Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials. The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals. CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle. In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust. In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection. In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.

1. CloudDragon’s Credential Factory is Powering Up
Its Espionage Activities Against All the Policymakers
2022.10.28
Zih-Cing Liao, Yu-Tung Chang

2. $whoami
2
u Zih-Cing Liao aka DuckLL
u Senior Threat Intelligence Researcher @ TeamT5
u Speaker of Conferences:
Black Hat Asia, HITB, HITCON, CODE BLUE ...
u Yu-Tung Chang
u Threat Intelligence Researcher @ TeamT5
u Focus on APAC APT

3. Agenda
Introduction
01
Credential Factory
02
Case Study
03
Conclusion
04

4. Introduction

5. CloudDragon
5
u Kimsuky subgroup
u Cyber Espionage / Cyber Crime
u Phishing operation
u Malware
u JamBog (AppleSeed)
u BabyShark
u PMSDoor
u KGHRAT (KGH_SPY)

6. Target scope
6
NGO
Country
Intustry
Media Technology
Research
Education
Government

7. Credential Factory

8. Credential Factory
Vitcim List Phishing Sites Credentials Email Files
Target
Employee
External Service
Phishing Doc
Phishing Sites
Malware
Credentials
Vulnerability Intranet
Internal Service
Files
Hacktool
Credentials Target

9. Daily Cycle
Vitcim List Phishing Sites Credentials Email Files
Target
Employee
External Service
Phishing Doc
Phishing Sites
Malware
Credentials
Vulnerability Intranet
Internal Service
Files
Hacktool
Credentials Target

10. Phishing
10

11. Proxy Mirror
11
Fetch Login page
Modify Form
username
password
Real Site
Login
Sucess
./logs/{user_id}.cfm
index.php
confirm.php

12. Phishing Bot
12
ajax
Phishing Bot
Phishing Site Browser

13. Campaign Cycle
Vitcim List Phishing Sites Credentials Email Files
Target
Employee
External Service
Phishing Doc
Phishing Sites
Malware
Credentials
Vulnerability Intranet
Internal Service
Files
Hacktool
Credentials Target

14. Phishing Doc
14
TBS TV_Qs.docx Interview memo_patrick.docx
Kyodo News_Niklas.docx Upholding the RBO in the INdo-Pac.docx

15. BabyShark
15
VBS
VBS
DOTM
VBS
C2 Server
C2 Server
C2 Server
r.php
ca.php
d.php/OneDrive
recon AV info
download
fetch command
dot_eset.gif, vbs_kasp.gif,
video.gif, start1.gif, start2.gif,
secur32.gif, ...
vbtmp, battmp

16. BabyShark
16
Decrypt Function
Macro

17. BabyShark
17
u Detect and Bypass

18. AFMail
18
VBS
vbtmp
battmp
BabyShark
VBS
C2 Server
upload
ttmp.log
upload_dat_files.vbs
fetch
command
write
browser info.
C2 Server
d.php
upload.php
ps1
getChrome.ps1, getWhale.ps1, ...
ttmp.log
...
ps1
download
& execute
download
& drop
read

19. AFMail
19
u getChrome.ps1

20. AFMail
20
VBS
vbtmp
battmp
BabyShark
download
& install
C2 Server
bg.js
dev.html
manifest.json
dev.js
Preferences Secure Preferences
set background script
set devtool_page
fetch cd1.js
fetch cd2.js
load
dev.ps1
load
open DevTools
plugin.bat
json
ps1

21. AFMail
21
u manifest.json
u icon

22. AFMail
22
u cd2.js : filter target mail services

23. AFMail
23
u cd1.js : backup email and attachment to C2

24. Dust
24
u Shellcode module backdoor
u DNS version
u MD5: 48be981d814e38a00f70892e826a12f8
u PDB: D:9dustx64Releasescdll.pdb
u HTTP version
u MD5: 1bbb234b56b344222784b95cbab0fcb2

