Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2

Clustering activity

Investigating Black Banshee’s 2019 activity, and the infrastructure patterns emerging across different campaigns and connecting them, we identified a number of activity “clusters”. Such clusters of campaigns and operations – identified based on our own datasets as well as excellent open source research from others – are tied together by infrastructure links, similar tradecraft, shared indicators, and matching targeting.

Figure 1 below shows the activity of several campaigns – grouped into such clusters – between November 2018 and February 2020:

• The WildCommand cluster;
• The BabyShark cluster; and,
• A credential harvesting cluster.

_{Figure 1. A high-level overview of campaigns conducted by Black Banshee throughout 2019.}

_{The dotted lines in the picture mark periods in which PwC analysts did not observe large volumes of activity related to a certain campaign, but in which such activity was likely in preparation, or still ongoing.}

The Wild Cluster

The WildCommand cluster includes the activity first publicly detailed in AhnLab’s Operation Kabar Cobra. The continuation of that activity was exposed in ThreatRecon’s Operation Kitty Phishing. We tracked this campaign as it continued throughout April and May 2019.

All this activity targeted the South Korean government sector, as well as aerospace and defence contractors and cryptocurrency organisations doing business in South Korea. Based on our analysis, we assessed that the operations were effectively part of the same overarching campaign, as they exhibited extensive overlaps in infrastructure and correspondence in tools, techniques and procedures (TTPs)  deployed – including a new malware family at the time, a Remote Access Trojan (RAT) that we referred to as WildCommand.

_{Figure 2. An evolution: Operation Kabar Cobra, Kitty Phishing, WildCommand and Missiles and Money are snapshots in time of a longer effort by Black Banshee.}

We found further infrastructure links tying the WildCommand cluster to a campaign targeting cryptocurrency organisations, and active from 2018 until at least May 2019, which EST Security has grouped under the name “Operation MoneyHolic”. 

We also saw multiple infrastructure connections between the WildCommand cluster and yet another set of activity, dated around May 2019, leveraging a DLL RAT family that we refer to as MyDogs. MyDogs – a RAT that uses FTP to receive commands and exfiltrate files – was reported on as being used in a cluster of activity called “Operation Red Salt” by AhnLab, in a campaign mostly targeted towards South Korean entities. Although the set of activity that AhnLab called Operation Red Salt was active around July 2019, we observed the leadup for this campaign building from at least May 2019 – around the time when we also noticed a temporary halt in the activity associated with Operation WildCommand.

Recently, we have observed new WildCommand activity. This return of the WildCommand campaign used similar TTPs to previous activity and a slightly updated version of the backdoor, with samples compiled around 13th February 2020; from what we have been able to observe so far, this activity targeted financial sector entities in South East Asia.

The BabyShark cluster

The second cluster that PwC identified across Black Banshee’s 2019 activity revolves around a campaign, active since at least late 2018, that Palo Alto’s Unit42 called “BabyShark”  and EST Security refers to as “Operation SmokeScreen”. This campaign has consistently targeted policy and national security think tanks as well as government entities in the US, South Korea, and European countries. It has also targeted organisations in the cryptocurrency space. 

We noted infrastructure overlaps and indicator sharing between this and Prevailion’s “Autumn Aperture” report, including similar malware and the same author name – “windosmb” – present across multiple lure documents utilised in both campaigns. Such evidence led us to assess that the Autumn Aperture campaign likely constituted a continuation of the BabyShark campaign.

_{Figure 3. An example of overlaps between PwC reporting on BabyShark activity, Operation SmokeScreen, Prevailion’s Autumn Aperture campaign report, and ANSSI’s advisory on credential phishing activity attributed to Black Banshee.}

_{Figure 4. The continuum of BabyShark activity between November 2018 and December 2019.}

BabyShark activity often relied on compromised infrastructure instead of adversary-registered domains. However, the naming of server-side folders remained consistent across BabyShark campaigns. Folders like “/customize/1111”, server-side files like “cow.php”, “expres.php”,   and malware parameters like “op=” remained characteristic of BabyShark malware through its iterations until the current time. 

PwC analysts have routinely observed such server-side scripts on Black Banshee C2 infrastructure. These same server-side scripts were also observed in the context of a campaign targeting the South Korean government and dubbed “Operation Stealth Power” by EST Security.  Although Operation Stealth Power was not directly linked to BabyShark activity, the use of those same scripts effectively ties together different Black Banshee campaigns based on the same infrastructure management TTPs.

A net cast wide: long-running, large-scale credential capture campaign

Separately, Prevailion noted some shared indicators and infrastructure connecting the “Autumn Aperture” campaign with activity discussed in a report by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), and also covered by Anomali in a late August 2019 report. Multiple infrastructure connections (examples of which are shown in Figure 4 above) and targeting similarities between the BabyShark campaign, Autumn Aperture, and the ANSSI report, lead us to assess these sets of activity are likely part of the same “cluster”. This is an overarching effort to target mainly foreign governments as well as institutions in the national security, policy, and education space – with multiple similarities across the domains that we observed being set up between August and December 2018.