Kimsuky and Lazarus operate as a coordinated pair — Kimsuky conducts precise espionage via academic-themed spearphishing to collect network maps and credentials, while Lazarus exploits zero-day vulnerabilities to escalate privileges and steal cryptocurrency. The collaboration uses shared C2 infrastructure, bespoke backdoors (e.g., FPSpy, InvisibleFerret) and evasive techniques to exfiltrate intelligence and millions in crypto with minimal detection. #Kimsuky #Lazarus
Keypoints
- Kimsuky uses highly tailored academic-themed spearphishing (malicious HWP and MSC attachments) to harvest credentials and reconnaissance data and to deploy the FPSpy backdoor and KLogEXE keylogger.
- Lazarus leverages zero-day Windows privilege-escalation (notably CVE-2024-38193) and malicious Node.js packages to gain SYSTEM privileges and deploy InvisibleFerret for wallet theft.
- The two groups share intelligence, infrastructure (jump hosts and overlapping C2 IPs/domains) and tools, forming an “intelligence + financial theft” operational model under DPRK control.
- Attacks use multiple defense-evasion techniques: encrypted/HTTP-like C2 traffic, multi-layer packing (Fudmodule), domain rotation, and anti-EDR capabilities to avoid detection.
- High-impact results include rapid exfiltration of sensitive documents and thefts of cryptocurrency (examples cited: $32M in a single incident; over $120M cumulative since 2024).
- Trend Micro recommends combined “intelligence defense + technical protections”: validate academic invitations, harden wallets (hardware wallets), patch high-risk Windows vulnerabilities, and monitor C2/IOC indicators.
MITRE Techniques
- [T1566] Phishing – Kimsuky sent targeted academic invitation emails with malicious attachments to gain initial access (‘the attachment was an HWP “agenda” which actually concealed the FPSpy backdoor’).
- [T1056] Input Capture (Keylogging) – Attackers used KLogEXE to capture keystrokes and harvest email passwords (‘the backdoor silently launches the KLogEXE keylogger to steal email passwords and meeting records’).
- [T1068] Exploitation for Privilege Escalation – Lazarus exploited a Windows zero-day (CVE-2024-38193) to escalate to SYSTEM and deploy backdoors (‘used the Windows zero-day CVE-2024-38193 … after extracting the Node.js package, attackers immediately obtained SYSTEM privileges’).
- [T1059] Command and Scripting Interpreter – A malicious Node.js project file was delivered and executed by staff who treated it as an open-source toolkit (‘the malicious Node.js project file was mistaken for an “open-source toolkit” and decompressed, giving attackers SYSTEM’).
- [T1105] Ingress Tool Transfer – Attackers transferred and staged tools/backdoors (InvisibleFerret, BeaverTail, MoonPeak) inside victim networks as part of the attack chain (‘deploy InvisibleFerret backdoor … call BeaverTail tool to steal wallet keys and transactions’).
- [T1547] Boot or Logon Autostart Execution (Persistence) – Remote access tools and backdoors (MoonPeak, InvisibleFerret) were used to maintain long-term footholds and masquerade as legitimate processes (‘MoonPeak can disguise as a system update process, enabling screen monitoring and file theft’).
- [T1027] Obfuscated Files or Information – Malware used multi-layer packing and obfuscation (Fudmodule, multiple packers) to evade static detections (‘malicious files adopt multi-layer packing, showing as normal office software in static scans’).
- [T1071] Application Layer Protocol – C2 communications were encrypted and disguised as normal HTTP traffic to blend with legitimate network flows (‘communication traffic encrypted and disguised as normal HTTP requests, making it hard for flow analysis tools to detect’).
- [T1041] Exfiltration Over C2 Channel – Stolen credentials, network maps, and wallet keys were exfiltrated to shared C2 servers controlled by the attackers (‘stolen enterprise network maps and permissions were synchronized to Lazarus’s attack terminals’).
- [T1078] Valid Accounts – Stolen credentials were reused to access domain controllers and move laterally within the environment (‘using stolen credentials to log into domain controllers and push malware via modified group policies’).
- [T1484] Domain Policy Modification – Adversaries altered group policy to distribute malware across endpoints and accelerate lateral movement (‘modify group policy to push malicious software to other endpoints, allowing rapid compromise of core servers’).
Indicators of Compromise
- [File Hashes] malicious payloads – FPSpy MD5: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6, InvisibleFerret MD5: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1.
- [IP Addresses] shared C2 infrastructure – reported C2 IP: 192.168.xxx.xxx (noted overlap with 2014 Korean nuclear facility attack infrastructure).
- [Domains] impersonation and C2 – academic lure domain: academic-symposium[.]info; attackers also used rotating domains masquerading as e-commerce/news sites.
- [File Names / Attachments] initial access vectors – malicious HWP “conference agenda” and MSC files used to deliver FPSpy and other payloads; malicious Node.js project file used to trigger privilege escalation.
- [Processes / Paths] suspicious behavior indicators – HWP files triggering winlogon.exe calls; abnormal process access to blockchain wallet directories such as %APPDATA%\MetaMask.
- [Vulnerabilities] exploited CVE – CVE-2024-38193 (Windows accessibility driver privilege escalation) used to obtain SYSTEM privileges and deploy InvisibleFerret.
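As an added example (not code from the Trend Micro report or the cn-sec summary), the Python triage routine below applies the indicators listed above to constructed endpoint events: it refangs the lure domain, matches the two MD5 values, flags a non-browser process reading the MetaMask profile, and flags an HWP viewer that spawns or invokes winlogon.exe. The viewer image name hwp.exe, the browser allow-list and the expansion of %APPDATA% to AppData\Roaming are assumptions, not details from the report.

```python
import re

# Indicators copied from the report above; the defanged domain is refanged.
IOC_DOMAINS = {"academic-symposium[.]info".replace("[.]", ".")}
IOC_MD5 = {"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
           "f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1"}
# Assumptions not stated in the report: %APPDATA% expands to AppData\Roaming,
# browsers are the only expected readers of the MetaMask profile, and the
# Hancom HWP viewer runs as hwp.exe.
WALLET_DIR = re.compile(r"\\appdata\\roaming\\metamask\\", re.I)
WALLET_READERS = {"chrome.exe", "msedge.exe", "brave.exe"}
HWP_VIEWERS = {"hwp.exe"}

def check(ev):
    """Return the name of the first rule an event trips, or None."""
    kind = ev["type"]
    if kind == "dns" and ev["query"].lower().rstrip(".") in IOC_DOMAINS:
        return "ioc_domain"
    if kind == "file":
        if ev.get("md5", "").lower() in IOC_MD5:
            return "ioc_hash"
        if WALLET_DIR.search(ev["path"]) and ev["image"].lower() not in WALLET_READERS:
            return "wallet_access_by_unexpected_process"
    if kind == "process":
        # The report's "HWP files triggering winlogon.exe calls": a document
        # viewer that spawns or invokes winlogon.exe is outside normal behaviour.
        cmd = ev.get("cmdline", "").lower()
        if ev["parent"].lower() in HWP_VIEWERS and (
                ev["image"].lower() == "winlogon.exe" or "winlogon.exe" in cmd):
            return "hwp_winlogon_chain"
    return None

def triage(events):
    """Run every event through check() and keep (id, rule) pairs for the hits."""
    return [(ev["id"], hit) for ev in events if (hit := check(ev))]

# Constructed sample telemetry (not real logs): one DNS query, three file
# accesses and one process-creation event.
SAMPLE = [
    {"id": "e1", "type": "dns", "query": "academic-symposium.info"},
    {"id": "e2", "type": "file", "image": "chrome.exe",
     "path": r"C:\Users\kim\AppData\Roaming\MetaMask\000003.log"},
    {"id": "e3", "type": "file", "image": "node.exe",
     "path": r"C:\Users\kim\AppData\Roaming\MetaMask\000003.log"},
    {"id": "e4", "type": "file", "image": "explorer.exe",
     "path": r"C:\Users\kim\Downloads\agenda.hwp",
     "md5": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"},
    {"id": "e5", "type": "process", "parent": "hwp.exe", "image": "winlogon.exe"},
]
```

Running `triage(SAMPLE)` yields hits for e1, e3, e4 and e5; the browser's own read of the MetaMask profile (e2) is not flagged.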
Read more: https://cn-sec.com/archives/4704912.html