25. Dust DNS
25
Shellcode
Loader
regsvr32
XOR
Backdoor
(in memory)
Launch
prefix function
cdn connect
api send data
post get data
Base16(Enc(Data))
DNS
cdn.50a0f04191e13282d22373c31464b405.foo[.]bar

26. Dust
26
u Encryption algorithm

27. Dust HTTP
27
Shellcode
Loader
regsvr32
XOR
Backdoor
(in memory)
Launch
header
csrf-token: Base64(php code)
body
Base64(Enc(Data))
C2

28. Dust HTTP
28
u PHP code

29. Dust HTTP
29
u Dial and connect
u No persistent files
Compromised
C2
123.s
123.c
Client: 123
code + data
code + command

30. Dust
30
u Function table
command function
0 exectue shell command
1 get computer information
2 change work directory
3 inject shellcode to other process
4 setup sleep interval
5 download file
6 upload file
7 pipe data (with plugin)
8 self-terminate

31. Dust
31
u Loader + Cobalt Strike
u 2fe72ac40801ff02b1a58dac3f29c780
u C2: 10.30.0.3
u Cobalt Strike Plugin
u abd3926fd5db8294951b801e92801077
u pdb: D:9dustx64Releaseexe.pdb
u C2: 10.10.12.150
u 3bf13d241c438a5df7c6b1d4d2c2dfd6
u ITW: https://github.com/systemplugin/base
u C2: e86d-109-236-81-161.eu.ngrok.io

32. Post-exploit Cycle
Vitcim List Phishing Sites Credentials Email Files
Target
Employee
External Service
Phishing Doc
Phishing Sites
Malware
Credentials
Vulnerability Intranet
Internal Service
Files
Hacktool
Credentials Target

33. Hacktool
33
u Kimsuky develop
u screenshot
u keylogger
u credential (stealer)
u tgcd
u ngrok
u XMRig

34. Screenshot
34
ps1
1.crp
1.ps1
decrypt
screenshot
C2 Server
upload

35. Keylogger
35
ps1
VBS
2.crp
2.ps1
decrypt
keylogger
write
read
C2 Server
ttmp.log ieCert.vbs
upload

36. Credential (stealer)
36
u Triger at user login

37. AnyDesk
37
adplus.bat
system.conf
smss.bat
AnyDesk.exe
rvv.exe
VBS
func.txt
decrypt
load
drop
drop.crp
C2 Server
service.conf
load
launch
ieUpSrv.exe
ieUpdate.exe
set services
launch
fetch command
hide
install
config config
backdoor

38. Hide AnyDesk
38
u ieUpdate.exe
u PDB:
H:공유실공유ZangHideTray&Window(Any)HideTray&Window(Any)x64Rel
easeHideTray.pdb
u Hide Component
u Window
u System Tray
u Toolbar

39. Hide AnyDesk
39
u Window
u System Tray
u Toolbar

40. Hide AnyDesk
40
u Window
u System Tray
u Toolbar

41. AnyDesk Config
41
u %AppData%AnyDesk
u %ProgramData%AnyDesk system.conf
service.conf

42. AnyDesk
42
system.conf
AnyDesk.exe
service.conf
Setup config：
known id
known password
system.conf
AnyDesk.exe
service.conf
load
deploy to
config path
config config config config
AnyDesk with known credential

43. Case Study

44. KAERI
44
u Confirmed hacking incident
u Malicious VPN access

45. Phishing VPN Company
45

46. SSH Login Log
46
u Root login from C2

47. SSH Vulnerability
47
u Default root password
u 279 posseble vulnerable servers

48. Webshell
48
u session_check.jsp(MD5: 2e2037a8505900b68629081ffbb8feff)

49. Web Vulneravility
49
u upload file without permission check

50. Web Vulneravility
50
u 117 posseble vulnerable servers

51. MemzipRAT
51
u whatthe.exe(MD5: 4c45c89774d974671809116564800bf2)
Installer
Loader
Zip Resource
Drop
Write Registry
Load
Load config
Compromised
C2
Zip file
(RC4+XOR+Base64)
Backdoor
(in memory)

