
Nation-state actors affiliated with North Korea have been observed using spear phishing attacks to deliver various backdoors and tools (such as AppleSeed, Meterpreter, and TinyNuke) to seize control of infected machines.
South Korean cybersecurity company AhnLab attributed the activity to an advanced persistent threat group called Kimsuky.
“One thing to note about the attacks using AppleSeed is that similar attack methods have been used for many years, without significant changes to the types of malware used,” the AhnLab Security Emergency response Center (ASEC) said in an analysis released Thursday.
Kimsuky has been active for more than a decade and is known for targeting a wide range of entities within South Korea, before expanding its focus to other regions in 2017. Late last month, it was sanctioned by the U.S. government for gathering intelligence in support of North Korea’s strategic goals.
The group’s espionage is carried out through spear-phishing attacks that carry malicious lure files which, once opened, ultimately deploy various malware families.
One well-known Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware that has been in use since May 2019 and has since been updated with an Android version as well as a new variant called AlphaSeed.
AppleSeed is designed to receive commands from attacker-controlled servers, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed offers similar functionality, but with some important differences.
“AlphaSeed is developed in Golang and uses chromedp for [command-and-control] communications,” ASEC said, in sharp contrast to AppleSeed, which relies on the HTTP or SMTP protocols. Chromedp is a popular Golang library for driving the Google Chrome browser in headless mode via the DevTools protocol. Because the implant reaches its server through a real browser, its C2 traffic is shaped like ordinary web browsing, so detection is better focused on how the browser gets launched than on the traffic itself.
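The chromedp dependency gives defenders something concrete to hunt for in process-creation telemetry. The following is an added example, not ASEC’s code and not taken from the AlphaSeed sample: it assumes that chromedp, like other DevTools automation, starts Chrome with `--headless` and a `--remote-debugging-port` flag, and it flags such launches when the parent process is not on an allow-list of known automation tooling. The log format, paths, PIDs and the parent binary name `svc_update.exe` are constructed for the example.

```python
import re

# Assumed allow-list of parent images that legitimately automate Chrome
# (test runners, scrapers, browser updaters). Tune for your environment.
BENIGN_PARENTS = {"chrome.exe", "msedge.exe", "chromedriver.exe", "node.exe"}
# Image names that are Chrome/Chromium builds (constructed list for the example).
BROWSER_IMAGES = {"chrome.exe", "chromium.exe", "msedge.exe", "headless_shell.exe"}

HEADLESS_FLAG = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
DEBUG_PORT_FLAG = re.compile(r"--remote-debugging-port=(\d+)")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse one flattened process-creation record.

    Constructed format for this example: key=value pairs separated by ' | '.
    Only the first '=' in each pair is a separator, so flags inside
    CommandLine keep their own '=' signs.
    """
    event = {}
    for pair in line.split(" | "):
        key, _, value = pair.partition("=")
        event[key.strip()] = value.strip()
    return event


def classify(event: dict) -> list:
    """Reasons this event looks like a DevTools-driven browser C2 channel ([] if not)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in BROWSER_IMAGES:
        return []
    reasons = []
    if HEADLESS_FLAG.search(cmd):
        reasons.append("headless browser")
    port = DEBUG_PORT_FLAG.search(cmd)
    if port:
        reasons.append("DevTools remote debugging on port " + port.group(1))
    # A headless browser with DevTools exposed is normal for automation tooling;
    # it is only worth an alert when the parent is not on the allow-list.
    if reasons and parent not in BENIGN_PARENTS:
        reasons.append("unexpected parent " + parent)
        return reasons
    return []


def scan(lines):
    """Return [(ProcessId, reasons)] for every event that classify() flags."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ProcessId", "?"), reasons))
    return hits


# Constructed sample telemetry; paths, PIDs and the parent binary name are hypothetical.
SAMPLE_EVENTS = [
    # A Go implant dropped in %TEMP% driving headless Chrome, as chromedp would launch it.
    "ProcessId=4120 | Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | ParentImage=C:\\Users\\user\\AppData\\Local\\Temp\\svc_update.exe"
    " | CommandLine=chrome.exe --headless --disable-gpu --no-first-run"
    " --remote-debugging-port=0 --user-data-dir=C:\\Users\\user\\AppData\\Local\\Temp\\chromedp-runner",
    # Interactive browser started by the user from the shell: no headless flags.
    "ProcessId=5210 | Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | ParentImage=C:\\Windows\\explorer.exe | CommandLine=chrome.exe https://example.org",
    # Renderer child of the browser itself.
    "ProcessId=5222 | Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | ParentImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | CommandLine=chrome.exe --type=renderer --field-trial-handle=1",
    # Headless Chrome driven by a Node.js scraper that is on the allow-list.
    "ProcessId=6001 | Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    " | ParentImage=C:\\Program Files\\nodejs\\node.exe"
    " | CommandLine=chrome.exe --headless=new --remote-debugging-port=9222",
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only the first constructed event is flagged: the browser is headless, exposes DevTools, and was spawned by an unknown binary in a user-writable directory. The allow-list is the weak point of this heuristic, so in production it should key on signed, path-qualified parents rather than bare file names, which an implant can trivially mimic.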
There is evidence that Kimsuky has been using AlphaSeed in attacks since October 2022, with some of these intrusions delivering AppleSeed and AlphaSeed via a JavaScript dropper on the same target system.
The attackers also deployed Meterpreter and VNC tools such as TightVNC and TinyNuke (also known as Nuclear Bot), which can be used to take remote control of compromised systems.
Separately, Nisos said it discovered online personas on LinkedIn and GitHub that may have been used by North Korean information technology (IT) workers to fraudulently obtain remote employment with U.S. companies, serving as a source of revenue for the regime and helping fund its economic and security priorities.

“These personas often claim to be proficient in developing several different types of applications and to have experience processing cryptocurrency and blockchain transactions,” the threat intelligence firm said in a report released earlier this month.
“Additionally, all of the personas were seeking remote-only positions in technology fields, with a particular focus on acquiring new employment opportunities. Many accounts were only active for a short period of time before being disabled.”
In recent years, North Korean actors have launched a series of multi-pronged attacks that combine novel tactics and supply chain vulnerabilities to target blockchain and cryptocurrency companies to facilitate the theft of intellectual property and virtual assets.
The frequency and aggressiveness of the attacks illustrate the different ways in which the country is seeking to evade international sanctions and illegally profit from these schemes.
“People tend to think, …how can the Hermit Kingdom be a serious player from an online perspective?” CrowdStrike’s Adam Meyers told Politico. “But the reality couldn’t be further from the truth.”