; width: 131px; background-color: #eeeeee; padding: 4px; height: 141px;"> <p><strong>Creation Date (likely fake)</strong></p> </td> <td style="border: 1pt solid #000000; width: 125px; background-color: #eeeeee; padding: 4px; height: 141px;"> <p><strong>VT Upload Date</strong></p> </td> </tr> <tr style="height: 149.297px;"> <td style="border: 1pt solid #000000; width: 112px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px;">0807.dotm</span></p> </td> <td style="border: 1pt solid #000000; width: 273px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px; color: 
#4d4d4d;">97d4898c4e70335f0adbbace34593236cb84e849592e5971a797554d3605d323</span></p> </td> <td style="border: 1pt solid #000000; width: 206px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px;">csv.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; width: 131px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-08-07 11:31:00</span></p> </td> <td style="border: 1pt solid #000000; width: 125px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2020-08-19 09:46:33</span></p> </td> </tr> <tr style="height: 149.328px;"> <td style="border: 1pt solid #000000; width: 112px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px;">0928.dotm</span></p> </td> <td style="border: 1pt solid #000000; width: 273px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px; color: #4d4d4d;">d88c5695ccd83dce6729b84c8c43e8a804938a7ab7cfeccaa0699d6b1f81c95c</span></p> </td> <td style="border: 1pt solid #000000; width: 206px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px;">csv.posadadesantiago[.]com</span></p> </td> <td style="border: 1pt solid #000000; width: 131px; padding: 4px; height: 149px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-09-28 02:08:00</span></p> </td> <td style="border: 1pt solid #000000; width: 125px; padding: 4px; height: 149px;"> <p style="font-size: 13px;">2020-10-06 07:53:38</p> </td> </tr> </tbody> </table> <p><br>We observed two Word documents that communicate with the domains above and contain code similarities to each other and to the previously mentioned <em>“Interview with a north korean defector.doc”</em>. The macros of the malicious documents do the following: </p> <p><strong>0807.dotm:</strong></p> <ul> <li><span style="font-size: 18px;">1. 
Drops a script named <em>“winload.x”</em> and a wscript.exe binary renamed as <em>“cs.exe”</em> to<em> “%appdata%\Micorosoft\Templates”</em>.</span></li> </ul> <br> <ul> <li><span style="font-size: 18px;">2. Sets the reg key “<em>HKCU\Environment\UserInitMprLogonScript</em>” to run a cmd command that copies <em>“winload.x” as “a.vbs”</em>, executes it and deletes <em>“a.vbs”</em>. The mentioned registry key is used to execute Logon Scripts, and will execute what is written to it at startup. The document is using this key to achieve persistence for the file <em>“winload.x”:</em></span><br><br></li> </ul> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=831&name=kimsuky7.png" alt="kimsuky7" width="831" style="width: 831px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=416&name=kimsuky7.png 416w, https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=831&name=kimsuky7.png 831w, https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=1247&name=kimsuky7.png 1247w, https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=1662&name=kimsuky7.png 1662w, https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=2078&name=kimsuky7.png 2078w, https://www.cybereason.com/hs-fs/hubfs/kimsuky7.png?width=2493&name=kimsuky7.png 2493w" sizes="(max-width: 831px) 100vw, 831px"></p> <p style="text-align: center;"><em><span style="color: #5e5f5f;">Persistence using UserInitMprLogonScript Registry keys</span></em></p> <ul> <li><span style="font-size: 18px;">3. Collects system, network and drive information and installed applications, saves it to a file named “info” and sends it to the C2 using <em>iexplorer.exe</em></span><br><br></li> <li><span style="font-size: 18px;">4. 
When <em>“winload.x” (“a.vbs”)</em> is executed, it tries to download and execute code from <em>“csv.posadadesantiago[.]com/home?act=news&id=[Machine_name]</em>”:</span><br><br></li> </ul> <p style="text-align: center;"><strong><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=847&name=kimsuky8.png" alt="kimsuky8" width="847" style="width: 847px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=424&name=kimsuky8.png 424w, https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=847&name=kimsuky8.png 847w, https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=1271&name=kimsuky8.png 1271w, https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=1694&name=kimsuky8.png 1694w, https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=2118&name=kimsuky8.png 2118w, https://www.cybereason.com/hs-fs/hubfs/kimsuky8.png?width=2541&name=kimsuky8.png 2541w" sizes="(max-width: 847px) 100vw, 847px"></strong></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #5e5f5f;">Winload.x (a.vbs) contents deobfuscated</span></em></span></p> <p><strong>0928.dotm:</strong></p> <ul> <li><span style="font-size: 18px;">1. Collects information about the infected system, network, drives, and installed applications.</span><br><br></li> <li><span style="font-size: 18px;">2. Saves the collected information to a file named “info” in <em>“%appdata%\Micorosoft\Templates”</em> and sends it to the C2.</span><br><br></li> <li><span style="font-size: 18px;">3. Downloads m1.dll (KGH Installer) from <em>“csv.posadadesantiago[.]com/home?id=[Machine_name]&act=sbk&ver=x64”</em></span></li> <li><span style="font-size: 18px;">4. Downloads m.dll (KGH-Browser Stealer) from <em>“csv.posadadesantiago[.]com/home?id=[Machine_name]&act=wbi&ver=x64”</em></span><br><br></li> <li><span style="font-size: 18px;">5. 
Executes the KGH installer:</span><br><br></li> </ul> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=853&name=kimsuky9.png" alt="kimsuky9" width="853" style="width: 853px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=427&name=kimsuky9.png 427w, https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=853&name=kimsuky9.png 853w, https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=1280&name=kimsuky9.png 1280w, https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=1706&name=kimsuky9.png 1706w, https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=2133&name=kimsuky9.png 2133w, https://www.cybereason.com/hs-fs/hubfs/kimsuky9.png?width=2559&name=kimsuky9.png 2559w" sizes="(max-width: 853px) 100vw, 853px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">URLs creation from 0928.dotm macro code</span></em></p> <p>Both documents use similar function names and variable names:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=835&name=kimsuky10.png" alt="kimsuky10" width="835" style="width: 835px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=418&name=kimsuky10.png 418w, https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=835&name=kimsuky10.png 835w, https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=1253&name=kimsuky10.png 1253w, https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=1670&name=kimsuky10.png 1670w, https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=2088&name=kimsuky10.png 2088w, https://www.cybereason.com/hs-fs/hubfs/kimsuky10.png?width=2505&name=kimsuky10.png 2505w" sizes="(max-width: 835px) 100vw, 835px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">0928.dotm VB code (left) & 0807.dotm VB code (right)</span></em></p> <p>Once the macro collected all the 
information, it sends the data to the C2 server over an HTTP POST request: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=840&name=kimsuky11.png" alt="kimsuky11" width="840" style="width: 840px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=420&name=kimsuky11.png 420w, https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=840&name=kimsuky11.png 840w, https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=1260&name=kimsuky11.png 1260w, https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=1680&name=kimsuky11.png 1680w, https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=2100&name=kimsuky11.png 2100w, https://www.cybereason.com/hs-fs/hubfs/kimsuky11.png?width=2520&name=kimsuky11.png 2520w" sizes="(max-width: 840px) 100vw, 840px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Exfiltration of the collected system information stored in “info”</span></em></p> <a id="payloads-overview" data-hs-anchor="true"></a> <h3 style="font-size: 36px;">KGH Spyware Payloads Overview</h3> <p>The following payloads were observed to be downloaded and dropped by the previously mentioned malicious documents:</p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 744px; height: 1065.25px;"> <tbody> <tr style="height: 141.312px;"> <td style="border: 1pt solid #000000; width: 115px; background-color: #eeeeee; height: 141px; padding: 4px;"> <p><strong>File Name(s)</strong></p> </td> <td style="border: 1pt solid #000000; width: 333px; background-color: #eeeeee; height: 141px; padding: 4px;"> <p><strong>Purpose</strong></p> </td> <td style="border: 1pt solid #000000; width: 119px; background-color: #eeeeee; height: 141px; padding: 4px;"> <p><strong>Creation Date (likely fake)</strong></p> </td> <td style="border: 1pt solid #000000; width: 176px; 