52. MemzipRAT
52
u Injector
u Keylogger
u Browser
u Screenshot
u Remote desktop
command argument field function
0 F-f4:fSNFW exectue shell command
1 Lp(f*f34 change dirctory
4 83hT$GT$# connect to ip port
5 LF*F434ht3 set sleep time(day)
6 f41FP-bdgr set sleep time(minute)
7 self-delete
8 841F6PbdgO inject self to other process
9 PK0F6PbdgO inject dll
10 GNEI7807H self-upgrade
11 GNEI7807H install module
12 GKPI7807H start module
14 :G$43tHogreg update config
Function Table

53. VPN-0day
53
Compromise VPN company
VPN Phishing Site
SSH key leak
Get credentail
Compromise KAERI
MemzipRAT

54. Victims
54

55. Conclusion

56. Key Takeaways
56
u The APT group CloudDragon
u Credential Factory
u Phishing & social engineering
u Target tatic & malware
u Post-exploit with legal tool
u VPN-0day case study

57. Mitigation
57
u Double check E-mail
u Check browser extenion
u Avoid using remote desktop tools
u Change product default password
u Update software to latest

58. Zih-Cing Liao
duckll@teamt5.org
THANK YOU!
Yu-Tung Chang
tako@teamt5.org

59. Reference
59
u Dmitry Tarakanov. (2013) The “Kimsuky” Operation: A North Korean APT? (https://securelist.com/thekimsuky-operation-a-north-
korean-apt/57915/)
u Mark Lim. (2019) BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and
PCRat(https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/)
u Cybersecurity and Infrastructure Security Agency. (2020) North Korean Advanced Persistent Threat Focus: Kimsuky
(https://www.cisa.gov/uscert/ncas/alerts/aa20-301a )
u 360威胁情报中心. (2021) Kimsuky组织网络攻击活动追溯分析报告(https://mp.weixin.qq.com/s/pkCK1ryXvGWFuoHQk9Rahg)
u KAERI (2021) [설명자료] 시사저널 "원자력연구원, 서버 뚫렸다. 북해킹의심...은폐의혹" 기사 관련
(https://www.kaeri.re.kr/board/view?menuId=MENU00326&linkId=9181)
u AhnLab Security Emergency response Center. (2021) Analysis Report of Kimsuky Group's APT Attacks (AppleSeed, PebbleDash)
(https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf)
u Darien Huss and Selena Larson (2021) Triple Threat: North Korea-Aligned TA406 Steals, Scams and Spies
(https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-
steals-scams-spies.pdf)
u Jhih-Lin Kuo & Zih-Cing Liao (2021) "We Are About to Land": How CloudDragon Turns a Nightmare Into Reality
(https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-HowCloudDragon-Turns-A-Nightmare-Into-
Reality.pdf)

60. Reference
60
u Jhih-Lin Kuo & Zih-Cing Liao. (2021) Story of the 'Phisherman' - Dissecting Phishing Techniques of CloudDragon APT
(https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-
%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf)
u Malwarebytes LABS. (2021) Kimsuky APT continues to target South Korean government using AppleSeed backdoor
(https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-
using-appleseed-backdoor)
u AhnLab Security Emergency response Center. (2022) 발주서, 품의서를 위장한 AppleSeed 유포 (https://asec.ahnlab.com/ko/35781/)
u AhnLab Security Emergency response Center. (2022) 특정 군부대 유지보수 업체 대상으로 AppleSeed 유포
(https://asec.ahnlab.com/ko/36918/)
u John Hammond. (2022) Targeted APT Activity: BABYSHARK Is Out for Blood (https://www.huntress.com/blog/targeted-apt-activity-
babyshark-is-out-for-blood)
u Paul Rascagneres, Thomas Lancaster. (2022) SharpTongue Deploys Clever Mail-Stealing Browser Extension "SHARPEXT"
(https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/)
u Jason Reaves and Joshua Platt. (2022) Pivoting on a SharpExt to profile Kimusky panels for great good
(https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9)