Kimsuky Hackers’ Playbook Uncovered in Exposed ‘Kim’ Data Dump


A recent leak of operational data from a North Korean threat actor's own workstation has provided significant insight into the operations of Kimsuky (APT43). The leak, referred to as the "Kim" dump, is a 9 GB dataset that includes live bash histories, phishing domains, OCR workflows, custom stagers, and evidence of a Linux rootkit. It points to a hybrid campaign that leans on Chinese-language tools and infrastructure to target South Korean and Taiwanese networks.

Technical Analysis of the Dump Materials

Interactive Malware Development

Shell history files show the actor assembling malware with NASM in repeated compile-and-cleanup cycles, with intermediate objects deleted after each build. The pattern points to a hand-built loader and injection tool developed interactively on the box rather than dropped from a finished toolkit.

OCR-Driven Reconnaissance

OCR commands were run against Korean-language PDFs covering PKI standards and VPN configurations. By converting scanned documents to searchable text with ocrmypdf -l kor+eng, the actor could pull out certificate details and network configuration data to support spoofing and credential forgery.

Privileged Access Management (PAM) Logs

Privileged access management log entries tagged with 변경완료 ("change complete") suggest systematic rotation of high-privilege accounts, which is consistent with sustained access to a backend where the actor could observe or drive those changes.

Sophisticated Phishing Infrastructure

A network of spoofed domains mimicked Korean government portals and fronted adversary-in-the-middle (AiTM) proxies that relayed the genuine login page while capturing credentials in real time; because the proxy sits on the live session, it can also capture the session cookie issued after MFA, not just the password. Burner email accounts were used to collect the harvested credentials without tying them to durable infrastructure.
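One defensive check the phishing infrastructure described above calls for is screening newly observed domains for resemblance to the portals being impersonated. The following is an added example, not code from the dump or from the original report: the protected names, the public-suffix subset, the confusables table and the candidate domains are all constructed for illustration.

```python
"""Flag registered domains that impersonate a protected portal.

Added example for the AiTM phishing section; the protected list, suffix
table, confusables map and test domains are constructed for illustration
and are not taken from the "Kim" dump.
"""
import unicodedata
from typing import List, Tuple

# Constructed stand-ins for the Korean government portals being spoofed.
PROTECTED = ["gov.kr", "korea.kr", "gpki.go.kr"]

# Tiny subset of public suffixes; use the real Public Suffix List in production.
SUFFIXES = {"go.kr", "co.kr", "or.kr", "ac.kr", "kr", "gov.tw", "edu.tw",
            "tw", "com", "net", "org"}

# A few Cyrillic letters that render identically to Latin ones (not exhaustive).
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u043a",
                            "aeopcxyk")

# ASCII substitutions that survive a casual glance at the address bar.
ASCII_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"))


def canonical(domain: str) -> str:
    """Lower-case, trailing-dot-free, punycode decoded; nothing else folded."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode
    return d


def fold(domain: str) -> str:
    """Collapse everything a victim's eye would read as the same string."""
    d = unicodedata.normalize("NFKC", canonical(domain))
    d = "".join(ch for ch in unicodedata.normalize("NFD", d)
                if not unicodedata.combining(ch))  # strip diacritics
    d = d.translate(CONFUSABLES)
    for src, dst in ASCII_SWAPS:
        d = d.replace(src, dst)
    return d


def registered_domain(domain: str) -> str:
    """Registrable part of a hostname, using the small suffix table above."""
    labels = domain.split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return domain


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str, protected: List[str] = PROTECTED) -> Tuple[str, str]:
    """Return (verdict, protected_name): legit, lookalike, embedded or unrelated."""
    c = canonical(candidate)
    for p in protected:
        if c == p or c.endswith("." + p):
            return "legit", p                # on the genuine registered domain
    f = fold(c)
    f_reg = registered_domain(f)
    for p in protected:
        pf = fold(p)
        if f == pf or f.endswith("." + pf):
            return "lookalike", p            # differs only by confusables
        budget = 1 if len(pf) <= 7 else 2    # short names tolerate fewer edits
        if levenshtein(f_reg, registered_domain(pf)) <= budget:
            return "lookalike", p            # a typo or two away
    for p in protected:
        pf = fold(p)
        brand = pf.split(".")[0]
        if pf in f or (len(brand) >= 4 and brand in f):
            return "embedded", p             # real name reused under another registrant
    return "unrelated", ""


if __name__ == "__main__":
    # Constructed candidates, not domains observed in the dump.
    for dom in ("www.gov.kr", "g0v.kr", "g\u043ev.kr", "gpkl.go.kr",
                "korea.kr.login-secure.com", "naver.com"):
        print(f"{dom:30} -> {assess(dom)}")
```

The folding step is what catches AiTM kits that swap a single Latin letter for a Cyrillic one; the edit-distance budget is kept tight for short names so that every six-letter .kr domain does not trip it.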

Linux Rootkit Implant

The dump contains a stealthy rootkit that relies on syscall hooking and covert channels. Installed under /usr/lib64/tracker-fs/, it hides files, processes, and network ports while providing a SOCKS5 proxy and encrypted control sessions. Because it filters what userland tools see, ls, ps and ss on the compromised host cannot be trusted to confirm its absence; cross-check with a second kernel view, an offline disk image, or network-side telemetry.
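A readdir-hooking rootkit filters the entries that /proc returns, but kill(pid, 0) reaches the process table by a different syscall path that such hooks usually leave alone, so a PID that answers the probe while missing from /proc is a candidate hidden process. The hunt script below is an added example written for this section, not tooling from the dump; the install path is the one reported above, and the two-pass confirmation and thread-ID handling are design choices of the example.

```python
"""Hunt for process-hiding rootkits by comparing two kernel views of live PIDs.

Added example; it is not code from the "Kim" dump. A readdir-hooking rootkit
filters what /proc shows, while kill(pid, 0) consults the process table
directly, so a PID that passes the probe but is absent from /proc is suspect.
"""
import os
from typing import Callable, Iterable, Set

# Install path reported for the rootkit in the "Kim" dump.
ROOTKIT_PATH = "/usr/lib64/tracker-fs"


def hidden_pids(listed: Iterable[int], probe: Callable[[int], bool],
                max_pid: int) -> Set[int]:
    """Return PIDs that `probe` says exist but that are absent from `listed`.

    `listed` must contain every thread ID of every visible process, not just
    thread-group leaders: kill() on a non-leader TID succeeds on Linux, so
    leaving TIDs out yields one false positive per thread.
    """
    listed = set(listed)
    return {pid for pid in range(1, max_pid + 1)
            if pid not in listed and probe(pid)}


def proc_visible_ids() -> Set[int]:
    """All PIDs and TIDs that a plain directory walk of /proc reveals."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between listing /proc and walking its tasks
    return ids


def kill_probe(pid: int) -> bool:
    """True if the kernel knows this PID; signal 0 checks existence only."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def pid_max() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768


def confirmed_hidden() -> Set[int]:
    """Two passes, so processes that merely exited mid-scan drop out."""
    first = hidden_pids(proc_visible_ids(), kill_probe, pid_max())
    if not first:
        return set()
    visible_again = proc_visible_ids()
    return {pid for pid in first
            if pid not in visible_again and kill_probe(pid)}


def rootkit_path_present(path: str = ROOTKIT_PATH) -> bool:
    """stat() the reported install path. A file-hiding rootkit can fake
    ENOENT here, so False is not evidence of a clean host; check offline too."""
    return os.path.exists(path)


if __name__ == "__main__":
    print("rootkit path visible:", rootkit_path_present())
    hidden = confirmed_hidden()
    print("hidden PIDs:", sorted(hidden) if hidden else "none found")
```

Run it as root so the probe is not blocked by EPERM noise, and expect a full sweep up to pid_max to take several seconds on a host with a large PID space. A hit is a lead, not a verdict: confirm from outside the running kernel, since a hook on kill() itself would defeat the probe.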

Taiwan Reconnaissance

Network logs show targeted access to Taiwanese government and academic IP ranges, indicating reconnaissance aimed at internal code repositories and cloud authentication portals.

Motivation and Goals of the APT Actor

Credential Dominance and PKI Compromise

The campaign centres on the theft of GPKI certificates and plaintext passwords, which together allow the actor to impersonate legitimate identities across South Korean government systems. The approach combines credential harvesting, certificate abuse, and persistence at a level normally reserved for trusted insiders.

Expansion into Taiwan

The actor probed Taiwanese enterprise portals and exposed .git repositories, indicating a broader regional mandate for espionage and credential theft.

Hybrid DPRK–PRC Footprint

Korean-language artifacts and a UTC+9 system setting point to a DPRK origin (UTC+9 is shared by both Koreas and Japan, so it is weak evidence on its own), while the use of Chinese platforms indicates either operation from within China or reliance on PRC infrastructure.

Long-Term Persistence

Hand-compiled shellcode, rootkit deployment, and AiTM phishing reflect a blend of tactics that pairs concealment on the host with credible lures at the front door.

Recommendations

Further analysis of the "Kim" dump is expected to yield additional findings. Analysts and defenders should continue to review the exposed domains, implant paths, and credential material, and neutralize any remaining assets or infrastructure to contain this hybrid APT threat.
