Security researchers have uncovered an evolution in the tactics and tools used by a threat actor possibly linked to North Korea.
The Kimsuky group has been operating since at least 2013, and for most of its existence, its targets have been organisations in South Korea, but recently, researchers at the AhnLab Security Emergency Response Center (ASEC) have spotted the group targeting organisations outside of the peninsula.
Previously, the group would use spear-phishing attacks that took advantage of malicious file attachments to gain access to networks and install and deploy malware. But in a recent investigation, ASEC observed Kimsuky taking advantage of an unpatched vulnerability in a Windows IIS server to deploy its malware.
The group then used a PowerShell command to launch Kimsuky’s payload. The initial payload is Metasploit, which, in turn, installs one of its own modules, Meterpreter.
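As an added example (not from the ASEC report or this article), the following detection logic shows the kind of check a defender can run over process-creation telemetry for the step described above. It assumes Sysmon-style Image, ParentImage and CommandLine fields, and that IIS application pools run as w3wp.exe (an assumption, not something the article states); it flags a shell spawned directly by the web server worker process and notes when the command line carries an encoded PowerShell payload. The log lines are constructed for illustration.

```python
"""Flag shells spawned by an IIS worker process in process-creation logs.

Added example, not part of the ASEC report. Assumes Sysmon-style fields
(Image, ParentImage, CommandLine) and that IIS application pools run as
w3wp.exe. Log lines below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Assumed: image name of the IIS worker process (other web hosts could be added).
WEB_SERVER_PARENTS = {"w3wp.exe"}
# Shells that a web server process has no routine reason to launch.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Matches -e / -enc / -EncodedCommand followed by a base64-looking blob.
ENCODED_CMD = re.compile(r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")


@dataclass
class Finding:
    record: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_record(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' record into a dict.

    partition() splits on the first '=' only, so '=' characters inside the
    value (e.g. base64 padding in CommandLine) are preserved.
    """
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyse(lines) -> list:
    """Return a Finding for each record where a web server worker spawns a shell."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        parent = _basename(rec.get("ParentImage", ""))
        child = _basename(rec.get("Image", ""))
        if parent in WEB_SERVER_PARENTS and child in SHELL_CHILDREN:
            reason = f"{parent} spawned {child}"
            if ENCODED_CMD.search(rec.get("CommandLine", "")):
                reason += " with an encoded command"
            findings.append(Finding(line, reason))
    return findings


# Constructed sample records; the base64 blob is a placeholder, not a real payload.
SAMPLE_LOGS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -File C:\\scripts\\backup.ps1",
    "Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=c:\\windows\\system32\\inetsrv\\w3wp.exe -ap DefaultAppPool",
    "Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|CommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding.reason, "::", finding.record[:80])
```

Only the two records whose parent is w3wp.exe are reported; the legitimate backup script launched from explorer.exe and the worker process itself being started by svchost.exe are left alone, which is the parent/child relationship the rule keys on.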
“Metasploit is a penetration testing framework,” ASEC said in a blog post. “They are tools that can be used to inspect security vulnerabilities for networks and systems of companies and organisations, providing various features for each penetration test stage.
“Meterpreter is a backdoor provided by Metasploit and can perform various malicious behaviours by receiving commands from the threat actor.”
Being an open-source tool, Metasploit is used by many similar threat actors, and there is a whole raft of how-to videos about the software hosted on YouTube, making it easy to learn to use.
Other changes in tactics observed by ASEC include a move to malware written in GoLang, while other elements, such as the group’s command and control infrastructure, remain the same. This means that, despite the new attack methodology, researchers can still attribute the activity to Kimsuky.
“What’s different than usual is that the Meterpreter Stager is developed in GoLang. In the past, the Kimsuky group developed their own malware,” ASEC wrote, “or packed it with a packer such as VMProtect when distributing the malware”.
“After a successful breach, Meterpreter was installed in the target systems for the threat actor to gain control over the web server,” ASEC said.
According to ASEC, such web server intrusions underline the need to keep servers patched and up to date.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.