Skip to content

G0094 Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.12345

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).678

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Item Value
ID G0094
Associated Names STOLEN PENCIL, Thallium, Black Banshee, Velvet Chollima
Version 3.1
Created 26 August 2019
Last Modified 23 March 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
STOLEN PENCIL 6
Thallium 34
Black Banshee 34
Velvet Chollima 10114

Techniques Used

Domain ID Name Use
enterprise T1098 Account Manipulation Kimsuky has added accounts to specific groups with net localgroup.12
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Kimsuky has registered domains to spoof targeted organizations and trusted third parties.111653412
enterprise T1583.004 Server Kimsuky has purchased hosting servers with virtual currency and prepaid cards.12
enterprise T1583.006 Web Services Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.13
enterprise T1557 Adversary-in-the-Middle Kimsuky has used modified versions of PHProxy to examine web traffic between the victim and the accessed website.5
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Kimsuky has used HTTP GET and POST requests for C2.13
enterprise T1071.002 File Transfer Protocols Kimsuky has used FTP to download additional malware to the target machine.15
enterprise T1071.003 Mail Protocols Kimsuky has used e-mail to send exfiltrated data to C2 servers.5
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Kimsuky has used QuickZip to archive stolen files before exfiltration.13
enterprise T1560.003 Archive via Custom Method Kimsuky has used RC4 encryption before exfil.9
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key.95141312
enterprise T1176 Browser Extensions Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.106
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Kimsuky has executed a variety of PowerShell scripts.151312
enterprise T1059.003 Windows Command Shell Kimsuky has executed Windows commands by using cmd and running batch scripts.1312
enterprise T1059.005 Visual Basic Kimsuky has used Visual Basic to download malicious payloads.11151413 Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.13
enterprise T1059.006 Python Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.512
enterprise T1059.007 JavaScript Kimsuky has used JScript for logging and downloading additional tools.155
enterprise T1586 Compromise Accounts -
enterprise T1586.002 Email Accounts Kimsuky has compromised email accounts to send spearphishing e-mails.154
enterprise T1584 Compromise Infrastructure -
enterprise T1584.001 Domains Kimsuky has compromised legitimate sites and used them to distribute malware.12
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Kimsuky has created accounts with net user.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Kimsuky has created new services for persistence.95
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft’s WebBrowserPassView tool to dump the passwords obtained from victims.105613
enterprise T1005 Data from Local System Kimsuky has collected Office, PDF, and HWP documents from its victims.913
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.513
enterprise T1140 Deobfuscate/Decode Files or Information Kimsuky has decoded malicious VBScripts using Base64.13
enterprise T1587 Develop Capabilities Kimsuky created and used a mailing toolkit to use in spearphishing attacks.15
enterprise T1587.001 Malware Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.1213
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.12
enterprise T1114.003 Email Forwarding Rule Kimsuky has set auto-forward rules on victim’s e-mail accounts.5
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.12
enterprise T1585.002 Email Accounts Kimsuky has created email accounts for phishing operations.12
enterprise T1546 Event Triggered Execution -
enterprise T1546.001 Change Default File Association Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.9
enterprise T1041 Exfiltration Over C2 Channel Kimsuky has exfiltrated data over its C2 channel.913
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.13
enterprise T1190 Exploit Public-Facing Application Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.12
enterprise T1133 External Remote Services Kimsuky has used RDP to establish persistence.5
enterprise T1083 File and Directory Discovery Kimsuky has the ability to enumerate all files and directories on an infected system.91312
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses Kimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns.4
enterprise T1589.003 Employee Names Kimsuky has collected victim employee name information.12
enterprise T1591 Gather Victim Org Information Kimsuky has collected victim organization information including but not limited to organization hierarchy, functions, press releases, and others.12
enterprise T1564 Hide Artifacts -
enterprise T1564.002 Hidden Users Kimsuky has run reg add ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList’ /v to hide a newly created user.12
enterprise T1564.003 Hidden Window Kimsuky has used an information gathering module that will hide an AV software window from the victim.13
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.913
enterprise T1562.004 Disable or Modify System Firewall Kimsuky has been observed disabling the system firewall.9
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.91312
enterprise T1070.006 Timestomp Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.3
enterprise T1105 Ingress Tool Transfer Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.1413
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.19561312
enterprise T1534 Internal Spearphishing Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.12
enterprise T1036 Masquerading Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.12
enterprise T1036.004 Masquerade Task or Service Kimsuky has disguised services to appear as benign software or related to operating system functions.5
enterprise T1036.005 Match Legitimate Name or Location Kimsuky has renamed malware to legitimate names such as ESTCommon.dll or patch.dll.12
enterprise T1112 Modify Registry Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.5141312
enterprise T1111 Multi-Factor Authentication Interception Kimsuky has used a proprietary tool to intercept one time passwords required for two-factor authentication.12
enterprise T1040 Network Sniffing Kimsuky has used the Nirsoft SniffPass network sniffer to obtain passwords sent over non-secure protocols.56
enterprise T1027 Obfuscated Files or Information Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.1115 Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.13
enterprise T1027.002 Software Packing Kimsuky has packed malware with UPX.4
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec.613
enterprise T1588.005 Exploits Kimsuky has obtained exploit code for various CVEs.12
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Kimsuky has gathered credentials using Mimikatz and ProcDump.5612
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.1091115341312
enterprise T1566.002 Spearphishing Link Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.1612
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link Kimsuky has used links in e-mail to steal account information.15412
enterprise T1057 Process Discovery Kimsuky can gather a list of all processes running on a victim’s machine.13
enterprise T1055 Process Injection Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.9
enterprise T1055.012 Process Hollowing Kimsuky has used a file injector DLL to spawn a benign process on the victim’s system and inject the malicious payload into it via process hollowing.13
enterprise T1012 Query Registry Kimsuky has obtained specific Registry keys and values on a compromised host.13
enterprise T1219 Remote Access Software Kimsuky has used a modified TeamViewer client as a command and control channel.914
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Kimsuky has used RDP for direct remote point-and-click access.6
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Kimsuky has downloaded additional malware with scheduled tasks.12
enterprise T1593 Search Open Websites/Domains -
enterprise T1593.001 Social Media Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.4
enterprise T1593.002 Search Engines Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.12
enterprise T1594 Search Victim-Owned Websites Kimsuky has searched for information on the target company’s website.12
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding “Dinosaur” references within the code.5
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Kimsuky has checked for the presence of antivirus software with powershell Get-CimInstance -Namespace root/securityCenter2 – classname antivirusproduct.12
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.13
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Kimsuky has signed files with the name EGIS CO,. Ltd..11
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Kimsuky has used mshta.exe to run malicious scripts on the system.151412
enterprise T1218.010 Regsvr32 Kimsuky has executed malware with regsvr32s.12
enterprise T1218.011 Rundll32 Kimsuky has used rundll32.exe to execute malicious scripts and malware on a victim’s network.13
enterprise T1082 System Information Discovery Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the “systeminfo” command.913
enterprise T1016 System Network Configuration Discovery Kimsuky has used ipconfig/all to gather network configuration information.13
enterprise T1007 System Service Discovery Kimsuky has used an instrumentor script to gather the names of all services running on a victim’s system.13
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Kimsuky has used tools that are capable of obtaining credentials from saved mail.6
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Kimsuky has used pass the hash for authentication to remote access software used in C2.5
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Kimsuky has lured victims into clicking malicious links.12
enterprise T1204.002 Malicious File Kimsuky has used attempted to lure victims into opening malicious e-mail attachments.111553413
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.6
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Kimsuky has used Blogspot pages for C2.13

