Kimsuky Hackers’ Playbook Uncovered in Exposed ‘Kim’ Data Dump


A rare breach attributed to a North Korean–affiliated actor named “Kim” by the leakers has unveiled unprecedented insight into Kimsuky (APT43) operations.

Dubbed the “Kim” dump, the 9 GB dataset includes active bash histories, phishing domains, OCR workflows, custom stagers, and Linux rootkit evidence, revealing a hybrid campaign that leverages Chinese-language tooling and infrastructure to target South Korean and Taiwanese networks.

This leak highlights a credential-focused intrusion model aimed at government PKI systems, advanced AiTM phishing, and deep system persistence.

Part I: Technical Analysis of the Dump Materials

Interactive Malware Development
Terminal history files demonstrate on-the-fly malware assembly using NASM for low-level shellcode, with iterative compile-and-cleanup commands. This hands-on approach underscores a bespoke loader and injection tool workflow.

OCR-Driven Reconnaissance
OCR commands processed Korean-language PDFs on PKI standards and VPN configurations. By running ocrmypdf -l kor+eng against documents like 행정전자서명_기술요건_141125.pdf, the actor extracted certificate and network configuration data for spoofing and credential forgery.

Privileged Access Management (PAM) Logs
PAM log entries tagged with 변경완료 (“change complete”) reveal systematic rotations of high-privilege accounts (oracle, svradmin, app_adm01), pointing to sustained backend access.

Sophisticated Phishing Infrastructure
A network of spoofed domains (nid-security[.]com, webcloud-notice[.]com, koala-app[.]com) mimicked Korean government portals, deploying AiTM proxies to capture credentials in real time. Burner emails (e.g., jeder97271[@]wuzak[.]com) facilitated stealth credential collection.

Linux Rootkit Implant
The dump contains a stealthy rootkit (vmmisc.ko) using syscall hooking and covert channels. Installed in /usr/lib64/tracker-fs/, it conceals files, processes, and network ports while offering SOCKS5 proxy, PTY backdoor shells, and encrypted control sessions via a password-protected client binary.

Taiwan Reconnaissance
Network logs show targeted access to Taiwanese government and academic IPs (.tw domains and direct .git crawls), indicating supply-chain reconnaissance aimed at internal repositories and cloud authentication portals.

More sophisticated spoofing was seen in sites that emulated official government agencies like dcc.mil[.]kr, spo.go[.]kr, and mofa.go[.]kr.

Domains created by dysoni91@tutamail[.]com.

Part II: Motivation and Goals of the APT Actor

Credential Dominance and PKI Compromise
Central to the campaign is the theft of GPKI certificates (e.g., 136백운규001_env.key) and plaintext passwords, enabling identity spoofing across South Korean government systems. OCR-extracted policy language and PAM logs confirm a strategy of credential harvesting, certificate abuse, and insider-level persistence.

Domain connections map.

Expansion into Taiwan
Beyond Korea, the actor probed Taiwanese enterprise portals (tw.systexcloud[.]com, mlogin.mdfapps[.]com) and .git repositories (caa.org[.]tw), signaling an expanded regional mandate for espionage, supply-chain infiltration, and credential theft.

Hybrid DPRK–PRC Footprint
Localized Korean-language artifacts and UTC+9 system settings point to DPRK origin, while extensive use of Chinese platforms (Gitee, Baidu, Zhihu) and simplified Chinese browsing behavior indicate either physical operation within China or PRC infrastructure support. This fusion amplifies reach and obfuscates attribution.

Screen shot of the adversary’s desktop VM.

Long-Term Persistence
Manual shellcode compilation, rootkit deployment, and AiTM phishing reflect a blend of old-school tactics with modern deception. The operator’s cultural camouflage—embedded in Chinese social media artifacts—further conceals their true identity and enables more credible lures.

Part III: CTI Report Compartment for Analysts

Tactics, Techniques, and Procedures (TTPs)

  • NASM-based shellcode development and hash-resolved API calls.
  • OCR extraction of Korean PKI and VPN documentation.
  • AiTM phishing via TLS proxies and burner emails.
  • Linux rootkit with syscall hooking and encrypted backdoor.
  • Direct reconnaissance of Taiwanese .git repositories.

Recommendations

  • Monitor for NASM toolchain artifacts on developer hosts.
  • Detect OCR tool usage against sensitive PDF collections.
  • Block and sinkhole known phishing domains and AiTM proxies.
  • Employ file-integrity monitoring on suspicious rootkit paths.
  • Audit PAM and SSH logs for unauthorized “변경완료” entries.
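As an added example that is not part of the original report, the following Python script turns the recommendations above into simple detection rules and runs them over constructed audit-style log lines. The log format, rule names and sample values are assumptions; the indicators themselves (nasm, ocrmypdf -l kor+eng, /usr/lib64/tracker-fs/vmmisc.ko, 변경완료 PAM entries and the three privileged accounts) are taken from the report.

```python
import re

# Constructed sample lines in an auditd-like EXECVE / PAM style (not from the dump).
SAMPLE_LINES = [
    'type=EXECVE uid=1001 comm="nasm" a0="nasm" a1="-f" a2="elf64" a3="stage.asm"',
    'type=EXECVE uid=1001 comm="ocrmypdf" a0="ocrmypdf" a1="-l" a2="kor+eng" '
    'a3="행정전자서명_기술요건_141125.pdf" a4="out.pdf"',
    'type=EXECVE uid=0 comm="insmod" a0="insmod" a1="/usr/lib64/tracker-fs/vmmisc.ko"',
    'type=PAM account=oracle status=변경완료 changed_by=app_adm01 ticket=none',
    'type=PAM account=svradmin status=변경완료 changed_by=helpdesk ticket=CHG-0042',
    'type=EXECVE uid=1002 comm="gcc" a0="gcc" a1="-o" a2="hello" a3="hello.c"',
]

# Accounts named in the report's PAM logs; rotations without a change ticket are suspect.
PRIVILEGED_ACCOUNTS = {"oracle", "svradmin", "app_adm01"}

# Each rule: (finding name, compiled regex). Kept deliberately narrow to limit noise.
RULES = [
    ("nasm_toolchain", re.compile(r'comm="(nasm|yasm)"')),
    ("ocr_of_korean_pdf", re.compile(r'comm="ocrmypdf".*\bkor\b')),
    ("rootkit_path", re.compile(r'/usr/lib64/tracker-fs/|vmmisc\.ko')),
]

PAM_RX = re.compile(r'type=PAM account=(\S+) status=변경완료 .*ticket=(\S+)')


def check_pam(line):
    """Flag a 변경완료 rotation of a privileged account that has no change ticket."""
    m = PAM_RX.search(line)
    if not m:
        return None
    account, ticket = m.group(1), m.group(2)
    if account in PRIVILEGED_ACCOUNTS and ticket == "none":
        return "unapproved_privileged_rotation"
    return None


def scan(lines):
    """Return (line number, finding name) pairs for every rule that matches."""
    findings = []
    for number, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((number, name))
        pam_hit = check_pam(line)
        if pam_hit:
            findings.append((number, pam_hit))
    return findings


if __name__ == "__main__":
    for number, name in scan(SAMPLE_LINES):
        print(f"line {number}: {name}")
```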

Without doubt, further analysis of the “Kim” dump will unveil additional novel insights. Analysts and defenders should continue reviewing and neutralizing any remaining burned assets or cloned infrastructures to curtail this evolving hybrid APT threat.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.