background-color: #eeeeee; height: 141px; padding: 4px;"> <p><strong>VT Upload Date</strong></p> </td> </tr> <tr style="height: 397px;"> <td style="border: 1pt solid #000000; width: 115px; height: 397px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>m1.dll </strong></span></p> </td> <td style="border: 1pt solid #000000; width: 333px; height: 397px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>Drops KGH backdoor and creates persistence to msic.exe and drops:</strong> </span></p> <p><span style="font-size: 13px;"> - C:\Users\user\AppData\Local\AreSoft\<strong>msic.exe</strong></span></p> <p><span style="font-size: 13px;"> - C:\Users\user\AppData\Local\AreSoft\<strong>msfltr32.dll</strong></span></p> <p> </p> </td> <td style="border: 1pt solid #000000; width: 119px; height: 397px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-10-02 07:35:25</span></p> </td> <td style="border: 1pt solid #000000; width: 176px; height: 397px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2020-10-07 13:03:45</span></p> </td> </tr> <tr style="height: 139.312px;"> <td style="border: 1pt solid #000000; width: 115px; height: 139px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>msic.exe</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 333px; height: 139px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>Loads and executes msfltr32.dll</strong></span></p> <p><span style="font-size: 13px;">C:\Users\user\AppData\Local\AreSoft\<strong>msfltr32.dll</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 119px; height: 139px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-09-28 02:08:00</span></p> </td> <td style="border: 1pt solid #000000; width: 176px; height: 139px; padding: 4px;"> <p style="font-size: 13px;">2020-10-07 13:03:53</p> </td> </tr> <tr style="height: 229.312px;"> <td style="border: 1pt solid #000000; width: 115px; height: 229px; 
padding: 4px;"> <p><span style="font-size: 13px;"><strong>msfltr32.dll</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 333px; height: 229px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>KGH backdoor capabilities: </strong></span></p> <ul> <li><span style="font-size: 13px;"> - Persistence</span></li> <li><span style="font-size: 13px;"> - Keylogger</span></li> <li><span style="font-size: 13px;"> - Downloads additional payloads</span></li> <li><span style="font-size: 13px;">- Executes arbitrary commands (cmd.exe / powershell)</span></li> </ul> </td> <td style="border: 1pt solid #000000; width: 119px; height: 229px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-10-02 07:23:16</span></p> </td> <td style="border: 1pt solid #000000; width: 176px; height: 229px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2020-10-07 13:03:56</span></p> </td> </tr> <tr style="height: 157px;"> <td style="border: 1pt solid #000000; width: 115px; height: 157px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>m.dll</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 333px; height: 157px; padding: 4px;"> <p><span style="font-size: 13px;"><strong>KGH-Browser Stealer </strong></span></p> <p><span style="font-size: 13px;">Steals stored data from Chrome, Edge, Firefox, Thunderbird, Opera, Winscp. 
</span></p> </td> <td style="border: 1pt solid #000000; width: 119px; height: 157px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2016-09-28 08:41:36</span></p> </td> <td style="border: 1pt solid #000000; width: 176px; height: 157px; padding: 4px;"> <p><span style="font-size: 13px; color: #4d4d4d;">2020-10-07 13:03:56</span></p> </td> </tr> </tbody> </table> <p> </p> <p><span style="color: #5e5f5f;">The following files were downloaded / dropped by the macro as caught by the Cybereason platform: </span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=844&name=kimsuky12.png" alt="kimsuky12" width="844" style="width: 844px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=422&name=kimsuky12.png 422w, https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=844&name=kimsuky12.png 844w, https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=1266&name=kimsuky12.png 1266w, https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=1688&name=kimsuky12.png 1688w, https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=2110&name=kimsuky12.png 2110w, https://www.cybereason.com/hs-fs/hubfs/kimsuky12.png?width=2532&name=kimsuky12.png 2532w" sizes="(max-width: 844px) 100vw, 844px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Cybereason defense platform presenting the creation of the files</span></em></p> <a id="kgh-installer" data-hs-anchor="true"></a> <h3><span style="font-size: 36px;">Analysis of the KGH Installer (M1.dll)</span><span style="font-size: 16pt;"></span><span style="font-size: 16pt;"></span></h3> <p>The KGH installer was uploaded to VirusTotal in October 2020 and at the time of writing this report is not detected by any Antivirus engines: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=830&name=kimsuky13.png" alt="kimsuky13" width="830" 
style="width: 830px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=415&name=kimsuky13.png 415w, https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=830&name=kimsuky13.png 830w, https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=1245&name=kimsuky13.png 1245w, https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=1660&name=kimsuky13.png 1660w, https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=2075&name=kimsuky13.png 2075w, https://www.cybereason.com/hs-fs/hubfs/kimsuky13.png?width=2490&name=kimsuky13.png 2490w" sizes="(max-width: 830px) 100vw, 830px"></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #5e5f5f;"> KGH installer detections in VT</span></em></span></p> <p>The file is a DLL that executes the installation / dropper code located in the “outinfo” export:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=503&name=kimsuky14.png" alt="kimsuky14" width="503" style="width: 503px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=252&name=kimsuky14.png 252w, https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=503&name=kimsuky14.png 503w, https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=755&name=kimsuky14.png 755w, https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=1006&name=kimsuky14.png 1006w, https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=1258&name=kimsuky14.png 1258w, https://www.cybereason.com/hs-fs/hubfs/kimsuky14.png?width=1509&name=kimsuky14.png 1509w" sizes="(max-width: 503px) 100vw, 503px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;"> KGH installer exports</span></em></p> <p>The DLL contains two encrypted blobs in its resource section. 
It can be noticed that there are traces of Korean language in those resources: </p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=823&name=kimsuky15.png" alt="kimsuky15" width="823" style="width: 823px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=412&name=kimsuky15.png 412w, https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=823&name=kimsuky15.png 823w, https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=1235&name=kimsuky15.png 1235w, https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=1646&name=kimsuky15.png 1646w, https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=2058&name=kimsuky15.png 2058w, https://www.cybereason.com/hs-fs/hubfs/kimsuky15.png?width=2469&name=kimsuky15.png 2469w" sizes="(max-width: 823px) 100vw, 823px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;"> KGH installer resources</span></em></p> <p>These encrypted blobs are dropped to <em>C:\Users\user\AppData\Local\Temp\3f34a.tmp</em> one after the other. 
