More suspected North Korean malware identified after US alert on Kimsuky hackers

Researchers say they combined government data with their own findings to identify previously undocumented spyware.
Image: Pyongyang, North Korea (Getty Images)

Security researchers say they uncovered more tools associated with a North Korea-linked cyber-espionage group that was the subject of a U.S. government alert last week.

The previously undocumented malware and server infrastructure appear to be the work of Kimsuky, an advanced persistent threat (APT) group, according to the researchers with Boston-based Cybereason. U.S. military and civilian agencies issued a joint warning about the APT on Oct. 27, saying the current threat was greatest for “commercial sector businesses,” although Kimsuky has often targeted government agencies, think tanks and other organizations connected to geopolitics.

Organizations in the U.S., Europe, Japan, South Korea and Russia appear to be the targets, Cybereason says. Kimsuky also has a history of trying to gather intelligence about sanctions, nuclear policy and other issues salient to the Korean Peninsula. A U.N. Security Council report earlier this year said Kimsuky appeared to be behind hacking attempts against the international body.

Kimsuky typically tries to deliver its malware through phishing or spearphishing attempts. Researchers at Palo Alto Networks reported in February 2019 that initial instances of BabyShark were delivered as email file attachments.
Cybereason said Monday that after publication of the U.S. government alert, researchers on its Nocturnus threat intelligence team were able to combine the government’s findings with their own to identify spyware dubbed “KGH_SPY,” as well as a separate piece of payload-delivery malware called “CSPY_Loader” and server infrastructure “that shows clear overlaps with Kimsuky’s previously reported infrastructure.”

The research serves as a reminder that APT groups are constantly developing new tools and variations of older ones. KGH_SPY provides “reconnaissance, keylogging, information stealing and backdoor capabilities,” while the key feature of CSPY_Loader is its ability to evade analysis and deliver other malware, Cybereason says. The company also says the newly discovered server infrastructure appears to overlap with “BabyShark,” malware that has been tied to suspected North Korean activity, including espionage on think tanks.

KGH_SPY steals information — including user credentials — in web browsers and other software, the researchers say. They’re unsure if the CSPY_Loader malware has been used to deliver KGH_SPY, but evidence points to Kimsuky for both.

“We did not observe the two tools in conjunction; however, it doesn’t mean that they weren’t used in conjunction before,” says Assaf Dahan, head of threat research at Cybereason. “Moreover, it seems like both tools are part of the same infrastructure; they have code and TTPs similarities. Based on that, one can hypothesize that they could have been developed by the same team.”

Cybereason has “moderate-high level of certainty” that the activities it describes match up with previous reports about Kimsuky, Dahan says. The group is also known as Velvet Chollima, Thallium and Black Banshee.
