Kimsuky APT Group Distributes Fake Security App Disguised as KISA Security Program

Kimsuky APT Group Distributes Fake Security App Disguised as KISA Security Program 

The North Korean advanced persistent threat (APT) group Kimsuky has been found to be distributing a fake Korean Internet and Security Agency (KISA) app via malicious emails. In a recent tweet, a mobile malware researcher has shared information about a fake KISA vaccine or security android app disguised as the KISA security program. 

When the target downloads the APK implanted file from the email and installs the application on his device, the malicious code does its job. It executes in the background without the target’s knowledge and collects sensitive information from his device. 

The Kimsuky group is a cyber espionage group with suspected ties to North Korea and well known for its cyber terrorism attacks from 2014. The group, also referred to as Black Banshee, Thallium, and Velvet Chollima, continues to be involved in many spear phishing attacks. In addition to  spear phishing, the group also uses watering hole attacks to extract the desired information from victims. It targets both individuals and organizations around South Korea, Japan, and the United States. Various spearphishing and social engineering methods are employed to obtain the initial access to a user’s networks. In the spear phishing attack, the group sends emails embedded with malicious attachments to the targets. The malicious scripts are executed when the user accesses the attachment.  

The APT group steals web hosting credentials from victims to host their malicious scripts and tools. These stolen credentials are later used to create subdomains mirroring legitimate sites and services such as Google or Yahoo mail. 
 

The Kimsuky PT group customizes its spear phishing campaigns and makes use of individually designed approaches to effectively personalize messages to the target. Some of the common trending topics the group has taken advantage of including COVID-19, the nuclear program, and media interviews depending on the target. At first, the group sends malicious emails to targets with the intention of building their trust. Once trust is established, it sends a follow-up email with the malicious attachment or link. Researchers have identified various approaches used by the group. One of the approaches is as follows: 

• Attackers send gentle interview-themed emails impersonating reporters, luring the target with a scheduled interview date to build rapport.  
• Once the recipient agrees to an interview, the APT group sends a malicious document in an email, either as a Google Drive link within the mail body or as an attachment. 

Other methods used by the Kimsuky APT group are as follows: 

• Security-themed phishing emails 
• Watering hole attacks 
• Malware distributed through torrent sharing sites. 
• Browser extensions 

Once the threat actor gets access to the victim’s device/network, it collects the following information: 

• Device information and user’s sensitive details from the device such as location tracking and login credentials and corresponding passwords. 
• Remote Access Connections 
• Keyloggers 

The sensitive data collected by the threat actor can be misused to perform the following actions: 

• Downloading/Uploading files from the device 

• Launching DDOS attacks 
• Running/Terminating the process 

On scanning the downloaded file through VirusTotal, it turned out to be “A Variant of Android/Spy.Agent.BQS” detected by some reliable antivirus signatures, as shown in Figure 1. 

Figure 1 VirusTotal Detections of the App 

Technical Analysis: 

 
The malware application used for our analysis: fe1a734019f0dc714bd3360e2369853ea97c02f108afe963769318934470967b 
 

Package Name: com.kisa.mobile_security 

Main Activity: com.kisa.mobile_security.activity.LaunchActivity 

On performing the static analysis of the app we found that the malware is similar to the Cerberus Banking Trojan malware, which also steals victim data to access their bank accounts. The permissions used by this malware are listed in Figure 2. 
 

Figure 2 Permission requested by the app 

We also performed the dynamic analysis and discovered that the app requests users to enable the required permissions and services through the pop-up message to get full access to the app. Once the user enables the permissions, the application keeps loading and displays the main screen, as shown in Figures 3 and 4. 