Once they are dropped, the dropper decrypts them, writes them to a newly created folder and establishes persistence:</p> <ul style="font-size: 18px;"> <li><em>C:\Users\user\AppData\Local\AreSoft\msic.exe</em></li> <li><em>C:\Users\user\AppData\Local\AreSoft\msfltr32.dll</em><br><br></li> </ul> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=827&name=kimsuky16.png" alt="kimsuky16" width="827" style="width: 827px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=414&name=kimsuky16.png 414w, https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=827&name=kimsuky16.png 827w, https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=1241&name=kimsuky16.png 1241w, https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=1654&name=kimsuky16.png 1654w, https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=2068&name=kimsuky16.png 2068w, https://www.cybereason.com/hs-fs/hubfs/kimsuky16.png?width=2481&name=kimsuky16.png 2481w" sizes="(max-width: 827px) 100vw, 827px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Location of the dropped files on an infected machine</span></em></p> <p>The backdoor achieves persistence by creating the following registry autorun key: </p> <ul style="font-size: 18px;"> <li><strong><em>Key: </em></strong><em>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load</em></li> <li><strong><em>Value: </em></strong><em>C:\Users\user\AppData\Local\AreSoft\msic.exe</em><br><br></li> </ul> <a id="analysis-kgh-backdoor-loader" data-hs-anchor="true"></a> <h3 style="font-size: 36px;">Analysis of the KGH Backdoor Loader (msic.exe)</h3> <p>The KGH loader (msic.exe) is responsible for loading and executing the KGH backdoor DLL (msfltr32.dll) in memory: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=830&name=kimsuky17.png" alt="kimsuky17" width="830" 
style="width: 830px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=415&name=kimsuky17.png 415w, https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=830&name=kimsuky17.png 830w, https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=1245&name=kimsuky17.png 1245w, https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=1660&name=kimsuky17.png 1660w, https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=2075&name=kimsuky17.png 2075w, https://www.cybereason.com/hs-fs/hubfs/kimsuky17.png?width=2490&name=kimsuky17.png 2490w" sizes="(max-width: 830px) 100vw, 830px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Msic.exe loads msfltr32.dll to memory</span></em></p> <p>The file itself is unsigned and masquerades as a legitimate Microsoft Windows tool:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=569&name=kimsuky18.png" alt="kimsuky18" width="569" style="width: 569px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=285&name=kimsuky18.png 285w, https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=569&name=kimsuky18.png 569w, https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=854&name=kimsuky18.png 854w, https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=1138&name=kimsuky18.png 1138w, https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=1423&name=kimsuky18.png 1423w, https://www.cybereason.com/hs-fs/hubfs/kimsuky18.png?width=1707&name=kimsuky18.png 1707w" sizes="(max-width: 569px) 100vw, 569px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Msfltr32.dll Signature Info</span></em></p> <h3 style="font-size: 36px;">KGH Backdoor - Main Module (msfltr32.dll)</h3> <p>The msfltr32.dll module is the core module of the KGH backdoor. 
The backdoor contains the following functionality: </p> <ul style="font-size: 18px;"> <li><span style="font-size: 18px;"><span>• </span></span>Persistence using autorun keys</li> <li><span style="font-size: 18px;"><span>• </span></span>Keylogger</li> <li><span style="font-size: 18px;"><span>• </span></span>Directory and file listing</li> <li><span style="font-size: 18px;"><span>• </span></span>Downloading secondary payloads from the C2 server</li> <li><span style="font-size: 18px;"><span>• </span></span>Exfiltrating collected information from the host to the C2 server</li> <li><span style="font-size: 18px;"><span>• </span></span>Executing arbitrary commands via cmd.exe or PowerShell</li> </ul> <h3 style="font-size: 36px;"><span style="color: #434343;">KGH Backdoor: Keylogger Functionality</span></h3> <p>The KGH backdoor has a keylogger functionality built into its code, which is achieved by <a href="https://eyeofrablog.wordpress.com/2017/06/11/windows-keylogger-part-1-attack-on-user-land/" rel="noopener" target="_blank"><span>a common technique</span></a> of polling the <a href="https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getasynckeystate" rel="noopener" target="_blank"><span>GetAsyncKeyState</span></a>() function:</p> <p style="text-align: center;"><span style="font-size: 10pt; color: #1155cc;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=612&name=kimsuky19.png" alt="kimsuky19" width="612" style="width: 612px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=306&name=kimsuky19.png 306w, https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=612&name=kimsuky19.png 612w, https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=918&name=kimsuky19.png 918w, https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=1224&name=kimsuky19.png 1224w, https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=1530&name=kimsuky19.png 1530w, 
https://www.cybereason.com/hs-fs/hubfs/kimsuky19.png?width=1836&name=kimsuky19.png 1836w" sizes="(max-width: 612px) 100vw, 612px"></span></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Excerpt from KGH’s Keylogger function</span></em></p> <p>The recorded keystrokes are stored in the “lg” folder in %appdata% with the file extension “.x”</p> <h3 style="font-size: 36px;"><span style="color: #434343;">KGH Backdoor Secondary Payloads</span></h3> <p>The KGH backdoor contacts the C2 with URL <em>“csv.posadadesantiago[.]com/home?act=news&id=[Machine_name]”</em> and saves the response to <em>“C:\Users\user\AppData\Local\Temp\n.x”:</em></p> <p style="text-align: center;"><span style="font-size: 14pt; color: #434343;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=834&name=kimsuky20.png" alt="kimsuky20" width="834" style="width: 834px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=417&name=kimsuky20.png 417w, https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=834&name=kimsuky20.png 834w, https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=1251&name=kimsuky20.png 1251w, https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=1668&name=kimsuky20.png 1668w, https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=2085&name=kimsuky20.png 2085w, https://www.cybereason.com/hs-fs/hubfs/kimsuky20.png?width=2502&name=kimsuky20.png 2502w" sizes="(max-width: 834px) 100vw, 834px"></span><span style="color: #5e5f5f;"></span></p> <p style="text-align: center;"><em><span style="color: #5e5f5f;">URL string in KGH Backdoor</span></em></p> <p>The KGH backdoor will then parse the contents of “n.x”. The “n.x” file may contain an “SHL”, “DLL” or “EXE” file.</p> <p>In case it is a “DLL” or an “EXE” the KGH backdoor will execute the file. 
In case the downloaded file contains an “SHL” file, the KGH backdoor will parse the file to retrieve commands sent by the C2:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=703&name=kimsuky21.png" alt="kimsuky21" width="703" style="width: 703px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=352&name=kimsuky21.png 352w, https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=703&name=kimsuky21.png 703w, https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=1055&name=kimsuky21.png 1055w, https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=1406&name=kimsuky21.png 1406w, https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=1758&name=kimsuky21.png 1758w, https://www.cybereason.com/hs-fs/hubfs/kimsuky21.png?width=2109&name=kimsuky21.png 2109w" sizes="(max-width: 703px) 100vw, 703px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Check “n.x” file type code from KGH backdoor </span></em></p> <a id="backdoor-commands" data-hs-anchor="true"></a> <h3 style="font-size: 36px;"><span style="color: #434343;">KGH Backdoor Commands</span></h3> <p>The KGH backdoor has a predefined set of commands that it receives from the server: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=845&name=kimsuky22.png" alt="kimsuky22" width="845" style="width: 845px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=423&name=kimsuky22.png 423w, https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=845&name=kimsuky22.png 845w, https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=1268&name=kimsuky22.png 1268w, https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=1690&name=kimsuky22.png 1690w, https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=2113&name=kimsuky22.png 2113w, 
https://www.cybereason.com/hs-fs/hubfs/kimsuky22.png?width=2535&name=kimsuky22.png 2535w" sizes="(max-width: 845px) 100vw, 845px"></p> <p style="text-align: center;"><em><span style="color: #5e5f5f;"><span style="font-size: 16px;">KGH’s backdoor commands</span></span></em></p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 815px; height: 360px;"> <tbody> <tr style="height: 63px;"> <td style="border: 1pt solid #000000; width: 102px; background-color: #eeeeee; height: 63px; padding: 4px;"> <p><strong>Command</strong></p> </td> <td style="border: 1pt solid #000000; width: 712.5px; background-color: #eeeeee; height: 63px; padding: 4px;"> <p><strong>Purpose</strong></p> </td> </tr> <tr style="height: 47px;"> <td style="border: 1pt solid #000000; width: 102px; height: 47px; padding: 4px;"> <p><span style="font-size: 13px;">upf</span></p> </td> <td style="border: 1pt solid #000000; width: 712.5px; height: 47px; padding: 4px;"> <p><span style="font-size: 13px;">Uploads files to the C2</span></p> </td> </tr> <tr style="height: 58px;"> <td style="border: 1pt solid #000000; width: 102px; height: 58px; padding: 4px;"> <p><span style="font-size: 13px;">tre</span></p> </td> <td style="border: 1pt solid #000000; width: 712.5px; height: 58px; padding: 4px;"> <p><span style="font-size: 13px;">Create a list of all files in the system using the “tree” command, save to a file named “c.txt” and upload the file to the C2</span></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; width: 102px; height: 64px; padding: 4px;"> <p><span style="font-size: 13px;">wbi</span></p> </td> <td style="border: 1pt solid #000000; width: 712.5px; height: 64px; padding: 4px;"> <p><span style="font-size: 13px;">Download “m.dll” browser stealer module and exfiltrates stolen data</span></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; width: 102px; height: 64px; 
