EXECUTIVE SUMMARY
Kimsuky, a prolific Korean-speaking threat actor, has been conducting a series of attacks using various malware variants based on the PebbleDash platform. This campaign has been targeting organizations in South Korea, Brazil, and Germany, with a focus on the defense, military, government, medical, machinery, and energy industries. The attackers' goal is to steal sensitive information, disrupt operations, and potentially sell stolen data on the dark web. Kimsuky has been continuously updating its arsenal, incorporating new tools such as VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent, and large language models (LLMs) to evade detection.
The malware infects systems through spear-phishing emails containing malicious attachments disguised as documents. Once inside, the malware uses various droppers to deploy payloads, including the Rust-based HelloDoor and the latest backdoor variant, httpMalice. These droppers deliver files in specific directories before executing the malware using regsvr32.exe. The attackers also use legitimate tools such as Visual Studio Code (VSCode) and DWAgent for post-exploitation activities. Kimsuky maintains control over the infected systems by hosting C2 infrastructure on domains registered at free South Korean hosting providers, occasionally hacking South Korean websites, and using tunneling tools like Ngrok or VSCode.
Kimsuky's use of PebbleDash-based tools, including HelloDoor and httpMalice, demonstrates a significant threat to organizations worldwide. These malware variants are designed to establish backdoors, steal sensitive information, and evade detection. Their use of legitimate tools and services makes them difficult to identify and mitigate. Organizations must take immediate action to protect themselves against these threats, including patching vulnerabilities, monitoring for suspicious activity, maintaining regular backups, and implementing robust endpoint protection measures.
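The execution and command-and-control tradecraft summarised above (regsvr32.exe/rundll32.exe loading payloads dropped into user-writable directories, and VSCode Tunneling, Cloudflare Quick Tunnels, DWAgent or Ngrok used for remote access) can be turned into simple process-creation detections. The following is an added example written for this page, not code from the original report; the event records, field names (image, cmdline, parent), the trusted-directory list and the document-handler parent list are all constructed assumptions, and a real deployment would read EDR or Sysmon Event ID 1 data instead.

```python
"""Process-creation detections for the proxy-execution and tunnelling tradecraft
described above. Added example; event format and lists are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Signed Windows binaries named in the threat profile as proxy-execution hosts (T1218.010 / T1218.011).
PROXY_HOSTS = {"regsvr32.exe", "rundll32.exe"}

# Directories a payload may legitimately be loaded from; anything else (profile, temp, public) is suspect.
# Assumed list: tune to the environment.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")

# Parents that indicate a document or script launched the proxy binary (assumed list).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "hwp.exe", "outlook.exe", "wscript.exe"}

# Remote-access and tunnelling tooling the report associates with the campaign (T1219 / T1090.003).
TUNNEL_PATTERNS = [
    re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.I),        # VSCode tunnel
    re.compile(r"\bcloudflared(\.exe)?\b.*\btunnel\b", re.I),  # Cloudflare Quick Tunnel
    re.compile(r"\bngrok(\.exe)?\b", re.I),
    re.compile(r"\bdwagent\b", re.I),                          # DWAgent remote access
]


@dataclass
class ProcEvent:
    image: str    # full path of the new process
    cmdline: str  # its command line
    parent: str   # full path of the parent process


@dataclass
class Finding:
    rule: str
    event: ProcEvent


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _loaded_path(cmdline: str) -> Optional[str]:
    """Return the first path-like argument after the binary itself (the DLL/script handed to the host)."""
    tokens = [(a or b) for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    for tok in tokens[1:]:                 # tokens[0] is the proxy binary
        t = tok.lower()
        if "\\" in t and not t.startswith("/"):
            return t
    return None


def analyse(events: List[ProcEvent]) -> List[Finding]:
    """Apply the three rules to each event and return every match, in event order."""
    findings: List[Finding] = []
    for ev in events:
        img = _basename(ev.image)
        if img in PROXY_HOSTS:
            target = _loaded_path(ev.cmdline)
            # Rule 1: proxy binary loading a payload from outside the trusted directories.
            if target and not target.startswith(TRUSTED_DIRS):
                findings.append(Finding(f"proxy-execution:{img}:untrusted-path", ev))
            # Rule 2: proxy binary spawned directly by a document or script host.
            if _basename(ev.parent) in DOCUMENT_PARENTS:
                findings.append(Finding(f"proxy-execution:{img}:document-parent", ev))
        # Rule 3: tunnelling / remote-access tooling on the command line.
        if any(p.search(ev.cmdline) for p in TUNNEL_PATTERNS):
            findings.append(Finding("tunnel-or-remote-access", ev))
    return findings


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\update.dat"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\wuapi.dll",
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Programs\Microsoft VS Code\code.exe",
              r'"C:\Users\victim\AppData\Local\Programs\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms --name host1',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\Public\doc.dll",Run',
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:45s} {_basename(f.event.image)}  <- {_basename(f.event.parent)}")
```

Rule 1 is the one with the best signal-to-noise ratio here: regsvr32.exe and rundll32.exe loading from a profile or temp directory is rare in normal operation, whereas rule 3 will also fire on legitimate developer use of VSCode tunnels and needs an allow-list of expected hosts.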
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1218.010 | System Binary Proxy Execution | Regsvr32 |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Defense Evasion | T1027.003 | Obfuscated Files or Information | Steganography |
| Credential Access | T1552.004 | Unsecured Credentials | Private Keys |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1219 | Remote Access Software | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/