The North Korean group of actors known as ‘Thallium,’ or otherwise the ‘Kimsuky’ APT, are continuing their active targeting of various South Korean key entities and persons. The KISA (Korean Internet and Security Agency) has published a very detailed report a couple of months back containing all the details on how the attackers move against their targets. Moreover, Malwarebytes - which is also following the particular APT - has now published its own write-up on the topic.
Based on the latest available data, the targets of Thallium are the following:
The attacks start by sending a phishing email to the target, sent from a mimicked infrastructure that appears like a legit and well-known site at a glance. Typically, we see the spoofing of Google and the Gmail service, but there’s also Hotmail, Microsoft Outlook, Telegram, and more. Example URLs include “login[.]gmail-account[.]gq”, “accounts[.]goggle[.]hol[.]es/MyAccount”, and also “ns1.microsoft-office[.]us”, but there are many more.
The goal is to collect the target’s credentials or at least their more critical email addresses. These are then used for a more sophisticated spear-phishing campaign that relies more heavily upon social engineering. Thallium targets both English and Korean-speaking victims, so they have put in the extra work to prepare their phishing pages, make them support both languages, and detect what the visitor is using to adjust automatically.
As for the infrastructure, Thallium is using several parts that have been reused in the recent past, like, for example, the AppleSeed backdoor C2 communications. Right now, the threat group is using two backdoors, one for Windows users and one for Android devices, and they are both sharing the same infrastructure.
And finally, in terms of the capabilities of this malware, there is a keylogger that captures key presses and stores them in a log.txt file, there’s a screenshot capture tool that uses API calls for the purpose, and there’s also a module that can identify the inserting of a USB drive and collect its data to send it to the C2 server at a later stage. Of course, file exfiltration from local hard disks is also included, with the relevant thread looking for txt, ppt, hwp, pdf, and doc files in the Desktop, Documents, and Downloads.