Yonatan Striem-Amit, CTO and co-founder of Cybereason, discussed the Kimsuky "KGH_Spy" suite and the "CSPY downloader" on the CyberWire's Research Saturday podcast.
Kimsuky is a North Korean cyber-espionage group that has been active since 2012. Its targeting has expanded from the Korean peninsula to the US and European countries; observed targets include COVID-19 research organizations, think tanks, human rights groups, and the South Korean military. Kimsuky's operations rely on phishing campaigns and RATs (remote access toolkits). To evade forensic investigation the group backdates, or "timestomps", its files, changing 2020 dates to 2015 or 2016 so that the samples look like old, already-known files rather than part of a current campaign.
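Backdated timestamps are cheap to set but tend to leave contradictions behind, and those contradictions are what an analyst looks for. The script below is an added example written for this post, not code from Cybereason's research, and the specific heuristics are mine rather than the ones the report used. It reads the compile timestamp out of a PE's COFF header (no third-party library) and checks it against the file's filesystem modification time and an analyst-supplied "earliest plausible" date (for instance the notBefore of the certificate the sample is signed with, or the release date of an API it imports). The sample PE bytes, dates and reference date are constructed for the demonstration; a real triage would feed it the bytes of the suspect file and `os.stat` results.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc


def pe_compile_time(pe: bytes) -> datetime:
    """Read the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Layout: DOS header starts with 'MZ', e_lfanew at offset 0x3C points to
    'PE\\0\\0' followed by the COFF header (Machine:2, NumberOfSections:2,
    TimeDateStamp:4, ...).
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    ts = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=UTC)


def timestomp_indicators(pe: bytes, fs_mtime: datetime,
                         earliest_plausible: datetime) -> list:
    """Return indicator codes for a sample; an empty list means nothing stood out."""
    hits = []
    compiled = pe_compile_time(pe)
    # 1. The binary claims to have been built before something it depends on
    #    existed (signing certificate's notBefore, an imported API's release,
    #    first sighting of the C2 domain). The reference date is analyst-supplied.
    if compiled < earliest_plausible:
        hits.append("compile_before_reference")
    # 2. A file cannot legitimately be modified before it was compiled.
    if fs_mtime < compiled:
        hits.append("modified_before_compile")
    # 3. Timestamp-rewriting tools often write whole seconds, whereas NTFS keeps
    #    100 ns resolution. This is only corroboration: files extracted from ZIP
    #    or copied from FAT volumes also show zeroed fractional seconds.
    if fs_mtime.microsecond == 0:
        hits.append("whole_second_mtime")
    return hits


def build_min_pe(compile_ts: int) -> bytes:
    """Constructed stand-in for a real sample: DOS header + PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    # Machine=i386, 1 section, TimeDateStamp, no symbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, compile_ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed scenario: a 2020-era sample whose compile stamp was pushed back to 2016.
BACKDATED = build_min_pe(int(datetime(2016, 3, 2, tzinfo=UTC).timestamp()))
BACKDATED_MTIME = datetime(2016, 3, 2, 12, 0, 0, tzinfo=UTC)   # exact whole seconds
REFERENCE = datetime(2019, 10, 1, tzinfo=UTC)  # hypothetical: signing cert notBefore

# Constructed control: timestamps that are mutually consistent.
CLEAN = build_min_pe(int(datetime(2020, 9, 1, 8, 30, tzinfo=UTC).timestamp()))
CLEAN_MTIME = datetime(2020, 9, 3, 12, 34, 56, 123456, tzinfo=UTC)


if __name__ == "__main__":
    print("backdated sample:", timestomp_indicators(BACKDATED, BACKDATED_MTIME, REFERENCE))
    print("clean sample:    ", timestomp_indicators(CLEAN, CLEAN_MTIME, REFERENCE))
```

None of these checks proves tampering on its own; a compiler can be run on a machine with a wrong clock, and whole-second timestamps have benign causes. The useful signal is disagreement between sources the attacker had to falsify separately (PE header, $STANDARD_INFORMATION, $FILE_NAME, signature validity window, first sighting in telemetry), which is why the reference date is a parameter rather than a constant.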
Cybereason Nocturnus discovered KGH_SPY and the CSPY downloader. KGH_SPY is a suite that gives the operator full control of the victim's computer and runs as fileless malware. CSPY is a downloader designed to evade analysis: it installs a small beacon which, once executed, starts a cascade of downloads of further payloads from the internet. Its built-in evasion includes carrying a stolen digital signature so that it appears to be legitimately signed software.
The take-home lessons from this research are, first, IT hygiene and user training so that users do not fall for the phishing lures; second, endpoint protection that is effective at detecting Kimsuky's malware and spyware; and lastly, staying vigilant.
Sources
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
https://thecyberwire.com/podcasts/research-saturday/168/notes