padding: 4px;"> <p><span style="font-size: 13px;">cmd</span></p> </td> <td style="border: 1pt solid #000000; width: 712.5px; height: 64px; padding: 4px;"> <p><span style="font-size: 13px;">Execute a cmd shell command</span></p> </td> </tr> <tr style="height: 64px;"> <td style="border: 1pt solid #000000; width: 102px; height: 64px; padding: 4px;"> <p><span style="font-size: 13px;">pws</span></p> </td> <td style="border: 1pt solid #000000; width: 712.5px; height: 64px; padding: 4px;"> <p><span style="font-size: 13px;">Execute a powershell command </span></p> </td> </tr> </tbody> </table> <p> </p> <p>List of files generated by or downloaded by the KGH backdoor: </p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 818px; height: 555px;" height="610"> <tbody> <tr style="height: 72px;"> <td style="border: 1pt solid #000000; width: 357px; background-color: #eeeeee; height: 72px; padding: 4px;"> <p><strong>File</strong></p> </td> <td style="border: 1pt solid #000000; width: 459px; background-color: #eeeeee; height: 72px; padding: 4px;"> <p><strong>Purpose</strong></p> </td> </tr> <tr style="height: 73px;"> <td style="border: 1pt solid #000000; width: 357px; height: 73px; padding: 4px;"> <p><span style="font-size: 13px;">C:\Users\user\AppData\Roaming\lg\[year_month_day].x</span></p> </td> <td style="border: 1pt solid #000000; width: 459px; height: 73px; padding: 4px;"> <p><span style="font-size: 13px;">Keylogger stolen data storage</span></p> </td> </tr> <tr style="height: 73px;"> <td style="border: 1pt solid #000000; width: 357px; height: 73px; padding: 4px;"> <p><span style="font-size: 13px;">C:\Users\user\AppData\Local\Temp\n.x</span></p> </td> <td style="border: 1pt solid #000000; width: 459px; height: 73px; padding: 4px;"> <p><span style="font-size: 13px;">Payload downloaded from the server</span></p> </td> </tr> <tr style="height: 166px;"> <td style="border: 1pt solid #000000; width: 
357px; height: 166px; padding: 4px;"> <p><span style="font-size: 13px;">C:\Users\user\AppData\Local\Temp\C.txt</span></p> </td> <td style="border: 1pt solid #000000; width: 459px; height: 166px; padding: 4px;"> <p><span style="font-size: 13px;">Output of the tree command (directory and file listing)</span></p> <p><span style="font-size: 13px;">C:\Windows\System32\cmd.exe /c tree /f C:\ >> C:\Users\user\AppData\Local\Temp\C.txt</span></p> </td> </tr> <tr style="height: 52px;"> <td style="border: 1pt solid #000000; width: 357px; height: 52px; padding: 4px;"> <p><span style="font-size: 13px;">C:\Users\user\Documents\w.x</span></p> </td> <td style="border: 1pt solid #000000; width: 459px; height: 52px; padding: 4px;"> <p><span style="font-size: 13px;">Stolen browser data (from the m.dll module)</span></p> </td> </tr> <tr style="height: 44px;"> <td style="border: 1pt solid #000000; width: 357px; height: 44px; padding: 4px;"> <p><span style="font-size: 13px;">sig.x</span></p> </td> <td style="border: 1pt solid #000000; width: 459px; height: 44px; padding: 4px;"> <p><span style="font-size: 13px;">Likely checks write permission to the disk</span></p> </td> </tr> <tr style="height: 75px;"> <td style="border: 1pt solid #000000; width: 357px; height: 75px; padding: 4px;"> <p><span style="font-size: 13px;">C:\test1.txt</span></p> </td> <td style="border: 1pt solid #000000; width: 459px; height: 75px; padding: 4px;"> <p><span style="font-size: 13px;">N/A</span></p> </td> </tr> </tbody> </table> <a id="infostealer-module" data-hs-anchor="true"></a> <h3 style="line-height: 1.75; font-size: 36px;">KGH Infostealer Module (m.dll)</h3> <p>Another component of the KGH suite is the m.dll module, an information stealer that harvests data from browsers, Windows Credential Manager, WINSCP and mail clients. 
The infostealer module is not detected by any AV vendor at the time of writing this report: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=820&name=kimsuky23.png" alt="kimsuky23" width="820" style="width: 820px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=410&name=kimsuky23.png 410w, https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=820&name=kimsuky23.png 820w, https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=1230&name=kimsuky23.png 1230w, https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=1640&name=kimsuky23.png 1640w, https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=2050&name=kimsuky23.png 2050w, https://www.cybereason.com/hs-fs/hubfs/kimsuky23.png?width=2460&name=kimsuky23.png 2460w" sizes="(max-width: 820px) 100vw, 820px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">KGH infostealer module is undetected by any Antivirus vendors</span></em></p> <p>The PDB path embedded in the m.dll module further shows a clear connection to the KGH backdoor, as it is named <em>“KGH_Browser-Master”:</em></p> <p style="text-align: center;"><span style="font-size: 10pt; color: #1155cc;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=844&name=kimsuky6.png" alt="kimsuky6" width="844" style="width: 844px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=422&name=kimsuky6.png 422w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=844&name=kimsuky6.png 844w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=1266&name=kimsuky6.png 1266w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=1688&name=kimsuky6.png 1688w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=2110&name=kimsuky6.png 2110w, https://www.cybereason.com/hs-fs/hubfs/kimsuky6.png?width=2532&name=kimsuky6.png 2532w" sizes="(max-width: 844px) 100vw, 
844px"></span></p> <p style="text-align: center;"><span style="font-size: 16px;"><em><span style="color: #5e5f5f;">E:\SPY\WebBrowser\KGH_Browser-Master\x64\Release\KGH_Browser-Master.pdb</span></em></span></p> <p>The “SPY” user was also observed in PDB of the “CSPY Downloader”, which is also mentioned in this report: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=379&name=kimsuky25.png" alt="kimsuky25" width="379" style="width: 379px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=190&name=kimsuky25.png 190w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=379&name=kimsuky25.png 379w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=569&name=kimsuky25.png 569w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=758&name=kimsuky25.png 758w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=948&name=kimsuky25.png 948w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=1137&name=kimsuky25.png 1137w" sizes="(max-width: 379px) 100vw, 379px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">PDB Path of the CSPY Downloader</span></em></p> <p>The infostealer module steals information stored (cookies, credentials) in the following applications: </p> <ul> <ul> <li><span style="font-size: 18px;"><strong><span>• </span>Browsers</strong>: Chrome, IE / Edge, Firefox, Opera</span></li> </ul> </ul> <ul> <li><span style="font-size: 18px;"><strong><span>• </span>WinSCP Client</strong></span></li> </ul> <ul> <li><span style="font-size: 18px;"><strong><span>• </span>Windows Credential Manager</strong></span></li> </ul> <ul> <li><span style="font-size: 18px;"><strong><span>• </span>Mozilla Thunderbird Mail Client</strong></span><br><br></li> </ul> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=827&name=kimsuky26.png" alt="kimsuky26" width="827" 
style="width: 827px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=414&name=kimsuky26.png 414w, https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=827&name=kimsuky26.png 827w, https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=1241&name=kimsuky26.png 1241w, https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=1654&name=kimsuky26.png 1654w, https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=2068&name=kimsuky26.png 2068w, https://www.cybereason.com/hs-fs/hubfs/kimsuky26.png?width=2481&name=kimsuky26.png 2481w" sizes="(max-width: 827px) 100vw, 827px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Main Infostealing routine</span></em></p> <p>The stolen information is written to a file called “w.x”: </p> <p><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=757&name=kimsuky27-1.png" alt="kimsuky27-1" width="757" style="width: 757px; display: block; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=379&name=kimsuky27-1.png 379w, https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=757&name=kimsuky27-1.png 757w, https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=1136&name=kimsuky27-1.png 1136w, https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=1514&name=kimsuky27-1.png 1514w, https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=1893&name=kimsuky27-1.png 1893w, https://www.cybereason.com/hs-fs/hubfs/kimsuky27-1.png?width=2271&name=kimsuky27-1.png 2271w" sizes="(max-width: 757px) 100vw, 757px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Creation of the “w.x” file that stores the stolen data</span></em></p> <a id="cspy-downloader" data-hs-anchor="true"></a> <h3 style="line-height: 1.75; font-size: 36px;">CSPY Downloader - A New Downloader in the Arsenal</h3> <p>When hunting for some of the URI patterns mentioned in the <a 
