The Kimsuky advanced persistent threat (APT) is expected to target more APAC countries in the near future

Nearly 10 years since Kaspersky experts unmasked an active cyberespionage campaign primarily targeting South Korean think tanks, the state-sponsored group dubbed as Kimsuky continues to show prolific updating of tools and tactics.

Also known as Thallium, Black Banshee and Velvet Chollima, Kimsuky has continuously configured multi-stage command and control servers (C2) with various commercial hosting services located around the world.

According to the firm’s Lead Security Researcher for Global Research and Analysis Team (GReAT): “From fewer than 100 C2 servers in 2019, Kimsuky now has 603 malicious command centers as of July this year which clearly suggests that the threat actor is posed to launch more attacks, possibly beyond the Korean peninsula. Its history suggests that government agencies, diplomatic entities, media, and even cryptocurrency businesses in APAC should be on high alert against this stealthy threat.”

Kimsuky’s GoldDragon cluster
The skyrocketing number of C2 servers is part of Kimsuky’s continuous operations in the Asia Pacific region and beyond. In early 2022, Kaspersky’s team of experts have observed another wave of attacks targeting journalists and diplomatic and academic entities in South Korea.

Dubbed as the “GoldDragon” cluster, the threat actor initiated the infection chain by sending a spearphishing email containing a macro-embedded Word document. Various examples of different Word documents used for this new attack were uncovered, each showing different decoy contents related to geopolitical issues in the Korean Peninsula.

Another notable Kimsuky technique is the diligence to verify the identity of specific targeted victims and using only the most relevant spearphishing email headings. Phishing emails could have headings ranging from “the agenda of the 2022 Asian Leadership Conference” to matters associated with an “Australian diplomat’s curriculum vitae”.

Park added: “The Kimsuky group continuously evolves malware infection schemes and adopts novel techniques to hinder analysis. The difficulty in tracking this group is that it’s tough to acquire a full-infection chain. Most recently, threat actors adopted victim verification methodology in their C2  servers. Despite the difficulty of getting server-side objects, if we analyze an attacker’s server and malware from the victim’s side, we can fully understand how the threat actors operate their infrastructure and what kind of techniques they employ.”