Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active subgroup, CloudDragon, has built a workflow that functions as a "Credential Factory," collecting stolen credentials at scale and exploiting them.
The credential factory powers CloudDragon's espionage campaigns. CloudDragon's campaigns align with the DPRK's interests, targeting the organizations and key figures that play a role in relations with the DPRK. Our database suggests that CloudDragon has infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three smaller cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects credentials in bulk and uses the stolen credentials to accelerate the APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While responding to CloudDragon incidents, we found that the actor still relies on the BabyShark malware. CloudDragon once used BabyShark to deploy a new malicious browser extension targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relies on hacking tools rather than malicious backdoors. We also identified that the actor uses legitimate remote desktop software to evade detection.
In this presentation, we will walk through some of the most significant operations conducted by CloudDragon and, more importantly, provide possible scenarios of future intrusions to support defense and detection.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers by Zih-Cing Liao and Yu-Tung Chang
1. CloudDragon's Credential Factory is Powering Up Its Espionage Activities Against All the Policymakers
2022.10.28
Zih-Cing Liao, Yu-Tung Chang
2. $whoami
- Zih-Cing Liao aka DuckLL
  - Senior Threat Intelligence Researcher @ TeamT5
  - Speaker at conferences: Black Hat Asia, HITB, HITCON, CODE BLUE ...
- Yu-Tung Chang
  - Threat Intelligence Researcher @ TeamT5
  - Focus on APAC APT
5. CloudDragon
- Kimsuky subgroup
- Cyber espionage / cyber crime
- Phishing operations
- Malware
  - JamBog (AppleSeed)
  - BabyShark
  - PMSDoor
  - KGHRAT (KGH_SPY)
24. Dust
- Shellcode module backdoor
- DNS version
  - MD5: 48be981d814e38a00f70892e826a12f8
  - PDB: D:9dustx64Releasescdll.pdb (path separators lost in extraction)
- HTTP version
  - MD5: 1bbb234b56b344222784b95cbab0fcb2
29. Dust HTTP
- Dial and connect
- No persistent files
[Diagram: "Client: 123" dials the "Compromised C2"; labels on the two exchanges are "123.s" with "code + data" and "123.c" with "code + command"]
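The diagram above shows the Dust HTTP client (ID 123) fetching two stages from the compromised C2, "123.s" and "123.c", with nothing persisted on disk. A practical place to catch that is the web proxy log: a single internal host requesting both a `<numeric id>.s` and a `<numeric id>.c` object from the same external server, repeatedly, is a narrow pattern. The script below is an added example written for this page, not TeamT5's code; it assumes the two objects are fetched as URL paths of the form `/<id>.s` and `/<id>.c` (inferred from the diagram labels, not confirmed by the deck), and the proxy log lines and hostnames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). Simplified format:
#   timestamp src_ip method host path status
SAMPLE_LOG = """\
2022-10-01T09:00:01 10.1.1.20 GET update.example.net /123.s 200
2022-10-01T09:00:03 10.1.1.20 GET update.example.net /123.c 200
2022-10-01T09:00:05 10.1.1.21 GET www.example.org /index.html 200
2022-10-01T09:01:01 10.1.1.22 GET cdn.example.com /777.s 200
2022-10-01T09:01:30 10.1.1.22 GET cdn.example.com /styles.css 200
2022-10-01T09:02:01 10.1.1.20 GET update.example.net /123.c 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$"
)
# Assumed staging URL shape: "/<client id>.s" (code + data) and "/<client id>.c"
# (code + command), matching the "123.s" / "123.c" labels on the slide.
STAGE_RE = re.compile(r"^/(?P<cid>\d{1,10})\.(?P<kind>[sc])$")


def parse_line(line):
    """Return the fields of one proxy log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dust_staging(log_text):
    """Flag (src, host, client id) triples that fetched BOTH the .s and the .c object.

    Requiring both halves keeps a lone "/777.s" (which could be any static file)
    from firing; the .c count also shows how often the command stage was polled.
    """
    counts = defaultdict(lambda: {"s": 0, "c": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        st = STAGE_RE.match(rec["path"])
        if not st:
            continue
        entry = counts[(rec["src"], rec["host"], st["cid"])]
        entry[st["kind"]] += 1
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]

    hits = []
    for (src, host, cid), e in sorted(counts.items()):
        if e["s"] and e["c"]:
            hits.append({
                "src": src, "host": host, "client_id": cid,
                "s_count": e["s"], "c_count": e["c"],
                "first": e["first"], "last": e["last"],
            })
    return hits


if __name__ == "__main__":
    for h in find_dust_staging(SAMPLE_LOG):
        print(f"{h['src']} -> {h['host']} id={h['client_id']} "
              f".s x{h['s_count']} .c x{h['c_count']} ({h['first']} .. {h['last']})")
```

On the constructed log only 10.1.1.20 is reported: it pulled /123.s once and /123.c twice from update.example.net, while 10.1.1.22's single /777.s request is ignored. Adjust `STAGE_RE` to whatever path shape your own samples actually use; the pairing logic is the part worth keeping.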
30. Dust
- Function table

  command  function
  0        execute shell command
  1        get computer information
  2        change work directory
  3        inject shellcode into another process
  4        set sleep interval
  5        download file
  6        upload file
  7        pipe data (with plugin)
  8        self-terminate
31. Dust
- Loader + Cobalt Strike
  - MD5: 2fe72ac40801ff02b1a58dac3f29c780
  - C2: 10.30.0.3
- Cobalt Strike plugin
  - MD5: abd3926fd5db8294951b801e92801077
  - PDB: D:9dustx64Releaseexe.pdb (path separators lost in extraction)
  - C2: 10.10.12.150
  - MD5: 3bf13d241c438a5df7c6b1d4d2c2dfd6
  - ITW: https://github.com/systemplugin/base
  - C2: e86d-109-236-81-161.eu.ngrok.io
32. Post-exploit Cycle
[Diagram. Top chain: Victim List -> Phishing Sites -> Credentials -> Email -> Files. Other node labels: Target, Employee, External Service, Phishing Doc, Phishing Sites, Malware, Credentials, Vulnerability, Intranet, Internal Service, Files, Hacktool, Credentials, Target]
38. Hide AnyDesk
- ieUpdate.exe
- PDB: H:공유실공유ZangHideTray&Window(Any)HideTray&Window(Any)x64ReleaseHideTray.pdb (path separators lost in extraction)
- Hidden components
  - Window
  - System tray
  - Toolbar
52. MemzipRAT
- Injector
- Keylogger
- Browser
- Screenshot
- Remote desktop
- Function table

  command  argument field  function
  0        F-f4:fSNFW      execute shell command
  1        Lp(f*f34        change directory
  4        83hT$GT$#       connect to ip:port
  5        LF*F434ht3      set sleep time (days)
  6        f41FP-bdgr      set sleep time (minutes)
  7        (none)          self-delete
  8        841F6PbdgO      inject self into another process
  9        PK0F6PbdgO      inject DLL
  10       GNEI7807H       self-upgrade
  11       GNEI7807H       install module
  12       GKPI7807H       start module
  14       :G$43tHogreg    update config
56. Key Takeaways
- The APT group CloudDragon
- Credential Factory
- Phishing & social engineering
- Target tactics & malware
- Post-exploitation with legitimate tools
- VPN 0-day case study
57. Mitigation
- Double-check e-mail
- Check browser extensions
- Avoid using remote desktop tools
- Change product default passwords
- Update software to the latest version
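"Check browser extensions" is the mitigation for the malicious extension the abstract describes (deployed via BabyShark; see the SHARPEXT reference). An extension that was side-loaded rather than installed from the Web Store shows up in the browser profile's preference file, so a triage script can read that file offline from a collected profile. The script below is an added example written for this page, not TeamT5's or Volexity's code. It assumes the Chromium `Preferences` / `Secure Preferences` layout as far as this author recalls it from public Chromium source (an `extensions.settings` map keyed by extension ID, with `from_webstore`, `location`, `path` and an embedded `manifest`; `location` value 4 meaning an unpacked extension); the preference content, extension names and the ID `hgjknlfpnfobdljonkcaecbnjicgkeog` are constructed for the example.

```python
import json
import re

# Constructed sample of the "extensions.settings" subtree of a Chromium
# Preferences file (not a real victim artifact). The first and third entries
# mimic Web Store installs; the second mimics a side-loaded extension.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aapbdbdomjkkjkaonfhkkikfgjllcleb": {
                "from_webstore": True,
                "location": 1,
                "path": "aapbdbdomjkkjkaonfhkkikfgjllcleb\\2.0.13_0",
                "manifest": {"name": "Google Translate", "permissions": ["tabs"]},
            },
            "hgjknlfpnfobdljonkcaecbnjicgkeog": {   # constructed ID
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {
                    "name": "Chrome Update",
                    "permissions": ["<all_urls>", "webRequest", "cookies", "tabs"],
                },
            },
            "nmmhkkegccagdldgiimedpiccmgmieda": {
                "from_webstore": True,
                "location": 1,
                "path": "nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.6_0",
                "manifest": {"name": "Chrome Web Store Payments", "permissions": ["identity"]},
            },
        }
    }
})

# Assumption (Chromium Manifest::Location enum): 1 = INTERNAL (CRX/Web Store
# install), 4 = UNPACKED (loaded from a directory, e.g. via Developer mode).
LOCATION_UNPACKED = 4

# Permissions a mail-stealing or traffic-intercepting extension needs and an
# ordinary one rarely does.
BROAD_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies", "debugger"}

ABSOLUTE_PATH_RE = re.compile(r"^([A-Za-z]:[\\/]|\\\\|/)")


def triage_extensions(prefs_json):
    """Return a list of suspicious extensions with the reasons each was flagged.

    Web Store installs live under the profile with a relative "<id>\\<version>"
    path; a side-loaded extension typically has from_webstore=false, an
    unpacked location and an absolute path somewhere else on disk.
    """
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not from Web Store")
        if ext.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked")
        path = ext.get("path", "")
        if ABSOLUTE_PATH_RE.match(path):
            reasons.append(f"absolute path {path}")
        manifest = ext.get("manifest", {})
        broad = sorted(set(manifest.get("permissions", [])) & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_extensions(SAMPLE_PREFERENCES):
        print(f"{f['id']} ({f['name']}):")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the constructed file only the "Chrome Update" entry is reported, with all four reasons. Two caveats when running this against a real profile: the script reads the JSON only and does not validate the `protection.macs` HMACs in `Secure Preferences`, so it tells you what is configured, not whether the file was tampered with; and an extension pushed by enterprise policy will also show `from_webstore=false`, so compare the list against your own allow-list before escalating.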
59. References
- Dmitry Tarakanov. (2013) The "Kimsuky" Operation: A North Korean APT? (https://securelist.com/thekimsuky-operation-a-north-korean-apt/57915/)
- Mark Lim. (2019) BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat (https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
- Cybersecurity and Infrastructure Security Agency. (2020) North Korean Advanced Persistent Threat Focus: Kimsuky (https://www.cisa.gov/uscert/ncas/alerts/aa20-301a)
- 360 Threat Intelligence Center. (2021) Retrospective Analysis Report of the Kimsuky Group's Cyberattack Activities (https://mp.weixin.qq.com/s/pkCK1ryXvGWFuoHQk9Rahg)
- KAERI. (2021) [Explanatory material] Regarding the SisaJournal article "KAERI servers breached; North Korean hacking suspected ... allegations of a cover-up" (https://www.kaeri.re.kr/board/view?menuId=MENU00326&linkId=9181)
- AhnLab Security Emergency response Center. (2021) Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash) (https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf)
- Darien Huss and Selena Larson. (2021) Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies (https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf)
- Jhih-Lin Kuo & Zih-Cing Liao. (2021) "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality (https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-HowCloudDragon-Turns-A-Nightmare-Into-Reality.pdf)
60. References (cont.)
- Jhih-Lin Kuo & Zih-Cing Liao. (2021) Story of the 'Phisherman' - Dissecting Phishing Techniques of CloudDragon APT (https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf)
- Malwarebytes LABS. (2021) Kimsuky APT continues to target South Korean government using AppleSeed backdoor (https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor)
- AhnLab Security Emergency response Center. (2022) AppleSeed distributed disguised as purchase orders and approval requests (https://asec.ahnlab.com/ko/35781/)
- AhnLab Security Emergency response Center. (2022) AppleSeed distributed to a maintenance contractor of a specific military unit (https://asec.ahnlab.com/ko/36918/)
- John Hammond. (2022) Targeted APT Activity: BABYSHARK Is Out for Blood (https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood)
- Paul Rascagneres, Thomas Lancaster. (2022) SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT" (https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/)
- Jason Reaves and Joshua Platt. (2022) Pivoting on a SharpExt to profile Kimusky panels for great good (https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9)