href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" rel="noopener" target="_blank"><span>US-CERT report</span></a> (<em>“/home/dwn.php?van=101”</em>), another malicious executable, named <em>winload.exe</em>, was found communicating with the C2 <em>wave.posadadesantiago[.]com</em>.</p> <p><span style="background-color: #ffffff;">This sample was delivered by a <a href="https://www.virustotal.com/gui/file/252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c/detection" style="background-color: #ffffff;" rel="noopener" target="_blank">malicious document</a> named “Interview with a north Korean defector”. The macro embedded inside unpacks and executes <em>winload.exe</em>.</span></p> <p>Upon analysis, the Nocturnus team determined that winload.exe is a new type of downloader, dubbed “CSPY” by Cybereason, that is packed with robust evasion techniques meant to ensure that the “coast is clear” — that the malware is not running in the context of a virtual machine or under analysis tools — before it continues to download secondary payloads: </p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=801&name=kimsuky28.png" alt="kimsuky28" width="801" style="width: 801px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=401&name=kimsuky28.png 401w, https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=801&name=kimsuky28.png 801w, https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=1202&name=kimsuky28.png 1202w, https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=1602&name=kimsuky28.png 1602w, https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=2003&name=kimsuky28.png 2003w, https://www.cybereason.com/hs-fs/hubfs/kimsuky28.png?width=2403&name=kimsuky28.png 2403w" sizes="(max-width: 801px) 100vw, 801px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">VirusTotal uploads of winload.exe communicating with the above mentioned 
C2</span></em></p> <p>This file is mentioned in the report by <a href="https://blog.alyac.co.kr/3052" rel="noopener" target="_blank"><span>ESTSecurity</span></a>. Consistent with the findings there, it is packed with UPX, has resources in Korean and anti-VM functionality, and carries a timestamp that has been tampered with to read July 30, 2016:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=397&name=kimsuky25.png" alt="kimsuky25" width="397" style="width: 397px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=199&name=kimsuky25.png 199w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=397&name=kimsuky25.png 397w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=596&name=kimsuky25.png 596w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=794&name=kimsuky25.png 794w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=993&name=kimsuky25.png 993w, https://www.cybereason.com/hs-fs/hubfs/kimsuky25.png?width=1191&name=kimsuky25.png 1191w" sizes="(max-width: 397px) 100vw, 397px"></p> <p style="text-align: center; font-size: 16px;"><span style="background-color: #ffffff;"><em><span style="color: #5e5f5f;">The PDB Path of the CSPY Downloader</span></em></span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=817&name=kimsuky29.png" alt="kimsuky29" width="817" style="width: 817px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=409&name=kimsuky29.png 409w, https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=817&name=kimsuky29.png 817w, https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=1226&name=kimsuky29.png 1226w, https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=1634&name=kimsuky29.png 1634w, https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=2043&name=kimsuky29.png 2043w, 
https://www.cybereason.com/hs-fs/hubfs/kimsuky29.png?width=2451&name=kimsuky29.png 2451w" sizes="(max-width: 817px) 100vw, 817px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">PDB Path and resources of the malware</span></em></p> <p>The file is also signed with the following revoked certificate. As can be seen, the signing date may be fake as well. The certificate issuer, EGIS Co., Ltd, was previously reported to have been <a href="https://blog.alyac.co.kr/2299" rel="noopener" target="_blank"><span>used by Kimsuky</span></a>:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=626&name=kimsuky30.png" alt="kimsuky30" width="626" style="width: 626px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=313&name=kimsuky30.png 313w, https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=626&name=kimsuky30.png 626w, https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=939&name=kimsuky30.png 939w, https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=1252&name=kimsuky30.png 1252w, https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=1565&name=kimsuky30.png 1565w, https://www.cybereason.com/hs-fs/hubfs/kimsuky30.png?width=1878&name=kimsuky30.png 1878w" sizes="(max-width: 626px) 100vw, 626px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Kimsuky’s typical revoked certificate</span></em></p> <p>When further examining the file, some interesting functionality can be found. Indicative strings and API calls can be decrypted <span style="background-color: #ffffff;">by subtracting 1 from each character, similar to the KGH backdoor, whose strings can be decrypted by subtracting 5 from each character.</span> Decrypting the strings reveals the malware’s full log messages. 
The log file is stored in <em>%appdata%\microsoft\NTUSERS.log</em>:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=406&name=kimsuky31-a.png" alt="kimsuky31-a" width="406" style="width: 406px; float: left; margin: 0px 10px 10px 0px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=203&name=kimsuky31-a.png 203w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=406&name=kimsuky31-a.png 406w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=609&name=kimsuky31-a.png 609w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=812&name=kimsuky31-a.png 812w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=1015&name=kimsuky31-a.png 1015w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-a.png?width=1218&name=kimsuky31-a.png 1218w" sizes="(max-width: 406px) 100vw, 406px"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=402&name=kimsuky31-b.png" alt="kimsuky31-b" width="402" style="width: 402px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=201&name=kimsuky31-b.png 201w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=402&name=kimsuky31-b.png 402w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=603&name=kimsuky31-b.png 603w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=804&name=kimsuky31-b.png 804w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=1005&name=kimsuky31-b.png 1005w, https://www.cybereason.com/hs-fs/hubfs/kimsuky31-b.png?width=1206&name=kimsuky31-b.png 1206w" sizes="(max-width: 402px) 100vw, 402px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Decrypted logging strings of CSPY Downloader</span></em></p> <p>It is interesting to note that some of the abovementioned log strings are grammatically incorrect, which can suggest that the malware author is not a native English speaker.</p> <p><span 
style="background-color: #ffffff;">The above logs imply that this sample might be a debug version of the malware. In many cases, debug versions are used by the malware authors for testing new malware or new features. This can also suggest that the malware is newly developed and has not been fully operationalized yet. Another clue that points to this assumption is that some parts of the malware code seem to be buggy or incomplete.</span></p> <a id="anti-analysis" data-hs-anchor="true"></a> <h3 style="font-size: 36px;"><span style="color: #434343;">Anti-analysis Techniques</span></h3> <p>Prior to downloading secondary payloads, CSPY Downloader initiates an extensive series of checks to determine if it is being debugged or running in a virtual environment, by searching for specific virtualization-related loaded modules, the process PEB structure, various file paths, registry keys, and memory:</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=851&name=kimsuky33.png" alt="kimsuky33" width="851" style="width: 851px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=426&name=kimsuky33.png 426w, https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=851&name=kimsuky33.png 851w, https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=1277&name=kimsuky33.png 1277w, https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=1702&name=kimsuky33.png 1702w, https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=2128&name=kimsuky33.png 2128w, https://www.cybereason.com/hs-fs/hubfs/kimsuky33.png?width=2553&name=kimsuky33.png 2553w" sizes="(max-width: 851px) 100vw, 851px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">A list of methods performing anti-analysis checks by the malware</span></em></p> <p><span style="background-color: #ffffff;">It is worth mentioning that the <a 
href="https://www.virustotal.com/gui/file/252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c/" style="background-color: #ffffff;" rel="noopener" target="_blank">document</a> that unpacks CSPY Downloader runs an almost identical series of Anti-VM techniques prior to dropping the downloader, which highlights the attackers’ efforts to avoid detection and remain under the radar.</span></p> <p>After the anti-analysis checks are complete, the loader starts preparing the infected environment for downloading additional payloads.<span style="background-color: #ffffff;"> There are three download attempts (and thus three GET requests, each ending with a different numeric ID); the payloads are then downloaded to the user’s %temp% folder.</span></p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=815&name=kimsuky36.png" alt="kimsuky36" width="815" style="width: 815px; margin: 0px auto;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=408&name=kimsuky36.png 408w, https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=815&name=kimsuky36.png 815w, https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=1223&name=kimsuky36.png 1223w, https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=1630&name=kimsuky36.png 1630w, https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=2038&name=kimsuky36.png 2038w, https://www.cybereason.com/hs-fs/hubfs/kimsuky36.png?width=2445&name=kimsuky36.png 2445w" sizes="(max-width: 815px) 100vw, 815px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Payloads download method</span></em></p> <p><span style="background-color: #ffffff;">Once downloaded, the payloads are moved and renamed. 
