While tracking the Kimsuky group, which has remained active since the Korea Hydro & Nuclear Power (KHNP) cyber attack, we discovered a malware family called "AppleSeed" in the wild and presented its details at VB2019 (https://www.virusbulletin.com/conference/vb2019/abstracts/kimsuky-group-tracking-king-spear-phishing).
Since then, AppleSeed, together with simple pivoting between servers, has continued to claim new victims; those cases have been reported in technical articles by security vendors and in social-media posts by security practitioners. However, although AppleSeed is still active in the wild, the full attack chain that leverages it has not yet been clearly disclosed.
To shed some light on this sophisticated attack scenario, we conducted an in-depth analysis of the full AppleSeed attack chain, from initial intrusion to final impact, in the cases targeting scientific and engineering researchers, and named it "Operation Newton".
In our analysis we identified the initial intrusion method, the tools used in the attack (including AppleSeed) and the infrastructure, such as C&C servers. We also discovered and analysed artifacts from attacks targeting platforms other than Windows, namely Linux environments.
Using first-hand artifacts and IoCs obtained while investigating actual AppleSeed incidents, rather than data gathered from OSINT sources, we also correlated these cases with other attacks (incidents) attributed to the Kimsuky group.
In the course of tracking AppleSeed we discovered an attacker mistake (an OPSEC failure) beyond what has previously been disclosed.
We will also share information about the "mobile version of AppleSeed" and the previously undisclosed server-side scripts, which help in understanding and analysing the malware's communication method and the configuration of its servers.
In this presentation we provide threat intelligence on the Kimsuky group by sharing these previously unknown details.
Got a question about this presentation? To get in touch with the speakers, contact Jaeki Kim by email on [email protected] or on Twitter at @2runjack2.