Software

ID Name References Techniques
S0622 AppleSeed - Access Token Manipulation Web Protocols:Application Layer Protocol Archive Collected Data Archive via Utility:Archive Collected Data Automated Collection Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Data from Local System Data from Removable Media Local Data Staging:Data Staged Data Transfer Size Limits Deobfuscate/Decode Files or Information Exfiltration Over C2 Channel Exfiltration Over Web Service Fallback Channels File and Directory Discovery File Deletion:Indicator Removal on Host Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Masquerading Native API Software Packing:Obfuscated Files or Information Obfuscated Files or Information Spearphishing Attachment:Phishing Process Discovery Screen Capture Regsvr32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Time Discovery Malicious File:User Execution
S0414 BabyShark - Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information File and Directory Discovery File Deletion:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Mshta:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0252 Brave Prince - Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol File and Directory Discovery Disable or Modify Tools:Impair Defenses Process Discovery Query Registry System Information Discovery System Network Configuration Discovery
S0527 CSPY Downloader - Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Indicator Removal on Host File Deletion:Indicator Removal on Host Ingress Tool Transfer Masquerade Task or Service:Masquerading Modify Registry Software Packing:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls Malicious File:User Execution System Checks:Virtualization/Sandbox Evasion
S0249 Gold Dragon - Web Protocols:Application Layer Protocol Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Local Data Staging:Data Staged File and Directory Discovery Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal on Host Ingress Tool Transfer Process Discovery Query Registry Security Software Discovery:Software Discovery System Information Discovery System Owner/User Discovery
S0526 KGH_SPY - Web Protocols:Application Layer Protocol Logon Script (Windows):Boot or Logon Initialization Scripts PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Data from Local System Local Data Staging:Data Staged Deobfuscate/Decode Files or Information Local Email Collection:Email Collection Exfiltration Over C2 Channel File and Directory Discovery Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Obfuscated Files or Information Software Discovery System Information Discovery Malicious File:User Execution
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0353 NOKKI - Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Local Data Staging:Data Staged Deobfuscate/Decode Files or Information File Deletion:Indicator Removal on Host Ingress Tool Transfer Credential API Hooking:Input Capture Match Legitimate Name or Location:Masquerading Obfuscated Files or Information Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0111 schtasks - Scheduled Task:Scheduled Task/Job

References


  1. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. 

  2. BRI. (2019, April). Kimsuky unveils APT campaign ‘Smoke Screen’ aimed at Korea and America. Retrieved October 7, 2019. 

  3. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  4. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  5. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  6. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. 

  7. ESTSecurity. (2019, April 17). Analysis of the APT Campaign ‘Smoke Screen’ targeting to Korea and US 출처: https://blog.alyac.co.kr/2243 [이스트시큐리티 알약 블로그]. Retrieved September 29, 2021. 

  8. AhnLab. (2019, February 28). Operation Kabar Cobra - Tenacious cyber-espionage campaign by Kimsuky Group. Retrieved September 29, 2021. 

  9. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. 

  10. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. 

  11. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020. 

  12. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  13. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  14. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  15. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. 

  16. Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020. 

Back to top