The whole process can be summarized as follows:</span><span style="background-color: #ffffff;"></span></p> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; height: 252px;" width="761" height="294"> <tbody> <tr style="height: 30px;"> <td style="border: 1pt solid #000000; width: 139px; height: 30px; background-color: #eeeeee; padding: 4px;"> <p><span style="background-color: #eeeeee;"><strong>Download URI</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 158px; height: 30px; background-color: #eeeeee; padding: 4px;"> <p><span style="background-color: #eeeeee;"><strong>Filename</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 322px; height: 30px; background-color: #eeeeee; padding: 4px;"> <p><span style="background-color: #eeeeee;"><strong>Copied To</strong></span></p> </td> <td style="border: 1pt solid #000000; width: 141px; height: 30px; background-color: #eeeeee; padding: 4px;"> <p><span style="background-color: #eeeeee;"><strong>Purpose</strong></span></p> </td> </tr> <tr style="height: 74px;"> <td style="border: 1pt solid #000000; width: 139px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">dwn.php?van=10860</span></p> </td> <td style="border: 1pt solid #000000; width: 158px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">dwn.dat0</span></p> </td> <td style="border: 1pt solid #000000; width: 322px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">%temp%\Appx.exe</span></p> </td> <td style="border: 1pt solid #000000; width: 141px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">Main executable</span></p> </td> </tr> <tr style="height: 74px;"> <td style="border: 1pt solid #000000; width: 139px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 
13px;">dwn.php?van=101</span></p> </td> <td style="border: 1pt solid #000000; width: 158px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">dwn.dat1</span></p> </td> <td style="border: 1pt solid #000000; width: 322px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">C:\Users\Public\Documents\AppxUp\BSup.hf</span></p> </td> <td style="border: 1pt solid #000000; width: 141px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">Possible module</span></p> </td> </tr> <tr style="height: 74px;"> <td style="border: 1pt solid #000000; width: 139px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">dwn.php?van=102</span></p> </td> <td style="border: 1pt solid #000000; width: 158px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">dwn.dat2</span></p> </td> <td style="border: 1pt solid #000000; width: 322px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">C:\Users\Public\Documents\AppxUp\BCup.hf</span></p> </td> <td style="border: 1pt solid #000000; width: 141px; height: 74px; padding: 4px;"> <p><span style="background-color: #ffffff; font-size: 13px;">Possible module</span></p> </td> </tr> </tbody> </table> <p> </p> <p>To execute the main downloaded payload, the loader tries to masquerade as a legitimate Windows service, claiming in its fake description, that it is used to support packed applications:</p> <p style="text-align: center;"><img src="https://lh5.googleusercontent.com/NjA394ymAOYkiXMlc5ml8ibtbVzQZe-RUM_6GHcNSVDnrfuMt3dOLlTHlcOYQQH7m9bTJCCPki6jQFLZl_5FsymqETe74YXSyZYmIu8Rh9wBSDgetmBEf3e1KWykNQ-f4Pht-NbE" width="931" height="279"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Registering the freshly downloaded malware as a service</span></em></p> <p>In order to avoid raising 
suspicion on the victim’s part, CSPY Downloader uses <a href="https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz" rel="noopener" target="_blank"><span>a known UAC bypass technique</span></a> that abuses the SilentCleanup scheduled task to execute the binary with elevated privileges.</p> <p style="text-align: center;"><img src="https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=805&name=kimsuky38.png" alt="kimsuky38" width="805" style="width: 805px;" srcset="https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=403&name=kimsuky38.png 403w, https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=805&name=kimsuky38.png 805w, https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=1208&name=kimsuky38.png 1208w, https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=1610&name=kimsuky38.png 1610w, https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=2013&name=kimsuky38.png 2013w, https://www.cybereason.com/hs-fs/hubfs/kimsuky38.png?width=2415&name=kimsuky38.png 2415w" sizes="(max-width: 805px) 100vw, 805px"></p> <p style="text-align: center; font-size: 16px;"><em><span style="color: #5e5f5f;">Using the schtasks utility to trigger the SilentCleanup task for the UAC bypass</span></em></p> <p><span style="background-color: #ffffff;">As part of the bypass, the value shown above is written to the registry as the %windir% variable and deleted after execution. <em>Appx.exe</em> is moved once again, this time to <em>%programdata%\Microsoft\Windows</em>, and registered as a service.</span></p> <p><span style="background-color: #ffffff;">Finally, CSPY Downloader runs its self-deletion routine.</span></p> <a id="conclusion" data-hs-anchor="true"></a> <h3 style="font-size: 36px;">Conclusion</h3> <p>In this report we uncovered a new toolset and infrastructure used by the Kimsuky group, a notorious activity group that has been operating on behalf of the North Korean regime since 2012. 
A close examination of the new infrastructure combined with pattern-analysis led Cybereason’s Nocturnus team to the discovery of the “KGH Spyware Suite”, a modular malware likely involved in recent espionage operations, and the “CSPY Downloader” - both were previously undocumented. </p> <p>In addition, our report shows certain interesting overlaps between older Kimsuky malware and servers and the newly discovered malware and infrastructure. Moreover, the report highlights several behavior-based and code similarities between the new malware samples and older known Kimsuky malware and TTPs. </p> <p>Throughout the report it is noticeable that the threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques. At the time of writing this report, some of the samples mentioned in the report are still not detected by any AV vendor. </p> <p>While the identity of the victims of this campaign remains unclear, there are clues that can suggest that the infrastructure targeted organizations dealing with human rights violations. 
