May 28, 2023

North Korean APT group Kimsuky is adopting new TTP, by splitting it into two smaller subgroups: CloudDragon and KimDragon. It often employs social engineering, spear-phishing, and watering hole attacks to collect information from targets primarily located in South Korea, Japan, and the US. Both attack government agencies and educational targets such as universities and research centers.

CloudDragon relies on malware including TroiBomb, RoastMe, JamBog (AppleSeed), BabyShark, and DongMulRAT (WildCommand). KimDragon uses malware variants: Lovexxx (GoldDragon variant), JinhoSpy (NavRAT variant), BoboStealer (FlowerPower), and MireScript.

CloudDragon had a broader geographical footprint, branching out to attack Japan and several European Union countries, while KimDragon had only expanded to India. CloudDragon also had a broader scope of industry targets, which included financial institutions, energy companies, high-tech businesses, and aerospace and defense industries.

CloudDragon launched a supply chain attack against a firm in the Korean cryptocurrency industry. Attackers went after a hardware wallet surface, which typically specializes in security but needs software to assist with blockchain on the Internet. Attackers created a malicious version of its management software and deployed it to the official website targetting windows users

CloudDragon also targets mobile devices. The group deployed a malicious app to Google Play; if a victim launches the app and has auto-update enabled, the malware will be downloaded without notice and upload the user’s data to C2C server belonging to the attackers

The researchers also observed CloudDragon adopting new phishing technique in which attackers automatically fill in phishing websites with content from the legitimate website they are trying to mimic. When a victim opens a malicious link, the phishing site simultaneously sends a request to the real website, fetches the content, modifies it so it’s malicious, and shows the result on the phishing site.

Tags:

Leave a Reply

You may have missed

TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
Buhti Ransomware Dissection

Buhti Ransomware Dissection

May 26, 2023
%d bloggers like this: