For years, we have tracked the espionage threat actor we call Black Banshee (also known in open source as Kimsuky). In 2019, it launched multiple parallel cyber espionage campaigns, from large-scale credential harvesting to narrowly targeted espionage and exfiltration operations.
The foundations for this activity began in August 2018, when we observed Black Banshee setting up a substantial number of domains impersonating organisations across the government, academia, and policy sectors. This formed the basis for multiple spear-phishing and credential harvesting campaigns.
In tracking Black Banshee, we have identified a number of highly characteristic elements of the threat actor’s tools, techniques, and procedures (TTPs). In the two parts of this retrospective look at Black Banshee’s 2019 activity, we will:
Firstly, let us dive into Black Banshee’s mannerisms in setting up its infrastructure. Across 2019, it was possible to tie together different Black Banshee campaigns through the IP addresses used. For example, on numerous occasions command and control domains for Black Banshee malware resolved to IP addresses in following ranges - 185.224.137[.]0/23 and 185.224.138[.]0/23
The address 185.224.137[.]164, for one, has been used since at least December 2018 and up to January 2020 to serve at least 24 malicious Black Banshee domains, including (but not limited to):
It also hosted, between June and November 2019, the domain kakao-check[.]esy[.]es, which served as command and control (C2) for a sample of a new malware family that we call MyDogs – a RAT thought to be unique to Black Banshee, and which was first reported on in open source by AhnLab as part of its analysis on Operation Red Salt.1
Figure 1. 185.224.137[.]164 is an example of an IP that has hosted numerous Black Banshee domains – associated with different campaigns – throughout 2019 and into 2020. Some of these domains are shown here.
Among the domains used by Black Banshee, a few stood out for frequency across its campaigns.
While these domains are available for anyone to use, and not all of their subdomains are malicious, Black Banshee used subdomains on these domains multiple times across different operations. Other North Korea-based threat actors, especially APT37/Reaper, have also made use of some of the same domains (such as hol[.]es4, 890m[.]com5) throughout 2019.
Figure 2. A high-level overview of some of the connections between different 2019 Black Banshee campaigns.
Even where the subdomains’ parent domain was not the same, our analysts noticed a pattern of naming in adversary-registered infrastructure. We saw Black Banshee go down three main routes for domain naming:
Black Banshee was also consistent in the setting up of command and control server-side folders:
In tracking North Korea-based threat actor Black Banshee (also known as Kimsuky), we observed the threat actor display a series of infrastructure set-up habits. These included the use of specific IP ranges to set up actor-controlled command and control domains, the naming conventions used for such domains, and server-side folder names consistently reused by Black Banshee across its C2s.
Such habits and TTPs effectively allowed us to connect multiple campaigns through direct links and similarities in command and control infrastructure.
But that’s not all. Having connected multiple Black Banshee’s operations across 2019, we observed that distinct “clusters” of activity appeared – groups of campaigns and operations tied together by infrastructure links, similar tradecraft, shared indicators, and matching targeting.
In an upcoming blog, we will detail the connections between campaigns found across these clusters and offer strategic insight about their coherence in terms of TTPs and objectives.
1. ‘Security Issue: Analysis Report on Operation Red Salt’, in ‘ASEC Report Vol. 96 Q3 2019’, AhnLab
2. ‘Kimsuky: Tracking the King of the Spear-Phishing’, Jaeki Kim, Kyoung-Ju Kwak, Min-Chang Jang, VirusBulletin (4th October 2019)
3. Commonalities found between APT Groups “Konni” and “Kimsuky”’, EST Security (10th June 2019)
4. CTO-TIB-20181122-01A - Reaper's Hooks
5. CTO-QRT-20190424-01A - NOKKI against Norway
6. ‘Detailed Analysis of Red Eyes Hacking Group’, AhnLab, May 2018