Kimsuky group: tracking the king of the spear-phishing

Friday 4 October 14:00 - 14:30, Small talks

Jaeki Kim (Financial Security Institute)
Kyoung-Ju Kwak (Financial Security Institute)
Min-Chang Jang (Financial Security Institute)



The Kimsuky group is a threat group that is known to have been behind the KHNP (Korea Hydro & Nuclear Power) cyber terrorism attacks in 2014 and is still active as of 2019.

Since 2018, we have been profiling and tracking spear-phishing emails and malicious code related to the Kimsuky group (like Sequel of Campaign DOKKAEBI).

The spear-phishing email used in the attack was designed with the purpose of stealing portal account information and attaching malicious code. The main targets of the attack are government and military officials or reporters.

While others might think of this as a simple account hijack, or stop at a single malware analysis, we have analysed the group's changing behaviour through ongoing tracing of the IoCs related to Kimsuky, including simple account hijacking.

In this talk, we present the results of an analysis not only of the malware used by the Kimsuky group but also of server-side samples (tools and templates that send out spear-phishing emails, like a phishing-rod) which we recently investigated.

We have confirmed that the C&C server used for the previous attack continues to be used for various purposes such as distribution of malicious code, logging of infection and sending of phishing mails. This talk will provide a background to the Kimsuky group's recent activity and give an insight for malware researchers.

 

Jaeki-Kim-web.jpg

Jaeki Kim

Jaeki Kim graduated from the 'Next Generation of Top Security Leader Program' (Best of Best, BoB) at the Korea Information Technology Institute (KITRI) in 2013, and holds a Master's degree from Korea University's Security Analysis and Evaluation Lab. Before joining the Financial Security Institute, he worked on mobile security for a private security company. He also has experience in working as a digital forensic expert for the National Election Commission. In 2016, he joined the Financial Security Institute, and is currently working in the Computer Emergency Analysis Team. As a member of the 'koreanbadass' team, he made it to the Finals of the DEFCON CTF in 2017 and 2018, and now also works as a mentor for KITRI's BoB program. Jaeki is the main author of the threat intelligence report "Campaign DOKKAEBI: Documents of Korean and Evil Binary", published by FSI in 2018.

@2RunJack2

 

silhouette-vb2019.jpg

Kyoung-Ju Kwak

Kyoung-ju Kwak is a security researcher at Security Operations Center, FSI (Financial Security Institute in South Korea). Kyoung-ju currently works on threat analysis and dissects potential threats against the Korean financial industry. Kyoung-ju is also Adjunct Professor at Sungkyunkwan University and audited the National SCADA system and the Ministry of Land with "the Board of Audit and Inspection of Korea" as an Auditor General in 2016. He currently acts as a member of the National Police Agency Cyber-crime Advisory Committee. Kyoung-ju is the main author of threat intelligence report "Campaign Rifle: Andariel, the Maiden of Anguish", published by FSI in 2017.

 

silhouette-vb2019.jpg

Min-Chang Jang

Min-Chang Jang works on threat analysis in the Computer Emergency Analysis Team of the Financial Security Institute. He is a graduate student pursuing a major in cyber warfare at SANE (Security Analysis aNd Evaluation) Lab, Korea University. He served in the Korean Navy CERT for over two years. He is also interested in malware analysis, collecting embedded devices, and hunting bugs and exploiting them. Min-Chang is the main author of threat intelligence report " ShadowVoice : When Voice Phishing met Malicious Android App", published by FSI in 2018.


   Download slides    Read paper

Back to VB2019 Programme page

Other VB2019 papers

Catch me if you can: detection of injection exploitation by validating query and API integrity

Abhishek Singh (Prismo Systems)
Ramesh Mani (Prismo Systems)

Attor: spy platform with curious GSM fingerprinting

Zuzana Hromcová (ESET)

DNS on fire

Warren Mercer (Cisco Talos)
Paul Rascagneres (Cisco Talos)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.