Every move they make, every law they break, will have been observed and analyzed by a cybersecurity firm’s AI/ML technology.

Advanced persistent threat group TA406, widely associated with the North Korean threat actor Kimsuky and known for espionage, cybercrime, sextortion, malware and credential harvesting campaigns, has been active throughout H1 2021, targeting foreign policy experts, journalists and non-governmental organizations with credential theft campaigns on an almost weekly basis.

A new report on their nefarious activities has been released by Proofpoint that details several examples of each genre of cybercriminal activity, including two implants used by TA406 that have not been discussed before in open source reporting. The report also provides evidence that TA406 conducts financially motivated campaigns, including cryptocurrency and sextortion. 

One of the campaigns detailed in the report occurred around March 2021, at the time of the North Korean missile tests. That campaign targeted several organizations and individuals not previously observed as TA406 targets, including some of the highest-ranking elected officials of several different governmental institutions, an employee at a consulting firm, and government institutions related to defense, law enforcement and more.

The threat group uses its own registered and controlled infrastructure to host credential capture web pages and malicious documents, and also uses a limited number of legitimate, compromised websites as infrastructure.

To distribute phishing lures, they use a mixture of Gmail, Yandex and Mail[.]ru email accounts masquerading as legitimate government or non-profit entities, in addition to custom message-sending tools such as Star and the PHP-based PHPMailer.

URLs in their phishing emails point to the SendGrid email delivery service, which redirects to an attacker-controlled domain hosting the malicious payload or a credential-harvesting page. Their email threat campaigns appear to focus primarily on corporate credential capture. However, Proofpoint has identified multiple recent TA406 malware campaigns that may have had information-gathering objectives.

Previous campaigns likely associated with TA406 have distributed Remote Access Trojans likely used in data theft and reconnaissance operations; this malware includes KONNI, SANNY and CARROTBAT.

The cybersecurity firm anticipates that TA406 will continue to conduct frequent corporate credential theft operations, targeting entities of interest to North Korea.