### To catch a Banshee: How Kimsuky’s tradecraft betrays its complementary campaigns and mission

###### Sveva Vittoria Scenarelli, September 2020

-----

### Presenter + team

###### Sveva Vittoria Scenarelli (@cyberoverdrive), Senior Threat Intelligence Analyst @PwC UK

… but really, it takes a team: John Southworth (@BitsOfBinary), Jason Smart (@pewpew_lazors)

● Focus on APAC-based APTs
● “Malware intertextuality” & codebase evolution analysis
● CONFidence Online 2020, CyberThreat 2019

-----

###### Timeline of Black Banshee activity, 2018 to 2020 (chart residue; only the entries below survive, and the month ticks could not be recovered)

● GoldDragon RAT / GHOST419: malicious HWP spear phishing continues
● BabyShark begins
● Sanctions
● Disclosure of an espionage campaign targeting the South Korean government with a new RAT, MyDogs
● More WildCommand: the WildCommand RAT resurfaces and is used to target financial entities in South-East Asia (see https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html)
● Operation Kabar Cobra / Kitty Phishing / WildCommand: since at least December 2018
● AppleSeed campaign: since at least February 2019, Kimsuky introduces a RAT used to target Japanese defence contractors. The website of Washington University is compromised and used for C2.
● Autumn Aperture: the BabyShark campaign continues targeting US entities in the defence and national security space

-----

### This presentation has many questions

###### How do Black Banshee’s tools, infrastructure, targeting and strategic objectives intersect? How do they connect Black Banshee’s campaigns in a tight-knit web of activity? What function do Black Banshee’s campaigns perform, among other North Korea-based cyber threats?
To answer them, we need to:

● Understand the malware
● Map out the infrastructure
● Cluster the campaigns
● Pinpoint their intersections
● Identify the strategic targets

-----

## Black Banshee: Malware to C2s

-----

### BabyShark

**SHA256: 66AC66A8E2D8560F8287BFB23F0964CCB930585A96C0029292C4963FF896011A**

###### VBScript-based, sequential malware: a persistent downloader / loader that executes further scripts/payloads

Track through…

● Encoding routine (roughly the same since at least 2018, with a different key; there is at least one other variant)
● URL paths (incremental parameters; server-side script names)

-----

BabyShark URL chain observed on jonashartley[.]com between 2019-11-24 and 2019-11-26 (the `op=` parameter increments from one request to the next):

```
hxxps://jonashartley[.]com/hilaryolsen/wp-includes/customize/1111/res.php?op=
hxxp://jonashartley[.]com/hilaryolsen/wp-includes/customize/1111/res.php?op=12.0
hxxp://jonashartley[.]com/archive/css/0924/zjirz0.hta
customize/1111/Brzol0.hta
hxxps://jonashartley[.]com/hilaryolsen/wp-includes/customize/1111/res.php?op=14.0
hxxp://jonashartley[.]com/hilaryolsen/wp-includes/images/crystal/1122/dbrcn0.hta
hxxps://jonashartley[.]com/hilaryolsen/wp-includes/random_compat/
```

-----

###### BabyShark URL structure

Known server-side scripts:

```
- expres.php?op=
- cow.php
```

Recent server-side scripts and payloads:

```
- cross.php?op=
- res.php?op=
- .php?er=
- pre.hta
- suf.hta
```

-----

### AppleSeed

**SHA256: 9e004a659e8cb6236ac56671e4afa4b8fbb6f394807aa3decf6e268e17359ec6**

###### Backdoor that uses temporary JavaScript files (executed via WScript) to connect with the C2

● In use since at least October 2019
● Mutex: I’M POSSIBLE or <*IMPOSSIBLE*>
● Masquerading as AVs:
  ○ ESTsoft\Common
  ○ %APPDATA%\software\microsoft\windows\Autopatch\autopatch.dll
  ○ %PROGRAMDATA%\software\microsoft\windows\defender\autoupdate.dll
● Tiny Banshee self-delete batch script

-----

###### Track through…

Unique encoding routine:

● Hex strings, each with a unique 16-byte key
● Each char XOR’ed with the corresponding key byte, then XOR’ed with the previous char

AppleSeed URL structure:

```
hxxp://suzuki[.]datastore[.]pe[.]hu/?m=[letter, a-e]&p1=[victim ID]&p2=[resource]&p3=[victim info]
```

e.g.

```
hxxp://suzuki[.]datastore[.]pe[.]hu/?m=a&p1=1253dc67f01a&p2=win_6.1.7601-x64_DROPPER
```

-----

### FlowerPower

**SHA256: d36ac36d278c264362ec31e116a46daaa4a7287a9dcd689d665a5ab1fd5416b8**

###### PowerShell victim profiling tool: the initial persistent implant, used to identify the victim and/or drop further payloads

Server-side folder names change every time, but sometimes there is a correspondence: e.g. the “mybobo” payload and the “mybobo” C2 domain; “flower” (see the pivot queries below) is where the FlowerPower name came from.

Track through… Unobfuscated functions and execution logs (e.g.
“Success”; “UpLoad Fail!!!”)

|Function name|Functionality|
|---|---|
|main|Sets persistence through a Run key, creates a log file, and executes all other functions in the script in this order: Get_Info, FileUploading, and Download.|
|Get_Info|Gathers basic system information and performs a basic file listing.|
|FileUploading|Calls UpLoadFunc and echoes whether UpLoadFunc worked successfully.|
|UpLoadFunc|Encodes all data in the log file and sends it to the C2 via HTTP POST.|

-----

Pivot queries on FlowerPower server-side folder names:

```
entity:url url:“/flower01/”
entity:url url:“/eodo/”
```

-----

### WebForm Boundaries

###### WebForm boundaries are a KEY component in tracking Black Banshee malware as well as C2 infrastructure. Notable examples:

● ----WebKitFormBoundarywhpFxMBe19cSjFnG: in both GoldDragon and FlowerPower
● ----4cef22e90f: across samples of WildCommand

-----

## Black Banshee: C2s to more C2s

-----

### One pivot to find them

###### Black Banshee C2 infrastructure tends to have many overlaps. Let’s take a single IP: 45.13.135[.]103

● Different domains over months
● Goldmine of email phishing (Gmail, Naver, Daum…)
● Crossover with AppleSeed C2s
● MIND THE HYPHEN

More specific targeting examples:

```
snu[.]ac-kr[.]esy[.]es
toyota[.]datastore[.]pe[.]hu
suzuki[.]datastore[.]pe[.]hu
```

-----

|Generic themes|Specific themes|Banshee-registered domains|(Shared) parent domains|
|---|---|---|---|
|Account|AhnLab|org-help[.]com|pe[.]hu|
|Login|Alyac|ma1l-help[.]com|hol[.]es|
|Mail|Daum|manager-alert[.]com|esy[.]es|
|Manage|Kakao|org-view[.]work|*[.]work|
|Member|Naver|doc-view[.]work|atwebpages[.]com|
|Secure|NTT Docomo|account-protect[.]work|mygamesonline[.]org|
|User|OHCHR|com-sslnet[.]work|myartsonline[.]com|

###### Recent examples:

```
user[.]mai1-help[.]com
ohchr[.]org-view[.]work
ramble[.]myartsonline[.]com
```

-----

## Black Banshee: campaigns

-----

Campaign timeline chart (chart residue; only the campaign labels survive, not their date ranges):

● Kitty Phishing
● Kabar Cobra
● Operation WildCommand; WildCommand
● GoldDragon
● AppleSeed campaign
● FlowerPower activity
● BabyShark campaign
● Smoke Screen campaign
● Autumn Aperture campaign
● Winter Interests
● (ANSSI) Credentials Gathering campaign
● OHCHR and academia phishing
● Focus on Japanese, South Korean Internet providers

Legend: Supranational targeting; Credential theft campaigns; Espionage campaigns

-----

###### From our visibility & collection, Black Banshee has focused mostly on:

● South Korea
● Japan (defence)
● US policy
● Supranational bodies
● Strategic targets (sanctions; THAAD deployment issues)

Map residue from the same slide (labels only, column assignment not recoverable): Black Banshee; Black Shoggoth; Japan; SEA; Russia; South Korea; US; India; UK; Defence; Crypto; Aerospace & Defence; Financially-motivated cyber crime; Nuclear research

###### Progressive evolution from Banshee’s 2019 targeting: in 2020, Black Artemis has “picked up” some traditional Black Banshee targets (e.g. energy, nuclear). Black Shoggoth & Banshee continue overlapping in targeting of journalists, NGOs, plus East & SE Asia.

-----

# Thank you

[pwc.co.uk/cybersecurity](http://www.pwc.co.uk/cybersecurity)

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
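The AppleSeed string-encoding routine and beacon URL structure from the Malware to C2s slides, as an added worked example in Python; this is not code from the deck or from PwC, and the encoded sample is constructed. It assumes the 16-byte key is prepended to each hex string and that the chain XORs against the previous encoded byte; neither detail is stated on the slides.

```python
"""AppleSeed-style hex string decoder and beacon URL parser.
Assumptions (not on the slides): key = first 16 bytes of each hex
string; chaining uses the previous *encoded* byte. Samples are constructed.
"""
from urllib.parse import urlsplit, parse_qs

KEY_LEN = 16


def decode_blob(hex_string: str) -> bytes:
    """Recover plaintext: plain[i] = enc[i] ^ key[i % 16] ^ enc[i - 1]."""
    raw = bytes.fromhex(hex_string)
    key, body = raw[:KEY_LEN], raw[KEY_LEN:]
    out, prev = bytearray(), 0
    for i, c in enumerate(body):
        out.append(c ^ key[i % KEY_LEN] ^ prev)
        prev = c  # chain on the previous encoded byte (assumption)
    return bytes(out)


def encode_blob(plain: bytes, key: bytes) -> str:
    """Inverse of decode_blob; only used to build test material here."""
    assert len(key) == KEY_LEN
    body, prev = bytearray(), 0
    for i, p in enumerate(plain):
        c = p ^ key[i % KEY_LEN] ^ prev
        body.append(c)
        prev = c
    return (key + bytes(body)).hex()


def parse_beacon(defanged_url: str) -> dict:
    """Split a defanged AppleSeed beacon URL into its m/p1/p2/p3 fields."""
    url = defanged_url.replace("hxxp", "http").replace("[.]", ".")
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [""])[0] for k in ("m", "p1", "p2", "p3")}


# Constructed sample: a fixed key and the resource string from the deck's URL.
SAMPLE_KEY = bytes(range(KEY_LEN))
SAMPLE_HEX = encode_blob(b"win_6.1.7601-x64_DROPPER", SAMPLE_KEY)
SAMPLE_URL = ("hxxp://suzuki[.]datastore[.]pe[.]hu/?m=a&p1=1253dc67f01a"
              "&p2=win_6.1.7601-x64_DROPPER")

if __name__ == "__main__":
    print(decode_blob(SAMPLE_HEX))
    print(parse_beacon(SAMPLE_URL))
```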
-----

###### References

● ‘Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 1’, PwC UK, https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html (18th February 2020)
● ‘Tracking ‘Kimsuky’, the North Korea-based cyber espionage group: Part 2’, PwC UK, https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html (9th March 2020)
● ‘The Kimsuky Operation: A North Korean APT?’, Kaspersky, https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ (11th September 2013)
● ‘Commissioner of the National Police Agency: “Blue House Impersonation E-mail, North Korean Hacker Action”’, Hani, http://www.hani.co.kr/arti/PRINT/730395.html (15th February 2016)
● ‘Malicious Document Targets PyeongChang Olympics’, McAfee, https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/ (6th January 2018)
● ‘Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems’, McAfee, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ (2nd February 2018)
● ‘Operation Kimsuky’s covert activity: Korea-tailored APT attacks are ongoing’ (오퍼레이션 김수키(Kimsuky)의 은밀한 활동, 한국 맞춤형 APT 공격은 현재진행형), EST Security, https://blog.alyac.co.kr/1536 (12th February 2018)
● ‘Kimsuky hacking group’s targeted APT attack in Korea… Even now’, DailySecu, https://www.dailysecu.com/news/articleView.html?idxno=30007 (13th February 2018)
● ‘Kimsuky group’s Operation Stealth Power silent operation’ (김수키(Kimsuky) 조직, 스텔스파워(Operation Stealth Power) 침묵작전), EST Security, https://blog.alyac.co.kr/2234 (4th March 2019)
● ‘Kimsuky unmasked behind the ‘Smoke Screen’ APT campaign targeting South Korea and the US’ (한ㆍ미 겨냥 APT 캠페인 '스모크스크린' Kimsuky 실체 공개), EST Security, https://blog.alyac.co.kr/2243 (17th March 2019)
● ‘Analysis of the APT Campaign Smoke Screen targeting to Korea’, EST Security, http://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf (30th April 2019)
● ‘BabyShark Malware Part Two: Attacks Continue Using KimJongRat and PCRat’, Palo Alto Networks, https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/ (26th April 2019)
● ‘The All-Purpose Sword: North Korea’s Cyber Operations and Strategies’, J.Y. Kong, J.I. Lim, and K.G. Kim, 2019 11th International Conference on Cyber Conflict: Silent Battle, eds. T. Minárik et al., https://ccdcoe.org/uploads/2019/06/Art_08_The-All-Purpose-Sword.pdf (2019)
● ‘Operation Kabar Cobra’, AhnLab, https://global.ahnlab.com/global/upload/download/techreport/[Analysis_Report]Operation%20Kabar%20Cobra%20(1).pdf (7th January 2019)
● ‘The Double Life of Sector A05 Nesting in Agora (Operation Kitty Phishing)’, ThreatRecon, https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/ (30th January 2019)
● ‘Suspected North Korean Cyber Espionage Campaign Targets Multiple Foreign Ministries and Think Tanks’, Anomali, https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks (22nd August 2019)
● ‘Credentials Gathering Campaign: Large clusters of malicious infrastructure targeting government bodies and other strategic entities’, Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-002-EN.pdf (2nd September 2019)
● ‘Autumn Aperture Report’, Prevailion, https://blog.prevailion.com/2019/09/autumn-aperture-report.html (11th September 2019)
● ‘Kimsuky Group: Track the King of the Spear-Phishing’, Jaeki Kim, Kyoung-Ju Kwak and Min-Chang Jang, Financial Security Institute, https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf (4th October 2019)
● ‘Security Issue: Analysis Report on Operation Red Salt’, in ‘ASEC Report Vol. 96 Q3 2019’, AhnLab, https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf (2019)
● ‘[Special Report] Thallium group, sued by Microsoft in the US, escalates the ‘Fake Striker’ APT campaign threat against South Korea’ ([스페셜리포트] 미국 MS가 고소한 탈륨 그룹, 대한민국 상대로 '페이크스트라이커' APT 캠페인 위협 고조), EST Security, https://blog.alyac.co.kr/3120 (25th July 2020)

-----