Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.
South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.
“A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together,” the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.
Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea’s strategic objectives.
The threat actor’s espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.
One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware which has been put to use as early as May 2019 and has been updated with an Android version as well as a new variant written in Golang called AlphaSeed.
AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.
“AlphaSeed was developed in Golang and uses chromedp for communications with the [command-and-control] server,” ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.
Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke(aka Nuclear Bot), which can be leveraged to take control of the affected system.
The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub likely used by North Korea’s information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S. and act as a revenue-generating stream for the regime and help fund its economic and security priorities.
“The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions,” the threat intelligence firm said in a report released earlier this month.
“Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled.”
North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.
The prolific and aggressive nature of the attacks points to the different ways the country has resorted in order to evade international sanctions and illegally profit from the schemes.
“People tend to think, … how could the quote-unquote ‘Hermit Kingdom’ possibly be a serious player from a cyber perspective?,” CrowdStrike’s Adam Meyers was quoted as saying to Politico. “But the reality couldn’t be further from the truth.”