The Kimsuky group used generative AI (ChatGPT) to create deepfake images of South Korean military ID cards and incorporated them into spear-phishing campaigns that deployed obfuscated scripts and AutoIt-based payloads to contact C2 servers. Affected targets include South Korean military agencies and portal companies, highlighting the need for EDR adoption and improved endpoint detection to counter obfuscated multi-stage attacks. #Kimsuky #ChatGPT
Keypoints
- Kimsuky leveraged generative AI (ChatGPT) to produce deepfake military ID images used in targeted spear-phishing emails.
- Attackers used LNK shortcuts, obfuscated batch/PowerShell commands, and AutoIt-compiled executables to achieve multi-stage execution and persistence.
- Phishing lure templates impersonated South Korean portal security alerts and military ID issuance workflows, directing victims to C2 domains like liveml.cafe24[.]com and jiwooeng.co[.]kr.
- Obfuscation techniques included environment-variable string slicing, Vigenère-like character encryption, and comment/padding camouflage in Python to evade AV and static analysis.
- Payloads registered scheduled tasks (e.g., HncAutoUpdateTaskMachine) and used periodic C2 polling to download additional components and exfiltrate or enable remote control.
- Similar TTPs were observed across multiple campaigns (ClickFix, credential theft, HWP attachment lures) with overlapping indicators and identifiers like “Start_juice” and “Eextract_juice.”
- Adoption of EDR with behavior-based detection is crucial to detect the entire execution chain despite time delays and obfuscation techniques.
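The environment-variable string slicing mentioned in the key points is a cmd.exe feature: `%VAR:~start,len%` expands to a substring of the variable, so a command can be assembled one character at a time from a harmless-looking alphabet and never appears as a contiguous string in the file. The resolver below is an added example written for this summary, not code from the Genians report or from the malware it analyses; the variable name ab901ab is taken from the report, while the alphabet, the sample script and the watch-token list are constructed here. It expands a batch script line by line and reports which scanner-relevant tokens only become visible after expansion.

```python
"""Resolve cmd.exe environment-variable substring obfuscation (%VAR:~start,len%)
so that keyword-based static detection sees the command that actually runs."""
import re
from typing import Dict, List, Optional, Set

# 'set VAR=value' or 'set "VAR=value"' (cmd variable names are case-insensitive)
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
# %VAR:~start% and %VAR:~start,len% substring expansions
SLICE_RE = re.compile(r'%([A-Za-z0-9_]+):~(-?\d+)(?:,(-?\d+))?%')
# plain %VAR% expansion
PLAIN_RE = re.compile(r'%([A-Za-z0-9_]+)%')
# tokens a scanner would normally key on; slicing keeps them out of the file until run time
WATCH_TOKENS = ("powershell", "-w hidden", "cmd", "schtasks", "%temp%")

# Constructed sample in the style the report describes: variable 'ab901ab' (name
# from the report, contents made up here) holds an alphabet and the command is
# assembled one character at a time; the '::' line stands in for padding comments.
SAMPLE_BATCH = r'''
@echo off
set "ab901ab=abcdefghijklmnopqrstuvwxyz -."
:: padding line used for camouflage
%ab901ab:~15,1%%ab901ab:~14,1%%ab901ab:~22,1%%ab901ab:~4,1%%ab901ab:~17,1%%ab901ab:~18,1%%ab901ab:~7,1%%ab901ab:~4,1%%ab901ab:~11,1%%ab901ab:~11,1%%ab901ab:~-3,1%%ab901ab:~-2,1%%ab901ab:~22,1%%ab901ab:~-3,1%%ab901ab:~7,1%%ab901ab:~8,1%%ab901ab:~3,1%%ab901ab:~3,1%%ab901ab:~4,1%%ab901ab:~13,1%
'''


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Apply cmd.exe's %VAR:~start,len% rules: negative start counts from the end,
    negative len drops that many trailing characters, missing len means 'to the end'."""
    n = len(value)
    s = start if start >= 0 else max(0, n + start)
    if length is None:
        e = n
    elif length >= 0:
        e = s + length
    else:
        e = n + length
    return value[s:e] if e > s else ""


def expand_line(line: str, env: Dict[str, str]) -> str:
    """Expand substring references first, then plain %VAR% references, on one line."""
    def slice_repl(m: re.Match) -> str:
        value = env.get(m.group(1).lower())
        if value is None:
            return m.group(0)  # unknown variable: leave it visible for the analyst
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    def plain_repl(m: re.Match) -> str:
        return env.get(m.group(1).lower(), m.group(0))

    return PLAIN_RE.sub(plain_repl, SLICE_RE.sub(slice_repl, line))


def deobfuscate_batch(script: str) -> List[str]:
    """Walk the script in order, recording 'set' assignments as cmd would,
    and return the expanded form of every other non-empty, non-comment line."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("::") or line.lower().startswith("rem "):
            continue  # comment / padding lines carry no command
        m = SET_RE.match(line)
        if m:
            # a value may itself be built from slices of earlier variables
            env[m.group(1).lower()] = expand_line(m.group(2), env)
            continue
        commands.append(expand_line(line, env))
    return commands


def revealed_tokens(script: str) -> Set[str]:
    """Watch tokens that appear only after expansion. A non-empty result means the
    script was written so that keyword scanning of the file on disk would miss them."""
    before = script.lower()
    after = "\n".join(deobfuscate_batch(script)).lower()
    return {t for t in WATCH_TOKENS if t in after and t not in before}


if __name__ == "__main__":
    for cmd in deobfuscate_batch(SAMPLE_BATCH):
        print(cmd)
    print("revealed after expansion:", sorted(revealed_tokens(SAMPLE_BATCH)))
```

Expansion follows cmd's rules for negative offsets and lengths, and unknown variables are left as written so the analyst can see what is still unresolved. The `revealed_tokens` result is a useful triage signal on its own: a script whose keywords exist only after expansion was almost certainly built to defeat keyword scanning, which is exactly the gap that behaviour-based EDR is meant to close.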
MITRE Techniques
- [T1566] Phishing – Spear-phishing emails impersonating military institutions and portal security alerts to deliver malicious LNK or links (“spear-phishing attack impersonating the Kimsuky group… disguised as if it were handling ID issuance tasks”).
- [T1003] Credential Dumping – Attempted credential theft via phishing campaigns that directed victims to credential-harvesting pages (“Credential theft phishing attacks were also observed…”).
- [T1071] Command and Control – Communication with C2 servers using obfuscated scripts and periodic polling to download additional payloads (“script communicated periodically with the ‘jiwooeng.co[.]kr’ C2 server and executed new batch file commands”).
- [T1203] Execution – Execution of malicious PowerShell, batch, and AutoIt-compiled executables triggered by LNK shortcuts and cmd.exe invocation (decoded PowerShell command attempted to connect to the ‘private.php’ C2 server and downloaded files executed from %Temp%).
- [T1027] Obfuscated Files or Information – Use of string slicing, Vigenère-like character-level encryption, comment camouflage, and XOR/base64 transformations to hinder analysis (“environment variable ‘ab901ab’… obfuscated characters… decompiled AutoIt script was obfuscated… function ‘msdbvxez()’ implements a character-level encryption method”).
Indicators of Compromise
- [domain] C2 infrastructure and phishing redirect – liveml.cafe24[.]com, jiwooeng.co[.]kr
- [domain] Additional C2/hosting used in campaigns – snuopel.cafe24[.]com, guideline.or[.]kr
- [file name] Malicious payloads and installers – HncUpdateTray.exe (AutoIt3 disguised as Hancom update), config.bin (compiled AutoIt script)
- [file name] Malicious shortcuts and batch scripts – 공무원증 초안(***).lnk (Government_ID_Draft(***).lnk), LhUdPC3G.bat, tempprivate0082.bat
- [url] External download hosts – versonnex74[.]fr (attachment download link)
- [ip address] Observed sending/hosting IPs – 183.111.161[.]96 (KR), 51.158.21[.]1 (FR)
- [other] Additional C2 examples and failover hosts – hyounwoolab[.]com, dangol[.]pro, guideline.or[.]kr, and pcloud[.]com referenced for data hosting
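The techniques and indicators above describe one chain: an LNK launches cmd.exe with sliced variables, cmd starts a hidden PowerShell, PowerShell drops a renamed AutoIt interpreter (HncUpdateTray.exe running config.bin), the payload registers the HncAutoUpdateTaskMachine task, and the task polls the C2 on a timer. The detection below is an added example written for this summary, not a rule from the Genians report or from any product. It runs behaviour checks over constructed Sysmon-style records (process creation with Image, ParentImage, CommandLine and OriginalFileName; network connections with DestinationHostname). The file names, task name and domains are the page's indicators; the user path, timestamps and five-minute task interval are made up, and the assumption that the renamed interpreter still carries AutoIt3.exe in its OriginalFileName version field is labelled in the code.

```python
"""Behaviour-based checks for the execution chain the report describes
(LNK-launched cmd with sliced variables -> hidden PowerShell -> renamed AutoIt
interpreter -> scheduled task -> periodic C2 polling), run over Sysmon-style
process-creation (EventID 1) and network-connection (EventID 3) records."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Domains named in the report (defanged as published); refanged before matching.
IOC_DOMAINS = {"liveml.cafe24[.]com", "jiwooeng.co[.]kr", "snuopel.cafe24[.]com", "guideline.or[.]kr"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SLICE_RE = re.compile(r"%[A-Za-z0-9_]+:~-?\d+(?:,-?\d+)?%")           # %VAR:~n,m% slicing
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)  # hidden PowerShell window
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)

# Constructed sample telemetry (not real logs). File names, task name and C2 host come from
# the report; the user path, timestamps and the 5-minute interval are made up. OriginalFileName
# "AutoIt3.exe" on the renamed interpreter is an assumption about the binary's version info.
TMP = r"C:\Users\user\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "UtcTime": "2025-09-10 01:00:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c set "ab901ab=powershl- widn" & %ab901ab:~0,1%%ab901ab:~1,1%%ab901ab:~2,1%'},
    {"EventID": "1", "UtcTime": "2025-09-10 01:00:02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "<decoded stage omitted>"'},
    {"EventID": "1", "UtcTime": "2025-09-10 01:00:09", "ParentImage": PS,
     "Image": TMP + r"\HncUpdateTray.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": '"' + TMP + r'\HncUpdateTray.exe" config.bin'},
    {"EventID": "1", "UtcTime": "2025-09-10 01:00:10", "ParentImage": TMP + r"\HncUpdateTray.exe",
     "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks.exe /create /f /tn HncAutoUpdateTaskMachine /sc minute /mo 5 /tr "'
                    + TMP + r'\HncUpdateTray.exe config.bin"'},
    {"EventID": "1", "UtcTime": "2025-09-10 01:01:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "OriginalFileName": "chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},  # benign noise
]
EVENTS += [{"EventID": "3", "UtcTime": t, "Image": TMP + r"\HncUpdateTray.exe", "DestinationHostname": "jiwooeng.co.kr"}
           for t in ("2025-09-10 01:05:01", "2025-09-10 01:10:00", "2025-09-10 01:15:02", "2025-09-10 01:20:01")]
EVENTS += [{"EventID": "3", "UtcTime": t, "Image": r"C:\Windows\System32\svchost.exe", "DestinationHostname": "update.example.net"}
           for t in ("2025-09-10 01:03:00", "2025-09-10 01:33:00")]  # too few hits to count as a beacon


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def process_rule(ev: Dict[str, str]) -> str:
    """Name of the first behaviour rule a process-creation event matches, or '' for none."""
    if ev["EventID"] != "1":
        return ""
    image, cl = basename(ev["Image"]), ev["CommandLine"]
    # script host started with sliced variables or a hidden window (the report's T1027 / T1203 steps)
    if image in SCRIPT_HOSTS and (SLICE_RE.search(cl) or HIDDEN_RE.search(cl)):
        return "obfuscated_or_hidden_shell"
    # version info says AutoIt3 but the file is called something else (disguised interpreter)
    if ev.get("OriginalFileName", "").lower() == "autoit3.exe" and image != "autoit3.exe":
        return "renamed_autoit_interpreter"
    # scheduled task whose action lives in a user-writable directory (persistence step)
    if image == "schtasks.exe" and "/create" in cl.lower() and USER_WRITABLE.search(cl):
        m = TASK_NAME_RE.search(cl)
        return "scheduled_task_from_user_writable_path:" + (m.group(1) if m else "?")
    return ""


def detect_beacons(events: List[Dict[str, str]], min_hits: int = 4,
                   max_jitter: float = 0.1) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group network events by (process, destination) and flag regular polling: at least
    min_hits connections whose inter-arrival jitter (stdev / mean) is below max_jitter."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == "3":
            key = (basename(ev["Image"]), ev["DestinationHostname"].lower())
            groups[key].append(datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    known = {refang(d) for d in IOC_DOMAINS}
    beacons: Dict[Tuple[str, str], Dict[str, object]] = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = {"interval_s": avg, "known_ioc": key[1] in known}
    return beacons


def run_detections(events: List[Dict[str, str]]) -> Dict[str, object]:
    process_hits = []
    for i, ev in enumerate(events):
        rule = process_rule(ev)
        if rule:
            process_hits.append((i, rule))
    return {"process": process_hits, "beacons": detect_beacons(events)}


if __name__ == "__main__":
    result = run_detections(EVENTS)
    for idx, rule in result["process"]:
        print(f"event {idx}: {rule}")
    for (image, host), info in result["beacons"].items():
        print(f"beacon: {image} -> {host} every {info['interval_s']:.0f}s (known IoC: {info['known_ioc']})")
```

The beacon check keys on timing regularity rather than on the destination, so it survives infrastructure changes (the page lists several failover hosts); the IoC match is enrichment only. In production the process rules need an allow-list for legitimate installers that register tasks from %AppData%, and the beacon detector needs one for update agents, which also poll on fixed schedules.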
https://www.genians.co.kr/en/blog/threat_intelligence/deepfake