Kimsuky (aka APT43) is a North Korean threat group active since 2018 that focuses on espionage and financially motivated cybercrime across multiple technologies and regions. Its recent activity includes a malicious Chrome extension (TRANSLATEXT), a Linux backdoor (Gomir), and social-engineering campaigns such as spear-phishing and watering hole attacks.

Keypoints

  • Group Name: Kimsuky (also known as APT43)
  • Motivation: Espionage and financial gain
  • Target Technologies: Office suites, operating systems, and web applications
  • Targeted Countries: South Korea, the United States, Japan, Vietnam, and NATO-affiliated European nations
  • Recently Exploited Vulnerabilities: CVE-2024-21338, CVE-2021-44228, CVE-2017-17215, CVE-2017-11882, CVE-2020-0787, CVE-2017-0199, CVE-2017-0144
  • Malware Used: RandomQuery, xRAT, Gold Dragon
  • Recent Campaigns: TRANSLATEXT Chrome extension targeting South Korean academia; Gomir Linux backdoor delivered via trojanized installers; ongoing use of spear-phishing and watering hole tactics

MITRE Techniques

  • [T1594] Reconnaissance – Gathering information about potential targets.
  • [T1053.005] Execution – Executing malicious code on target systems.
  • [T1027] Defense Evasion – Obfuscating malware to evade detection.
  • [T1550.002] Lateral Movement – Moving within networks to access additional systems.
  • [T1016] Discovery – Identifying network and system information.
  • [T1040] Collection – Gathering sensitive information from compromised systems.
  • [T1071.001] Command and Control – Establishing communication with compromised systems.
  • [T1543.003] Privilege Escalation – Gaining elevated access to systems.
  • [T1190] Initial Access – Gaining entry into victim networks.
  • [T1111] Credential Access – Stealing user credentials for further access.
  • [T1041] Exfiltration – Transferring stolen data out of the network.

Indicators of Compromise

  • [Domain] Attacker-controlled GitHub repository hosting the TRANSLATEXT extension – github.com
  • [Malware] RandomQuery, xRAT, and Gold Dragon – used by Kimsuky
  • [Backdoor] Gomir – Linux backdoor (variant of GoBear) delivered via trojanized installers
  • [File/Extension] TRANSLATEXT Chrome extension – malicious Chrome extension

Read more: https://www.cyfirma.com/research/apt-profile-kimsuky/