| PAEKTUSAN | |
| --- | --- |
| Location | North Korea |
| Date of initial activity | 2020 |
| Suspected Attribution | State-Sponsored Threat Group |
| Government Affiliation | Yes |
| Motivation | Cyberwarfare |
| Software | Windows |
Overview
PAEKTUSAN, a North Korean government-backed threat actor, is a significant player in the cyber espionage landscape, with operations extending globally and a particular focus on high-value targets. Known for its sophisticated and methodical approach, PAEKTUSAN has been active for several years, primarily running campaigns designed to gather intelligence and exploit sensitive information. The group has drawn attention because of its complex operational tactics and its ability to adapt to evolving security environments.
Operating under the auspices of the North Korean regime, PAEKTUSAN has demonstrated a consistent interest in sectors of strategic importance, including aerospace, defense, and financial services. Their campaigns are characterized by a high degree of precision, leveraging various social engineering techniques and technical exploits to infiltrate target systems. The group’s activity often involves phishing schemes that use carefully crafted lures to deceive recipients into divulging confidential information or installing malicious software. This method of operation highlights PAEKTUSAN’s reliance on both human psychology and technical prowess to achieve its objectives.
PAEKTUSAN’s operations are not limited to traditional espionage targets but extend into areas such as recruitment and job-related scams. The group has been known to create fake job postings and employment offers to entice individuals into downloading and executing malicious payloads. This tactic is part of a broader strategy to gain unauthorized access to valuable data, which can be used for further espionage or to destabilize target organizations. The group’s ability to blend into legitimate communication channels underscores the sophistication of its operations and its capacity to evade detection.
Common targets
Brazil - Public Administration
Finance and Insurance
Information
Attack vectors
Phishing
How they operate
Initial Access and Execution
PAEKTUSAN often begins its attacks through meticulously crafted phishing campaigns. These phishing attempts typically involve spear-phishing emails with malicious attachments or links designed to exploit vulnerabilities in the victim’s system. Once a target interacts with these deceptive messages, the threat actor can deliver malware, often leveraging malicious files or documents embedded with macros. This approach allows PAEKTUSAN to exploit command and scripting interpreters, such as PowerShell or command-line interfaces, to execute further commands on compromised systems. The use of these techniques facilitates a seamless execution process, enabling the threat actor to gain control over the victim’s environment quickly.
Persistence and Privilege Escalation
Maintaining a foothold within the compromised network is crucial for PAEKTUSAN, and they employ various persistence mechanisms to achieve this. One common method involves modifying registry run keys or startup folders, ensuring that their malware persists even after system reboots. Additionally, PAEKTUSAN may use scheduled tasks or jobs to automate the execution of malicious code at predetermined intervals. For privilege escalation, the threat actor exploits known software vulnerabilities to elevate their access rights. This exploitation may involve sophisticated techniques such as access token manipulation, allowing PAEKTUSAN to bypass standard security measures and gain higher-level privileges on the victim’s system.
Defense Evasion and Credential Access
To evade detection, PAEKTUSAN uses several defense evasion techniques. Obfuscation of files and information is a primary method, making it challenging for security solutions to identify and analyze their malware. The group may also employ masquerading techniques to disguise their malicious files or processes as legitimate system components. For credential access, PAEKTUSAN utilizes methods such as credential dumping and keylogging. By dumping credentials from system memory or files, the threat actor can obtain sensitive information necessary for further network infiltration. Keylogging activities also capture user credentials, providing PAEKTUSAN with additional means to access and navigate through the compromised environment.
Discovery, Lateral Movement, and Exfiltration
Once inside the network, PAEKTUSAN conducts thorough discovery operations to map out the environment. Techniques such as system information discovery and network service scanning help them identify valuable targets and potential vulnerabilities. For lateral movement, the threat actor often exploits Remote Desktop Protocol (RDP) and Windows Admin Shares to traverse the network and access additional systems. When it comes to data exfiltration, PAEKTUSAN employs methods such as exfiltration over command and control channels or alternative protocols, ensuring that stolen data is transferred out of the network discreetly. This careful selection of exfiltration techniques highlights the group’s emphasis on maintaining operational security while achieving their espionage objectives.
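The initial access and persistence behaviours described above (an Office document handing off to a scripting interpreter, a Run key pointing into a user profile, a scheduled task created by that same payload) can be expressed as simple host-telemetry checks. The following detector is an added example written for this page, not code from the original profile or from any vendor; the Sysmon-style events, paths, task name and user are constructed for illustration and are not PAEKTUSAN indicators.

```python
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RUN_KEY = r"\microsoft\windows\currentversion\run"   # also matches RunOnce

# Constructed, Sysmon-style events used as sample input; the paths, task name
# and user are invented for this example and are not indicators from the page.
SAMPLE_EVENTS = [
    {"event": "process_create", "user": r"CORP\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc <base64 omitted>"},
    {"event": "registry_set", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Roaming\update.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\jdoe\AppData\Roaming\update.exe"},
    {"event": "process_create", "user": r"CORP\jdoe",
     "parent": r"C:\Users\jdoe\AppData\Roaming\update.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Updater /tr C:\Users\jdoe\AppData\Roaming\update.exe'},
    {"event": "process_create", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()   # lower-cased file name of a Windows path

def analyse(events):
    """Return (technique, description, evidence) tuples for suspicious events."""
    findings = []
    for e in events:
        if e["event"] == "process_create":
            parent, image = basename(e["parent"]), basename(e["image"])
            # Macro-laden document handing off to a scripting interpreter.
            if parent in OFFICE_APPS and image in INTERPRETERS:
                findings.append(("T1566/T1059", f"{parent} spawned {image}", e["cmdline"]))
            # Scheduled task creation; the parent tells you who asked for it.
            if image == "schtasks.exe" and "/create" in e["cmdline"].lower():
                findings.append(("T1053", f"task created by {parent}", e["cmdline"]))
        elif e["event"] == "registry_set":
            # Run-key entry whose target lives in a user profile directory.
            if RUN_KEY in e["key"].lower() and "\\appdata\\" in e["value"].lower():
                findings.append(("T1060", "Run key targets user profile", e["value"]))
    return findings

def analyse_jsonl(text):
    """Same checks over newline-delimited JSON, the usual log export format."""
    return analyse(json.loads(line) for line in text.splitlines() if line.strip())
```

Each finding is tagged with the technique ID the page lists, so the output can be mapped straight back to the table below; in production the Run-key and task checks would be tuned with an allow-list of known installers.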
MITRE Tactics and Techniques
Initial Access
Phishing (T1566): PAEKTUSAN frequently uses phishing campaigns to gain initial access to victim networks. This includes spear-phishing emails with malicious attachments or links.
Drive-by Compromise (T1189): The group may use compromised websites to exploit vulnerabilities in browsers or plugins to deliver malware.
Execution
Command and Scripting Interpreter (T1059): PAEKTUSAN often leverages command-line interfaces and scripting languages to execute malicious commands on compromised systems.
Malicious File (T1203): The use of malicious files, such as documents with embedded macros, to execute malware is common.
Persistence
Registry Run Keys / Startup Folder (T1060): PAEKTUSAN may use registry keys or startup folders to maintain persistence on infected systems.
Scheduled Task/Job (T1053): Creating scheduled tasks or jobs to ensure the persistence of malware.
Privilege Escalation
Exploitation for Privilege Escalation (T1068): The group may exploit vulnerabilities in software to gain higher privileges on a system.
Access Token Manipulation (T1134): Techniques to manipulate access tokens to escalate privileges.
Defense Evasion
Obfuscated Files or Information (T1027): PAEKTUSAN uses obfuscation techniques to hide malware and evade detection.
Masquerading (T1036): The group may disguise malicious files or processes to avoid detection.
Credential Access
Credential Dumping (T1003): Techniques for dumping credentials from memory or files to gain access to further systems.
Keylogging (T1056): Utilizing keylogging to capture user credentials.
Discovery
System Information Discovery (T1082): Gathering system information to better understand the environment and identify valuable targets.
Network Service Scanning (T1046): Scanning the network to identify services and potential vulnerabilities.
Lateral Movement
Remote Desktop Protocol (T1076): Using RDP to move laterally across the network.
Windows Admin Shares (T1077): Exploiting administrative shares for lateral movement.
Collection
Data Staged (T1074): Staging data for exfiltration by collecting and aggregating it in a specific location.
Screen Capture (T1113): Capturing screenshots to gather information from the victim’s system.
Exfiltration
Exfiltration Over Command and Control Channel (T1041): Sending stolen data through the same channel used for command and control to avoid detection.
Exfiltration Over Alternative Protocol (T1048): Using non-standard protocols for data exfiltration to evade network monitoring.
Impact
Data Encrypted for Impact (T1486): Encrypting data to disrupt access. Although this is more common in other types of attacks, it can be part of PAEKTUSAN’s operations if the group aims to destroy or obscure data.