2022-08-30

Infectious Spearphishing Emails Linked with Kimsuky's GoldDragon Cluster

Level: 
Tactical
  |  Source: 
Kaspersky
Government
Politicians
Share:

Infectious Spearphishing Emails Linked with Kimsuky's GoldDragon Cluster

Industry: Government - Politicians | Level: Tactical | Source: Kaspersky

Researchers from Kaspersky have identified new cybercrime activity associated with the North Korean threat actor group, Kimsuky. A cluster of the group known as GoldDragon is specifically being tracked. Spearphishing emails distributed by the group, utilize themes associated with geopolitical issues within Korea. The email contains a weaponized Word document with a malicious macro. Once executed a VBS script is downloaded onto the victim's workstation to collect host information and download additional scripts/malware to complete the information stealing campaign. GoldDragon appears to be only interested in specific targets as an email address check validates if the infection chain should proceed with benign payloads being supplied to unexpected email addresses. The C2 infrastructure used by the group is complex containing multiple hops "The Kimsuky group configured multi-stage command and control servers with various commercial hosting services located around the world."

Anvilogic Scenario:

  • Kimsuky's GoldDragon - Infection Chain with Malicious Doc

Anvilogic Use Cases:

  • Suspicious Executable by CMD.exe
  • MSHTA.exe execution
  • Rare Remote Thread

Get trending threats published weekly by the Anvilogic team.

Sign Up Now