A North Korean threat actor active since 2012 has been behind a new espionage campaign targeting high-profile government officials associated with its southern counterpart to install an Android and Windows backdoor for collecting sensitive information.
Cybersecurity firm Malwarebytes attributed the activity to a threat actor tracked as Kimsuky, with the targeted entities comprising the Ministry of Foreign Affairs, the Ambassador of the Embassy of Sri Lanka to the State, an International Atomic Energy Agency (IAEA) Nuclear Security Officer, and the Deputy Consul General at the Korean Consulate General in Hong Kong.
The attacks also involved collecting information about other organizations and universities in the country, including the Korea Internet and Security Agency (KISA), Seoul National University, and Daishin Securities. Malwarebytes, however, noted that there is no evidence of active targeting or compromise by the adversary.
The development is only the latest in a series of surveillance efforts aimed at South Korea. Believed to be operating on behalf of the North Korean regime, Kimsuky (aka Velvet Chollima, Black Banshee, and Thallium) has a track record of singling out South Korean entities while expanding its victimology to the U.S., Russia, and various nations in Europe.
Last November, the adversary was linked to a new modular spyware suite called "KGH_SPY," which allows it to carry out reconnaissance of target networks, log keystrokes, and steal confidential information, as well as a stealthy malware under the name "CSPY Downloader" that's designed to thwart analysis and download additional payloads.
Kimsuky's attack infrastructure consists of various phishing websites that mimic well-known services such as Gmail, Microsoft Outlook, and Telegram, with the aim of tricking victims into entering their credentials. "This is one of the main methods used by this actor to collect email addresses that later will be used to send spear-phishing emails," Malwarebytes researcher Hossein Jazi said.
With social engineering as a core component of its operations, the actor's goal is to distribute a malware dropper in the form of a ZIP archive attached to the emails, which ultimately leads to the deployment of an encoded DLL payload called AppleSeed, a backdoor that Kimsuky has put to use since at least 2019.
"Besides using the AppleSeed backdoor to target Windows users, the actor also has used an Android backdoor to target Android users," Jazi noted. "The Android backdoor can be considered as the mobile variant of the AppleSeed backdoor. It uses the same command patterns as the Windows one. Also, both Android and Windows backdoors have used the same infrastructure."
AppleSeed has all the hallmarks of a typical backdoor, with myriad capabilities to record keystrokes, capture screenshots, collect documents with specific extensions (.txt, .ppt, .hwp, .pdf, and .doc), and gather data from removable media devices connected to the machine, all of which are then uploaded to a remote command-and-control server.
But perhaps the most interesting discovery of all is that the threat actor calls itself Thallium in the malware source code, which is the moniker assigned by Microsoft in keeping with its tradition of naming nation-state hacking groups after chemical elements.