At the time of writing this report, there is not enough information available to Cybereason to determine this with a high certainty, and in any case, there could be<span style="background-color: #ffffff;"> a wide range of industries, organizations and individuals that were targeted by Kimsuky using this i</span>nfrastructure.</p> <a id="mitre-attack" data-hs-anchor="true"></a> <h3 style="font-size: 36px;">MITRE ATT&CK BREAKDOWN</h3> <table style="border: none #99acc2; border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; width: 983px; height: 693.333px;"> <tbody> <tr style="height: 89px;"> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 119px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Reconnaissance</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 101px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Initial Access</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Execution</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 97px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Persistence</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Defense Evasion</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; 
color: #596a6f;">Credential Access</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Discovery</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 107px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Collection</span></strong></p> </td> <td style="background-color: #eeeeee; border: 0.75pt solid #99acc2; width: 105px; padding: 4px; height: 89px;"> <p style="text-align: center;"><strong><span style="font-size: 10pt; color: #596a6f;">Exfiltration</span></strong></p> </td> </tr> <tr style="height: 147px;"> <td style="border: 0.75pt solid #99acc2; width: 119px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1592/" style="font-size: 10pt; color: #00a0df;"><span>Gather Victim Host Information</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 101px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1566/" style="font-size: 10pt; color: #00a0df;"><span>Phishing</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1059/" style="font-size: 10pt; color: #00a0df;"><span>Command and Scripting Interpreter</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 97px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1547/001/" style="font-size: 10pt; color: #00a0df;"><span>Registry Run Keys </span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a 
href="https://attack.mitre.org/techniques/T1036/" style="font-size: 10pt; color: #00a0df;"><span>Masquerading</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1555/003/" style="font-size: 10pt; color: #00a0df;"><span>Credentials from Web Browsers</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1083/" style="font-size: 10pt; color: #00a0df;"><span>File and Directory Discovery</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 107px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1056/001/" style="font-size: 10pt; color: #00a0df;"><span>Keylogging</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 105px; padding: 4px; height: 147px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1041/" style="font-size: 10pt; color: #00a0df;"><span>Exfiltration Over C2 Channel</span></a></p> </td> </tr> <tr style="height: 153px;"> <td style="border: 0.75pt solid #99acc2; width: 119px; padding: 4px; height: 153px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1590/" style="font-size: 10pt; color: #00a0df;"><span>Gather Victim Network Information</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 101px; padding: 4px; height: 153px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 153px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1204/" style="font-size: 10pt; color: #00a0df;"><span>User Execution</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 97px; padding: 4px; height: 153px;"> <p style="text-align: center;"><a 
href="https://attack.mitre.org/techniques/T1037/001/" style="font-size: 10pt; color: #00a0df;"><span>Logon Script (Windows)</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 153px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1548/002" style="font-size: 10pt; color: #00a0df;"><span>Bypass User Account Control</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 153px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1056/001/" style="font-size: 10pt; color: #00a0df;"><span>Keylogging</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 153px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1082/" style="font-size: 10pt; color: #00a0df;"><span>System Information Discovery</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 107px; padding: 4px; height: 153px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 105px; padding: 4px; height: 153px;"> </td> </tr> <tr style="height: 182px;"> <td style="border: 0.75pt solid #99acc2; width: 119px; padding: 4px; height: 182px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 101px; padding: 4px; height: 182px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 182px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 97px; padding: 4px; height: 182px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1543/003/" rel="noopener"><span style="font-size: 10pt; color: #00a0df;">Windows </span><span style="font-size: 10pt; color: #00a0df;"> Service</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 182px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1070/006/" style="font-size: 10pt; color: 
#00a0df;"><span>Timestomp</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 182px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1539/" style="font-size: 10pt; color: #00a0df;"><span>Steal Web Session Cookie</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 182px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1016/" style="font-size: 10pt; color: #00a0df;"><span>System Network Configuration Discovery</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 107px; padding: 4px; height: 182px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 105px; padding: 4px; height: 182px;"> </td> </tr> <tr style="height: 121px;"> <td style="border: 0.75pt solid #99acc2; width: 119px; padding: 4px; height: 121px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 101px; padding: 4px; height: 121px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 121px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 97px; padding: 4px; height: 121px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 111px; padding: 4px; height: 121px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1027/002/" style="font-size: 10pt; color: #00a0df;"><span>Software Packing</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 121px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 116px; padding: 4px; height: 121px;"> <p style="text-align: center;"><a href="https://attack.mitre.org/techniques/T1497/" style="font-size: 10pt; color: #00a0df;"><span>Virtualization/Sandbox Evasion</span></a></p> </td> <td style="border: 0.75pt solid #99acc2; width: 107px; padding: 4px; height: 121px;"> </td> <td style="border: 0.75pt solid #99acc2; width: 105px; padding: 4px; height: 121px;"> </td> </tr> </tbody> </table> 
<h3 style="font-size: 8px;"> </h3> <a id="IOCs" data-hs-anchor="true"></a> <h3 style="font-size: 36px;"><span style="font-family: 'Barlow Condensed', sans-serif; letter-spacing: 0px; background-color: transparent;">Indicators of Compromise</span></h3> <p><strong><span style="font-size: 13pt;">URLs:</span></strong></p> <p>http://csv.posadadesantiago[.]com/home?act=news&id=[Machine_name]</p> <p>http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=upf&ver=x64</p> <p>http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=tre&ver=x64</p> <p>http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=wbi&ver=x64</p> <p>http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=cmd&ver=x64</p> <p>http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=pws&ver=x64</p> <p>http://csv.posadadesantiago[.]com/home?id=[Machine_name]&act=sbk&ver=x64</p> <p>http://csv.posadadesantiago[.]com/home/up.php?id=[Machine_name]</p> <p>http://myaccounts.posadadesantiago[.]com/test/Update.php?wShell=201</p> <p><span style="background-color: #ffffff;">http://wave.posadadesantiago[.]com/home/dwn.php?van=10860</span></p> <p><span style="background-color: #ffffff;">http://wave.posadadesantiago[.]com/home/dwn.php?van=101</span></p> <p><span style="background-color: #ffffff;">http://wave.posadadesantiago[.]com/home/dwn.php?van=102</span></p> <p><strong><span style="font-size: 13pt;">Domains</span></strong></p> <p>csv.posadadesantiago[.]com</p> <p>wave.posadadesantiago[.]com</p> <p>myaccounts.posadadesantiago[.]com</p> <p>www.eventosatitlan[.]com</p> <p><strong><span style="font-size: 13pt;">IPs</span></strong></p> <p>173.205.125.124</p> <p><strong><span style="font-size: 13pt;">Malicious Documents</span></strong></p> <p>97d4898c4e70335f0adbbace34593236cb84e849592e5971a797554d3605d323</p> <p>d88c5695ccd83dce6729b84c8c43e8a804938a7ab7cfeccaa0699d6b1f81c95c</p> <p>7af3930958f84e0b64f8297d1a556aab359bb65691208dc88ea4fc9698250c43</p> <p><span style="font-size: 11.5pt; color: 