Figure 3 Permission Pop-up to read files, call history, and messages from Victim’s device 

Figure 4 Apps main screen post enabling the permissions 

Some of the applications’ permissions, services, and receivers that may perform malicious activities are listed below: 

Permissions 

• android.permission.SEND_SMS 

• android.permission.READ_PHONE_STATE 
• android.permission.RECEIVE_SMS 
• android.permission.INTERNET 
• android.permission.WRITE_EXTERNAL_STORAGE 
• android.permission.READ_SMS 

• android.permission.PACKAGE_USAGE_STATS 

Services: 

• com.kisa.mobile_security.service.MainService 

Receivers: 

• com.kisa.mobile_security.broadcastreceiver.BootCompletedBroadcastReceiver 

• com.kisa.mobile_security.broadcastreceiver.MyPackageReplacedBroadcastReceiver 
• com.kisa.mobile_security.broadcastreceiver.SmsReceivedBroadcastReceiver 
• com.kisa.mobile_security.broadcastreceiver.InstallBroadcastReceiver 

Intent Filters by Action: 

• android.intent.action.MAIN 

• android.intent.action.MY_PACKAGE_REPLACED 
• android.intent.action.BOOT_COMPLETED 
• android.intent.action.PACKAGE_INSTALL 
• android.provider.Telephony.SMS_RECEIVED 

The app uses the permissions granted by the users, to perform activities on the users’ devices as discussed below: 

1. Tracking the user’s location from the compromised device. 

Figure 5 Tracks the last known location 

2. Adding an overlay to other apps using Windows Manager using a code snippet shown below. 

Figure 6 Adds Overlay to the other apps 

3. Sending messages through SMS Manager by creating a temporary file directory path. 

Figure 7 Sends SMS through SMS Manager 

4. Reading the Operating systems files from the victim machine and executing the code in listing/deleting files from the device. 

Figure 8 List and deletes the files from the device 

5. Tracking the Service/Receiver that are registered post device reboot. 

Figure 9 Registers the service/receiver on phone reboot 

6.  Detecting and storing the operating system language and device details. 

Figure 10 Collects device ID and details from Victims Device 

7. Collecting and updating the sensitive information to the C2 server. 

Figure 11 Collects the data and store it in string 

Figure 12 Stores sensitive information in the background without the user’s knowledge by encrypting the strings 

8. Reading and storing the SMS data from the Victim’s device and later uploading it to the C2 link. 

Figure 13 Collects SMS data from user’s device 

We observed that the application has multiple encrypted strings. These have been encrypted using the XOR mechanism following the UTF-8 method, as shown in Figure 14. 

Figure 14 Encryption Technique 

Our research also indicated that the above encryption technique was implemented in a number of classes and methods. 

Figure 15 Encrypted strings using encryption technique 

On decrypting the encrypted strings, we were able to find the C2 link through which the application communicates and uploads the collected data to the server. 

Below are the identified links through which the application communicates: 

• hxxp://app.at-me.ml/index.php?m=d&p1=56d92eaa24f68947 
• hxxp://app.at-me.ml/index.php?m=b&p1=56d92eaa24f68947&p2=a 

CC: http[:]//app.at-me[.]ml/ 

Safety Recommendations: 

1. Verify the privileges and permissions requested by apps before granting access. 

2. It is always wise to install mobiles applications only from trusted application stores. 

3. Keep your antivirus software updated to detect and prevent malware infections. 

4. Keep your system and applications updated. 

5. Use strong passwords and enable two-factor authentication during logins. 

6. People concerned about the exposure of their stolen credentials in the darkweb can register at AmIBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic	Technique ID	Technique Name
Defense Evasion	T1406	1. Obfuscated Files or Information
Credential access	T1412	1. Capture SMS Message
Discovery	T1430 T1426	1.  Location Tracking 2. System Information Discovery
Collection	T1430 T1412	1. Location Tracking 2. Capture SMSes
Command and Control	T1573 T1071 T1571	1. Encrypted Channel 2. Application Layer Protocol 3. Non-Standard Port
Impact	T1447 T1448	1. Delete Device Data 2. Carrier Billing Fraud

Indicators of Compromise (IoCs): 

IOC	IOC Type
fe1a734019f0dc714bd3360e2369853ea97c02f108afe963769318934470967b	SHA256
hxxp://app.at-me.ml/index.php	Interesting URL
hxxp://app.at-me.ml/index.php?m=c&p1=3666e8b2182d8249	Interesting URL
104.128.239[.]70	IP address (communicating IP)
/data/app/com.kisa.mobile_security-Z9mIUcgYoUAN6N3Hbf2nnQ==/base.apk	File path dropped.

About Cyble: 
 
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.