An Unexpected Enemy: North Korean Hackers Infiltrate the Kremlin

Details of cloud-based stealth attacks.

Analysis of the threats associated with the Konni campaign shows the increasing activity of the Kimsuky group, which uses various methods for stealthy attacks. The danger lies in the use of legitimate cloud services and FTP to stage the targeted systems, making it difficult to detect malicious files. The campaign is hitting not only systems in South Korea, but also Russian government institutions as well as other international targets.

Using techniques such as spear-phishing and malicious documents (e.g., files with the extension '.exe', '.scr', '.ppam'), attackers disguise their attacks as legitimate requests or documents. In one such attack, identified in 2022, the attackers used fake documents related to Russia's foreign policy activities, as well as tax and financial transaction documents, confirming the broader goals of the campaign.

Attackers use free domains and hosting services to execute remote control commands, making it easier to create and hide command and control (C2) servers. An important element of the attacks is the modification and injection of malware through the creation of software bookmarks (RATs) using PowerShell and VBS, which then execute encrypted commands on the compromised devices.

Numerous files discovered during the analysis demonstrate the group's ability to adapt to conditions and use sophisticated methods to bypass traditional security systems, including file-based and fileless attacks. Modern endpoint detection and response (EDR) systems enable faster detection of threats and early prevention, reducing the risk of large-scale data breaches.

In recent years, campaigns associated with Kimsuky have included not only targeted attacks on government agencies, but also attacks on representatives of cryptocurrency transactions, which points to the group's financial motives.
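A defender-side illustration of the detection angle the post closes on, added here and not part of the original post or of any vendor's tooling: a small Python classifier over constructed process-creation events that flags the patterns the post names (executables hiding behind document-style double extensions such as .exe, .scr and .ppam, script hosts spawned by Office applications, PowerShell launched with an encoded command, VBS run from a download location). The log line format, the sample events and all field names are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (not from the original post).
# Each line is "parent image -> child image | child command line".
SAMPLE_EVENTS = [
    "WINWORD.EXE -> powershell.exe | powershell -nop -w hidden -enc SQBFAFgAIAAo",
    "explorer.exe -> wscript.exe | wscript.exe C:\\Users\\u\\Downloads\\invoice_2022.vbs",
    "explorer.exe -> powershell.exe | powershell -File C:\\scripts\\backup.ps1",
    "outlook.exe -> Annual_report.pdf.scr | C:\\Users\\u\\Downloads\\Annual_report.pdf.scr",
    "svchost.exe -> notepad.exe | notepad.exe readme.txt",
]

# Extensions the post names as executable/macro containers disguised as documents.
EXEC_EXT = (".exe", ".scr", ".ppam")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# PowerShell's -e/-ec/-enc/-EncodedCommand switch followed by a base64-looking blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")

def parse_event(line):
    """Split one constructed log line into (parent, image, command line), lower-cased names."""
    left, cmd = line.split(" | ", 1)
    parent, image = [p.strip().lower() for p in left.split("->")]
    return parent, image, cmd.strip()

def classify(line):
    """Return the list of detection reasons for one event (empty list means benign)."""
    parent, image, cmd = parse_event(line)
    reasons = []
    if image.endswith(EXEC_EXT) and image.count(".") > 1:
        reasons.append("executable disguised with document double extension")
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        reasons.append("script host spawned by Office application")
    if image == "powershell.exe" and ENCODED_FLAG.search(cmd):
        reasons.append("PowerShell launched with encoded command")
    if image in {"wscript.exe", "cscript.exe"} and re.search(r"(?i)\.vbs\b", cmd) \
            and "\\downloads\\" in cmd.lower():
        reasons.append("VBS executed from Downloads directory")
    return reasons

def suspicious_events(lines):
    """Map each flagged event line to its reasons; benign lines are omitted."""
    return {line: classify(line) for line in lines if classify(line)}

if __name__ == "__main__":
    for event, reasons in suspicious_events(SAMPLE_EVENTS).items():
        print(event, "->", "; ".join(reasons))
```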