#1d1c1d;">252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c</span></p> <p><strong><span style="font-size: 13pt;">KGH SPYWARE SUITE</span></strong></p> <p>Bcf4113ec8e888163f1197a1dd9430a0df46b07bc21aba9c9a1494d2d07a2ba9</p> <p>af13b16416760782ec81d587736cb4c9b2e7099afc10cb764eeb4c922ee8802f</p> <p>E4d28fd7e0fc63429fc199c1b683340f725f0bf9834345174ff0b6a3c0b1f60e</p> <p>66fc8b03bc0ab95928673e0ae7f06f34f17537caf159e178a452c2c56ba6dda7</p> <p>f989d13f7d0801b32735fee018e816f3a2783a47cff0b13d70ce2f1cbc754fb9</p> <p>Fa282932f1e65235dc6b7dba2b397a155a6abed9f7bd54afbc9b636d2f698b4b</p> <p>65fe4cd6deed85c3e39b9c1bb7c403d0e69565c85f7cd2b612ade6968db3a85c</p> <p><strong><span style="font-size: 13pt;">CSPY Downloader</span></strong></p> <p>7158099406d99db82b7dc9f6418c1189ee472ce3c25a3612a5ec5672ee282dc0</p> <p>e9ea5d4e96211a28fe97ecb21b7372311a6fa87ce23db4dd118dc204820e011c<br><br></p></span> <!--end 
row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-3 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_161767462015235" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module widget-type-blog_subscribe" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-mln__blog-listing-page__subscribe-footer"> <div class="container container-is-blog columns page-center"> <div class="column is-8-fullhd is-8-desktop is-10-tablet is-12-mobile"> <span class="tag">NEWSLETTER</span> <h3>Never miss a blog</h3> <p>Get the latest research, expert insights, and security industry news.</p> <a class="cr-button cr-mln__subscribe" href="#blog-subscribe">Subscribe</a> </div> <!--<div class="column is-5-fullhd is-5-desktop is-half-tablet is-12-mobile is-offset-1-fullhd is-offset-1-desktop"> <div class="inputs-wrapper"> </div> </div>--> </div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> <div class="row-fluid-wrapper row-depth-1 row-number-4 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_166508001252918" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><div class="cr-sticky-cta-bar bg-black" id="sticky-bar"> <div class="content"> <span>Want to see the Cybereason Defense Platform in action?</span> <a class="cr-button cr-button__fill-yellow" href="https://www.cybereason.com/request-a-demo" target="_blank">Schedule a Demo</a> </div> <div class="close">X</div> </div></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end body --> </div><!--end body wrapper --> <div 
class="footer-container-wrapper"> <div class="footer-container container-fluid"> <div class="row-fluid-wrapper row-depth-1 row-number-1 "> <div class="row-fluid "> <div class="span12 widget-span widget-type-custom_widget " style="" data-widget-type="custom_widget" data-x="0" data-w="12"> <div id="hs_cos_wrapper_module_16036762394194314" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><!-- FOOTER --> <footer class="cr-section cr-footer cr-footer__full"> <div class="container page-center"> <div class="columns"> <div class="column is-6-fullhd is-5-desktop cr-footer__col cr-footer__left"> <div class="cr-footer__Left-logo"> <a href="https://www.cybereason.com"> <img src="https://www.cybereason.com/hubfs/dam/images/images-web/logos/cr-brand/cr-logo-inline--primary-white.png"> </a> </div> </div> <div class="columns column is-6-fullhd is-6-desktop cr-footer__col cr-footer__right"> <div class="cr-footer__links-list column"> <h4>About</h4> <ul> <li><a href="https://www.cybereason.com/company/who-we-are">Who We Are</a> </li><li><a href="https://www.cybereason.com/company/careers">Careers</a> <!-- </li><li><a href="https://www.cybereason.com/company/leadership">Leadership</a> ---> </li><li><a href="https://www.cybereason.com/company/contact-us">Contact</a> </li></ul> </div> <div class="cr-footer__links-list column"> <h4>Resources</h4> <ul> <li><a href="https://www.cybereason.com/blog">Blog</a></li> <li><a href="https://www.cybereason.com/resources/tag/case-study">Case Studies</a></li> <li><a href="https://www.cybereason.com/resources/tag/webinars">Webinars</a></li> <li><a href="https://www.cybereason.com/resources/tag/white-papers">White Papers</a></li> </ul> </div> <div class="cr-footer__links-list column"> <h4>Platform</h4> <ul> <li><a href="https://www.cybereason.com/platform">Overview</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-prevention">Endpoint 
Protection</a></li> <li><a href="https://www.cybereason.com/platform/endpoint-detection-response-edr">EDR</a></li> <li><a href="https://www.cybereason.com/platform/managed-detection-response-mdr">MDR</a></li> </ul> </div> </div> </div> </div> <div class="container page-center"> <div class="columns cr-footer__bottom-bar"> <div class="column"> <p>©Cybereason 2025. All Rights Reserved.</p> </div> <div class="column bottom-bar__links"> <ul> <li><a href="https://www.cybereason.com/terms-of-use">Terms of Use</a></li> <li><a href="https://www.cybereason.com/privacy-notice">Privacy Notice</a></li> <li><a href="https://www.cybereason.com/ccpa-privacy-request">Do Not Sell</a></li> <li><a href="https://www.cybereason.com/security">Security</a></li> <!--<li><a href="#">Cookie Policy</a></li>--> </ul> </div> <div class="column bottom-bar__social"> <ul> <li><a class="facebook" href="https://www.facebook.com/Cybereason/"></a></li> <li><a class="twitter" href="https://twitter.com/cybereason"></a></li> <li><a class="youtube" href="https://www.youtube.com/channel/UCOm7AaB0HiNH4Phe66sK0Ew"></a></li> <li><a class="linkedin" href="https://www.linkedin.com/company/cybereason"></a></li> <li><a class="instagram" href="https://www.instagram.com/cybereason"></a></li> </ul> </div> </div> </div> </footer></div> </div><!--end widget-span --> </div><!--end row--> </div><!--end row-wrapper --> </div><!--end footer --> </div><!--end footer wrapper --> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/template_assets/42507089303/1644440411417/__CR_Web_Platform/JS/animatedModal/animatedModal.min.js"></script> <script> var hsVars = hsVars || {}; hsVars['language'] = 'en'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script 
src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41681847227/1644941386128/module_41681847227_CR_-_Malicious_Life_Network_--_Tier_One_Header.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/41682410610/1644941443113/module_41682410610_CR_-_Malicious_Life_Network_--_Main_Hero.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/43300360745/1724042213858/module_43300360745_CR_-_Malicious_Life_Network_--_Related_Posts.min.js"></script> <script src="https://www.cybereason.com/hs-fs/hub/3354902/hub_generated/module_assets/86933076631/1669911113440/module_86933076631_CR_-_Sticky_CTA_Bar.min.js"></script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.cybereason.com\/blog\/research\/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"]); _hsq.push(["setPageId", "36859260903"]); _hsq.push(["setContentMetadata", { "contentPageId": 36859260903, "legacyPageId": "36859260903", "contentFolderId": null, "contentGroupId": 5272851739, "abTestId": null, "languageVariantId": 36859260903, "languageCode": "en", }]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/3354902.js"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "6581ff60-af40-44d3-82ca-7d297be36768", ticks: 1739087868602, page_id: 36859260903, content_group_id: 5272851739, portal_id: 3354902, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "36859260903", category_id: 3, folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.393/js/index.js"></script> <script>if 
($('[id^="hs_form"]').length > 0) { var myInterval = setInterval( function() { var myFields = document.getElementsByClassName('hs-input'); if (myFields.length > 0) { clearInterval(myInterval); for (var i = 0; i < myFields.length; i++) { var myField = myFields[i]; var myTagName = myField.tagName.toLowerCase(); if (myTagName == 'input' || myTagName == 'textarea') { if (myField.placeholder != null) { myField.placeholder = myField.placeholder.replace('*', ''); } } else if (myTagName == 'select') { myField.options[0].innerHTML = myField.options[0].innerHTML.replace('*', ''); } } } }, 100); } </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_GB/sdk.js#xfbml=1&version=v3.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script> <script> function sticky_relocate() { var window_top = $(window).scrollTop(); var div_top = $('#sticky-anchor').offset().top; if (window_top > div_top) { $('#sticky').addClass('stick'); } else { $('#sticky').removeClass('stick'); } } $(function() { $(window).scroll(sticky_relocate); sticky_relocate(); }); </script> <!-- Generated by the HubSpot Template Builder - template version 1.03 --> <script type="text/javascript" src="/_Incapsula_Resource?SWJIYLWA=719d34d31c8e3a6e6fffd425f7e032f3&ns=2&cb=1711645178" async></script></body></html>