Thursday, May 15, 2025

The "Kimsuky" umbrella of malicious activity

TA406 is one of three groups (the other two being TA408 and TA427) that Proofpoint tracks as being part of what other vendors have been tracking as the "Kimsuky" umbrella of malicious activity for the past several years. Other names for the group include "Thallium" and the "Konni Group."
APT Profile: Kimsuky - SOCRadar® Cyber Intelligence Inc.
A PIVOT OF SORTS: The attacks in Ukraine represent a pivot of sorts for TA406, which historically has targeted government and diplomatic entities in Russia, the United States, and South Korea in previous strategic intelligence gathering operations.
  • But otherwise, the group's tactics, techniques, and procedures in the Ukraine attacks align closely with those observed in its more recent campaigns and involve both malware distribution and credential harvesting from target networks.
"TA406's campaigns are likely to supplement strategic intelligence gathering for North Korean regime stakeholders," says Greg Lesnewich, senior threat researcher at Proofpoint. Lesnewich says TA406 appears to be
  1. targeting political information to gauge Ukraine's resolve in the conflict, and
  2. helping North Korean stakeholders assess whether additional troop support may be requested by Moscow.


North Korea's TA406 Targets Ukraine for Intel

The threat group's goal is to help Pyongyang assess risk to its troops deployed in Ukraine and to figure out if Moscow might want more.

Jai Vijayan, Contributing Writer
May 13, 2025

Lesnewich adds that Proofpoint is not aware of any other North Korean intrusion clusters currently targeting the same entities or conducting similar operations.

North Korea-backed threat group TA406 is targeting government agencies in Ukraine in an apparent effort to collect intelligence on the country's continued desire and ability to fight back against Russia's invasion.

The campaign appears to be aimed at helping Pyongyang assess the risk to North Korean personnel already deployed in Ukraine alongside Russian forces, and to gauge the likelihood of future requests from Moscow for additional military support, according to a new report from Proofpoint.

> In the attacks that Proofpoint observed in Ukraine, TA406 actors sent phishing emails to targeted individuals from a fictitious senior fellow belonging to a fake think tank called the "Royal Institute of Strategic Studies." The phishing email often contained a link that downloaded a password-protected archive file hosted on the MEGA file hosting service called AnalyticalReport.rar.

  • If the target opened the RAR file, it unpacked a Compiled HTML Help (CHM) file with HTML files inside that showed fake content about Ukrainian military leader Valeriy Zaluzhnyi. 
  • If the intended victim clicked on the page, it ran a PowerShell script that connected to a malicious website to download and run additional malicious code. 
  • When targets didn't bite right away, TA406 followed up with pushy emails asking if they'd seen the message and urging them to download the file.

Later Stage PowerShell Scripts

The next-stage PowerShell scripts that Proofpoint observed TA406 using in the Ukraine campaign dug up details about the victim's computer by running commands like "ipconfig /all" to grab network info and "systeminfo" to collect system details. The script also used other commands to find recent files and disk info, and to check for antivirus software using Windows Management Instrumentation (WMI). The malicious code then bundled all the data it harvested from an affected system, encoded it in Base64, and sent it to an attacker-controlled website. The PowerShell script then created a new file called "state.bat" in the computer's APPDATA folder and rigged it to autorun every time the compromised system started up, thereby ensuring persistence.

Related:Chinese Actor Hit Taiwanese Drone Makers, Supply Chains

In some cases, Proofpoint observed TA406 including an HTML file directly in the initial phishing email. The file contained a link that, if clicked, triggered the download of a zip archive from a TA406-controlled site. The archive file contained a benign PDF, and also a malicious shortcut file (LNK) named "Why Zelenskyy fired Zaluzhnyi.lnk." When opened, the LNK file ran a hidden PowerShell script that set up a scheduled task to launch a JavaScript file. The script contacted an attacker-controlled site for more instructions, which it would run using PowerShell. Proofpoint couldn't see what happened next because the final payload was unavailable during their analysis, the security vendor said. 
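The three execution chains described above (CHM viewer spawning PowerShell, PowerShell running recon commands and dropping an autorun state.bat under APPDATA, and a hidden PowerShell registering a scheduled task that launches a JavaScript file) can be correlated from ordinary endpoint telemetry. The script below is an added detection example, not Proofpoint's code or any rule from its report: it runs three rules over a handful of constructed Sysmon-like events. The event shape and field names, the file paths, the Run-key autorun mechanism, the WMI class string used as the antivirus-check marker, and the score threshold are all assumptions made for this example.

```python
"""Correlate constructed endpoint events to flag the three TA406 execution
chains described above: CHM -> PowerShell, PowerShell recon + state.bat
autorun, and hidden PowerShell -> scheduled task running a .js file.
The event shape, field names, paths and marker strings below are
assumptions for this example, not Proofpoint's telemetry or rules."""
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"

# Constructed Sysmon-like events (process create / file create / registry set).
SAMPLE_EVENTS = [
    # ws01: CHM lure opened with hh.exe, which spawns PowerShell
    {"ts": 100, "host": "ws01", "kind": "process", "image": r"C:\Windows\hh.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "hh.exe report.chm"},
    {"ts": 101, "host": "ws01", "kind": "process", "image": PS,
     "parent": r"C:\Windows\hh.exe", "cmdline": "powershell -w hidden -File stage.ps1"},
    # ws01: recon commands and persistence produced by that PowerShell
    {"ts": 102, "host": "ws01", "kind": "process", "image": SYS32 + r"\ipconfig.exe",
     "parent": PS, "cmdline": "ipconfig /all"},
    {"ts": 103, "host": "ws01", "kind": "process", "image": SYS32 + r"\systeminfo.exe",
     "parent": PS, "cmdline": "systeminfo"},
    {"ts": 104, "host": "ws01", "kind": "process", "image": PS, "parent": PS,
     "cmdline": "powershell Get-WmiObject -Namespace root/SecurityCenter2 -Class AntiVirusProduct"},
    {"ts": 105, "host": "ws01", "kind": "file", "image": PS,
     "target": r"C:\Users\a\AppData\Roaming\state.bat"},
    {"ts": 106, "host": "ws01", "kind": "registry", "image": PS,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\state",
     "details": r"C:\Users\a\AppData\Roaming\state.bat"},   # assumed autorun mechanism
    # ws02: LNK chain - explorer launches hidden PowerShell, which registers a task
    {"ts": 200, "host": "ws02", "kind": "process", "image": PS,
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell -w hidden -File run.ps1"},
    {"ts": 201, "host": "ws02", "kind": "process", "image": SYS32 + r"\schtasks.exe",
     "parent": PS,
     "cmdline": r'schtasks /create /tn Upd /sc minute /mo 5 /tr "wscript.exe C:\Users\b\AppData\Roaming\u.js"'},
    # ws03: benign admin use of ipconfig from cmd.exe (must not alert)
    {"ts": 300, "host": "ws03", "kind": "process", "image": SYS32 + r"\ipconfig.exe",
     "parent": SYS32 + r"\cmd.exe", "cmdline": "ipconfig /all"},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def from_powershell(e):
    """True when PowerShell caused the event (as parent process, or as the writer)."""
    origin = e["parent"] if e["kind"] == "process" else e["image"]
    return base(origin) == "powershell.exe"


# Markers of the recon + persistence script; several must co-occur on one host.
RECON_MARKERS = {
    "ipconfig_all": lambda e: base(e["image"]) == "ipconfig.exe" and "/all" in e.get("cmdline", ""),
    "systeminfo": lambda e: base(e["image"]) == "systeminfo.exe",
    "wmi_av_query": lambda e: "antivirusproduct" in e.get("cmdline", "").lower(),
    "state_bat_write": lambda e: e["kind"] == "file"
        and "\\appdata\\" in e["target"].lower() and base(e["target"]) == "state.bat",
    "run_key_autorun": lambda e: e["kind"] == "registry"
        and "\\currentversion\\run\\" in e["target"].lower()
        and "state.bat" in e.get("details", "").lower(),
}


def detect_chm_lure(events):
    """Rule 1: the CHM viewer (hh.exe) spawning PowerShell."""
    return [(e["host"], e["ts"]) for e in events
            if e["kind"] == "process" and base(e["parent"]) == "hh.exe"
            and base(e["image"]) == "powershell.exe"]


def detect_recon_persistence(events, window=600, min_markers=3):
    """Rule 2: per host, >= min_markers distinct markers, all from PowerShell, within window seconds."""
    first_seen = defaultdict(dict)            # host -> marker name -> first timestamp
    for e in events:
        if not from_powershell(e):
            continue
        for name, test in RECON_MARKERS.items():
            if test(e):
                first_seen[e["host"]].setdefault(name, e["ts"])
    hits = []
    for host, seen in first_seen.items():
        if len(seen) >= min_markers and max(seen.values()) - min(seen.values()) <= window:
            hits.append((host, sorted(seen)))
    return hits


def detect_hidden_ps_js_task(events):
    """Rule 3: PowerShell creating a scheduled task whose action runs a .js via wscript/cscript."""
    hits = []
    for e in events:
        if e["kind"] == "process" and base(e["image"]) == "schtasks.exe" and from_powershell(e):
            cl = e["cmdline"].lower()
            if "/create" in cl and ".js" in cl and ("wscript" in cl or "cscript" in cl):
                hits.append((e["host"], e["ts"]))
    return hits


def run_rules(events):
    """Run all three rules and return their hits keyed by rule name."""
    return {"chm_lure": detect_chm_lure(events),
            "recon_persistence": detect_recon_persistence(events),
            "hidden_ps_js_task": detect_hidden_ps_js_task(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(rule, hits or "no hits")
```

Rule 2 deliberately requires several markers from the same PowerShell lineage within a short window, so a lone "ipconfig /all" typed by an administrator (the ws03 event) does not fire; the marker set and threshold would be tuned against a real environment's baseline.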

TA406 Cyber Campaign: North Korea's Focus on Ukraine Intelligence

As part of the same campaign, TA406 also sent out fake Microsoft security alerts from Proton Mail email accounts to Ukrainian government targets. The emails warned recipients about unusual login attempts to their accounts from different IP addresses and urged them to verify the activity by clicking on a link. Users who followed the instructions ended up landing on a credential-harvesting site.
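The fake security-alert lure described above combines three observable traits: a brand in the display name that does not match the sending domain, a free webmail sender, and an urgent "verify your login" link that does not point at the brand's own domain. The script below is an added triage example, not code from Proofpoint or the article: it parses a constructed message with Python's standard email module and scores those traits. The trusted-domain and free-mail lists, the lure phrases, the threshold, and both sample messages are assumptions for this example.

```python
"""Heuristic triage of a 'Microsoft security alert' lure like the one described
above. Both messages below are constructed; the domain lists, phrase list and
threshold are assumptions for this example, not Proofpoint's detection logic."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_SENDER_DOMAINS = {"microsoft.com"}                            # assumption
TRUSTED_LINK_DOMAINS = {"microsoft.com", "live.com", "office.com"}    # assumption
FREE_MAIL_DOMAINS = {"proton.me", "protonmail.com", "gmail.com"}      # assumption
LURE_PHRASES = ("unusual sign-in", "unusual login", "suspicious activity", "verify")

# Constructed lure: brand name in the display name, Proton Mail sender, off-brand link.
SAMPLE_LURE = """From: Microsoft Account Team <alerts.sample@proton.me>
To: analyst@example.gov
Subject: Unusual sign-in activity on your account
Content-Type: text/html

<p>We detected an unusual login attempt to your account from a new IP address.</p>
<p>Please <a href="https://account-check.example.net/auth">verify this activity</a> now.</p>
"""

# Constructed legitimate-looking notice for comparison.
SAMPLE_BENIGN = """From: Microsoft account team <noreply@accountprotection.microsoft.com>
To: analyst@example.gov
Subject: Your password was changed
Content-Type: text/html

<p>Your password was changed. If this was you, no action is needed.</p>
<p>Review settings at <a href="https://account.microsoft.com/security">your account</a>.</p>
"""


def _under(host, domains):
    """True when host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message):
    """Return the sender, the off-brand links found, the reasons raised, and a verdict."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = _body_text(msg)
    reasons = []
    claims_brand = "microsoft" in (display_name + " " + msg.get("Subject", "")).lower()
    if claims_brand and not _under(sender_domain, TRUSTED_SENDER_DOMAINS):
        reasons.append("brand_mismatch")
    if _under(sender_domain, FREE_MAIL_DOMAINS):
        reasons.append("free_mail_sender")
    if any(phrase in body.lower() for phrase in LURE_PHRASES):
        reasons.append("login_alert_lure")
    links = re.findall(r'href="([^"]+)"', body)
    off_brand = [u for u in links if not _under(urlparse(u).hostname, TRUSTED_LINK_DOMAINS)]
    if off_brand:
        reasons.append("untrusted_link")
    return {"sender": addr, "links": off_brand, "reasons": reasons,
            "suspicious": len(reasons) >= 3}


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess(sample))
```

The brand check only fires when the message claims to be from the brand, so mail from unrelated free-mail senders is not penalised twice; in production the link check would also resolve redirectors and compare against the organisation's own allow-list rather than a three-entry set.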

"North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theater," Lesnewich and fellow Proofpoint researchers Saher Naumaan and Mark Kelly wrote in the report. 
"Unlike Russian groups who have likely been tasked with targeting Ukrainian forces in situ, TA406 has typically focused on more strategic, political intelligence collection efforts."

Proofpoint has not observed TA408 or TA427 directly target Ukrainian entities, Lesnewich says. "Proofpoint has observed TA427 take interest in information about Ukraine since before Russia commenced its invasion, but it has always targeted Western entities to gather such information," he adds.

TA406 has been active since at least 2012 and is known for using both malware and credential harvesting tactics to break into target networks and gather information of interest to its North Korean handlers. In addition to using living-off-the-land tactics, TA406 is also associated with several different malware tools, including Konni, Sanny, BabyShark, and Amadey. Most recently, researchers at Securonix spotted members of the umbrella group using fake work logs, crypto-files, and insurance documents to trick users in South Korea into downloading a malicious shortcut file that harvested system information and executed PowerShell scripts.

