Threat level: high

Kimsuky Targets Organizations with Evolving PebbleDash-Based Tools

Kimsuky, a North Korean APT group, is actively targeting organizations, primarily in South Korea, with evolving tactics and tools, leveraging spear-phishing emails and messenger contacts to deploy malware such as PebbleDash and AppleSeed for establishing backdoors and stealing information.

Kimsuky, also known as APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail, is a prolific Korean-speaking threat actor that has been active since at least 2013. Kaspersky researchers have observed tactical shifts in the group’s recent campaigns, including the use of new malware variants based on the PebbleDash platform and connections to the AppleSeed malware cluster. Kimsuky has been leveraging legitimate tools, such as VSCode Tunneling and Cloudflare Quick Tunnels, as well as the open-source DWAgent remote monitoring and management tool. These activities primarily target South Korean entities in both the public and private sectors, with PebbleDash attacks also observed in Brazil and Germany. The group uses spear-phishing emails and messenger contacts to deliver malicious attachments.

Attack Chain

  1. Kimsuky initiates the attack by sending spear-phishing emails or contacting targets via messengers.
  2. The initial contact leads to the delivery of a malicious attachment disguised as a document, such as a compressed file.
  3. The attachments contain droppers in formats like .JSE, .EXE, .PIF, or .SCR, with filenames designed to entice the recipient to open them.
  4. JSE droppers decode Base64-encoded blobs, including a benign lure file and malicious code, storing them in locations like C:\ProgramData with random filenames.
  5. The benign lure file is opened to deceive the user, while the malicious component runs powershell.exe -windowstyle hidden certutil -decode [src path] [dst path] to decode the next stage.
  6. The decoded payload is then executed through a signed Windows binary, using a command line such as regsvr32.exe /s [file path] or rundll32.exe [file path] [export function].
  7. Reger Dropper (.SCR) and Pidoc Dropper (.PIF) decrypt their payloads using XOR operations before deploying files in directories like %temp% or C:\ProgramData.
  8. Post-exploitation, Kimsuky uses legitimate tools like Visual Studio Code (VSCode) and DWAgent for remote access and control, ultimately aiming to establish backdoors and steal information from the compromised systems.

Impact

Kimsuky primarily targets South Korean entities, including both public and private sectors. The PebbleDash cluster has also been observed targeting the medical, military, and defense industries worldwide, with compromises of Brazilian and South Korean defense organizations, as well as a German defense firm. A successful attack leads to the establishment of backdoors, data theft, and potential disruption of critical services. In 2024, the South Korean government released a security advisory regarding the AppleSeed cluster, demonstrating the significant impact of these attacks.

Recommendation

  • Monitor process creation events for the execution of regsvr32.exe or rundll32.exe from unusual locations like %temp% or C:\ProgramData (see Attack Chain step 6) to detect potential malware execution. Deploy the Sigma rule “Detect Suspicious Regsvr32/Rundll32 Execution from Unusual Locations” to your SIEM and tune for your environment.
  • Implement detections for JSE droppers decoding and executing payloads via powershell.exe and certutil.exe. Deploy the Sigma rule “Detect JSE Dropper with Certutil and Powershell” to your SIEM and tune for your environment.
  • Monitor for the execution of legitimate tools such as VSCode or DWAgent from unexpected locations or with unusual command-line arguments, indicating potential post-exploitation activity (see Attack Chain step 8).
  • Scan your environment for the MD5 hashes listed in the IOC table to identify potentially compromised systems.
  • Educate users about the risks of opening attachments from untrusted sources and verify the legitimacy of files before opening them, especially those disguised as documents or application installers (see Attack Chain step 2).

Detection coverage (2 rules)

Detect Suspicious Regsvr32/Rundll32 Execution from Unusual Locations (severity: high)

Detects regsvr32.exe or rundll32.exe executing from suspicious locations like %temp% or C:\ProgramData, often used by malware droppers.

Rule type: sigma; tactics: execution; techniques: T1218.011; sources: process_creation, windows

Detect JSE Dropper with Certutil and Powershell (severity: medium)

Detects JSE droppers using certutil to decode and powershell to execute payloads.

Rule type: sigma; tactics: execution, initial_access; techniques: T1059.001, T1105, T1566.001; sources: process_creation, windows
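Added example (not code from the advisory, from Kaspersky, or from the Sigma rules named above): the two detections described in the Recommendation and Detection coverage sections written as plain Python over constructed process_creation events, so the matching logic can be checked before it is ported to a SIEM. Field names follow the Sysmon/Sigma process_creation convention (Image, ParentImage, CommandLine); every path, filename and event in the sample is made up.

```python
import re

# Directories the advisory names as staging locations (attack chain steps 4 and 7).
SUSPICIOUS_DIRS = ("\\programdata\\", "\\temp\\")
PROXY_BINARIES = ("regsvr32.exe", "rundll32.exe")

def normalize(value: str) -> str:
    """Lower-case and expand %temp% so either spelling of the path matches."""
    return value.lower().replace("%temp%", "c:\\users\\x\\appdata\\local\\temp")

def proxy_exec_from_unusual_location(event: dict) -> bool:
    """Rule 1: regsvr32/rundll32 handed a file under %temp% or ProgramData (step 6)."""
    image = normalize(event.get("Image", ""))
    cmd = normalize(event.get("CommandLine", ""))
    return image.endswith(PROXY_BINARIES) and any(d in cmd for d in SUSPICIOUS_DIRS)

def jse_certutil_decode(event: dict) -> bool:
    """Rule 2: hidden powershell running certutil -decode, as the JSE dropper does (step 5)."""
    parent = normalize(event.get("ParentImage", ""))
    image = normalize(event.get("Image", ""))
    cmd = normalize(event.get("CommandLine", ""))
    decode = re.search(r"certutil(\.exe)?\s+-decode\b", cmd) is not None
    if image.endswith("powershell.exe"):
        return decode and "-windowstyle hidden" in cmd
    if image.endswith("certutil.exe"):
        # Same chain seen from the child: certutil spawned by the script host or by powershell.
        return decode and parent.endswith(("powershell.exe", "wscript.exe", "cscript.exe"))
    return False

RULES = {
    "Detect Suspicious Regsvr32/Rundll32 Execution from Unusual Locations": proxy_exec_from_unusual_location,
    "Detect JSE Dropper with Certutil and Powershell": jse_certutil_decode,
}

def scan(events: list) -> list:
    """Return (event index, rule title) for every event that fires a rule."""
    return [(i, title) for i, ev in enumerate(events) for title, rule in RULES.items() if rule(ev)]

# Constructed process_creation events: two mimic the advisory's chain, two are benign lookalikes.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "regsvr32.exe /s C:\\ProgramData\\kx9fq2.dll"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden certutil -decode C:\\ProgramData\\a1b2.tmp C:\\ProgramData\\a1b2.dll"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -hashfile C:\\tools\\image.iso SHA256"},
]
```

Running scan(SAMPLE_EVENTS) flags only the first and third events; the benign rundll32 and certutil -hashfile calls pass, which is the tuning the Recommendation section asks for.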


Indicators of compromise (5 MD5 file hashes)
