A North Korean state-sponsored group, Kimsuky, conducted a sophisticated cyber-espionage campaign against a Western European weapons manufacturer, revealed in May 2024. The operation featured new espionage tools, a deceptive General Dynamics-themed lure, spear-phishing with a JavaScript (.jse) attachment, a decoy document, base64-encoded payloads, service- and registry-based persistence, and C2 infrastructure linked to Kimsuky. #Kimsuky #GeneralDynamics #StarkIndustries #WesternEuropeanWeaponsManufacturer
Keypoints
- The attack was first disclosed on LinkedIn after being discovered on May 16, 2024; the target was a Western European weapons manufacturer.
- The Kimsuky group introduced novel espionage tools as part of this campaign.
- The primary target underscores the defense sector’s strategic value in cyber espionage.
- The attackers used the “General Dynamics” brand as a visual lure to deceive victims.
- Spear-phishing delivered a malicious JavaScript attachment named “Safety Manager JD (General Dynamics HR Division II).jse” to employees.
- Execution decoded two base64 blocks embedded in the script: a decoy PDF shown to the victim and a malicious payload that ran covertly and provided persistence and data-exfiltration capabilities.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The intrusion started with a spear-phishing email carrying a malicious script attachment. “…The attack began with a spear-phishing email sent to employees of the targeted organization.” The attachment was a JavaScript file named “Safety Manager JD (General Dynamics HR Division II).jse.”
- [T1059.007] JavaScript – The .jse attachment (an encoded JScript file executed by Windows Script Host) is what delivers the payload. “…The email contained a malicious JavaScript file attachment named ‘Safety Manager JD (General Dynamics HR Division II).jse.’”
- [T1132] Data Encoding – The executable library was encoded with double base64 to conceal payload and functionality. “…encoded with double base64, included functions for remote execution by the attacker.”
- [T1543.003] Create or Modify System Process: Windows Service – For persistence, a new service named “CacheDB” was created with an automatic start type. “…To ensure persistence, the program created a new service called ‘CacheDB’ with the start=auto parameter…”
- [T1112] Modify Registry – The malware also wrote itself into a system registry key so that it launched on every reboot. “…inscribed itself in the system registry key, ensuring it launched every time it rebooted.”
- [T1071.001] Web Protocols – C2 communication used a unique identifier and a browser-like User-Agent to blend in with legitimate traffic. “…a User-Agent string that mimicked a legitimate browser.”
- [T1083] File and Directory Discovery – The tool enumerated directories and files on the compromised system. “…Enumerating directories and files and exfiltrating information to the C2 server.”
- [T1057] Process Discovery – The tool retrieved the full path of running processes. “…Retrieving the full path of running processes.”
- [T1113] Screen Capture – The tool captured and exfiltrated screenshots. “…Capturing and exfiltrating screenshots.”
- [T1105] Ingress Tool Transfer – The attacker downloaded secondary payloads to expand capability. “…downloading secondary payloads.”
- [T1070.004] File Deletion – The program removed itself and cleaned up traces, including registry entries. “…removing itself from the compromised system, including cleaning up registry entries.”
- [T1041] Exfiltration Over C2 Channel – Exfiltrated data to the C2 server. “…exfiltrating information to the C2 server.”
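The dropper described above (keypoint on decoding two base64 blocks, and the double-base64 encoding noted under T1132) can be triaged statically without running the script. The following Python helper is an added example, not code from the report or from the malware: it pulls base64 string literals out of a JScript-style dropper, peels nested base64 layers until a recognisable file type appears, and classifies each recovered blob by magic bytes. The sample dropper text, the decoy bytes and the fake PE header are constructed for this example; the real attachment and payload are not reproduced here.

```python
"""Static triage of a JScript (.jse-style) dropper that embeds base64 blobs.

Added example (not the report's or the malware's code). Assumes the dropper
stores a decoy document and a payload as long base64 string literals, and
that the payload may be wrapped in a second base64 layer ("double base64").
"""
import base64
import binascii
import hashlib
import re

# Magic bytes for the file types we expect to recover from this kind of dropper.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
}

# A quoted run of base64-alphabet characters. The length floor keeps out
# ordinary short strings such as object names or file extensions.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=]{40,})["\']')


def classify(data: bytes) -> str:
    """Return a file-type label based on leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def peel_base64(blob: str, max_layers: int = 4):
    """Decode nested base64 layers until decoding fails or a known file type
    appears. Returns (decoded_bytes, number_of_layers_decoded)."""
    current = blob.encode("ascii")
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # binary data that is not itself base64: stop peeling
        layers += 1
        current = decoded
        if classify(current) != "unknown":
            break  # do not try to decode a recovered PDF/PE as base64 again
    return current, layers


def extract_blobs(script_text: str):
    """Find every base64 literal in the dropper, peel it and classify it."""
    results = []
    for m in B64_LITERAL.finditer(script_text):
        data, layers = peel_base64(m.group(1))
        results.append({
            "offset": m.start(1),          # where the literal sits in the script
            "layers": layers,               # 1 = single base64, 2 = double base64
            "kind": classify(data),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # compare against IoCs
            "data": data,
        })
    return results


# Constructed sample dropper mimicking the reported structure: a decoy PDF in
# single base64, followed by a payload wrapped in two base64 layers.
_DECOY = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40  # fake PE header only
SAMPLE_JSE = (
    'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    'var decoy = "' + base64.b64encode(_DECOY).decode() + '";\n'
    'var lib = "' + base64.b64encode(base64.b64encode(_PAYLOAD)).decode() + '";\n'
    "dropAndRun(decoy, lib);\n"
)


if __name__ == "__main__":
    for blob in extract_blobs(SAMPLE_JSE):
        print(f"offset={blob['offset']} layers={blob['layers']} "
              f"kind={blob['kind']} size={blob['size']} sha256={blob['sha256']}")
```

Run it against a real dropper by reading the file text into `extract_blobs`; the `sha256` of each recovered blob is what to compare against the hashes in the Indicators of Compromise, since the hash of the .jse wrapper will not match the hash of the embedded library.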
Indicators of Compromise
- [SHA-256] hash – 24A42A912C6AD98AB3910CB1E031EDBDF9ED6F452371D5696006C9CF24319147
- [MD5] hash – 8346D90508B5D41D151B7098C7A3E868
- [Domain/URL] – hxxp://download.uberlingen[.]com/index[.]php
Read more: https://gbhackers.com/north-korean-kimsuky-attacking/