Kimusky, a North Korean nation-state group, has been linked to a new wave of nefarious activities targeting political and diplomatic entities in its southern counterpart in early 2022.
The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting to the implementation of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials.
South Korean university professors, think tank researchers, and government officials are among the potential victims.
Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.
The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.
Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphon email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.
The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages containing macro-embedded Microsoft Word documents supposedly comprising content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys in order to compromise the system.
Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that is orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.
The attack is unique in that it sends the victim's email address to the command-and-control (C2) server if the recipient clicks on a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned.
To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.
"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.