To catch a Banshee: how Kimsuky’s tradecraft betrays its complementary campaigns and mission

Sveva Vittoria Scenarelli (PwC)
Live only, 18:15 - 18:45 UTC, Day 1 (Wednesday 30 September 2020)
No little amount of digital ink has been spilled to expose the operations of Black Banshee (a.k.a. Kimsuky), a long-running North Korea-based advanced persistent threat active since at least 2012. Throughout 2019 and 2020, Black Banshee has ramped up its targeting, both in terms of the number of attacks and its victims across the government, defence, education and media sectors. All the while, Black Banshee’s tools and tradecraft have evolved and diversified across different operations. Numerous reports have highlighted specific parts of Black Banshee’s activity – be it the BabyShark campaign, or Black Banshee’s new AppleSeed (a.k.a. AutoUpdate) malware.

But how do Black Banshee’s tools, infrastructure, targeting and strategic objectives intersect? How do they connect Black Banshee’s campaigns in a tight-knit web of activity? And what function do Black Banshee’s multiple, contemporary, interconnected campaigns perform in the wider landscape of North Korea-based cyber threats?

This presentation aims to offer a more comprehensive and higher-level understanding of Black Banshee’s TTPs and mission by answering the questions above – and to highlight how Black Banshee’s campaigns work in complementary ways to achieve strategic objectives in line with the national interests of North Korea. Attendees will also come away with a summary of what we know of Black Banshee’s recent and latest malware (such as the AppleSeed backdoor and the PowerShell victim fingerprinting tool FlowerPower), as well as of the threat actor’s approach to refactoring its tools and introducing new ones. They will also gain directly actionable intelligence about Black Banshee’s present modus operandi in setting up command-and-control infrastructure, and about how to identify Black Banshee C2 domains and phishing pages – so they can start hunting as soon as the talk is over.
Sveva Vittoria Scenarelli (PwC)

As a senior analyst in PwC’s Threat Intelligence team, Sveva focuses on tracking advanced persistent threats, connecting international espionage campaigns across time through infrastructure hunting and comparative malware analysis. Sveva will co-present at CONFidence Online 2020 on the Lazarus Group, spoke at CyberThreat 2019 and the Global Undergraduate Awards, and is a SANS Threat Intelligence Lethal Forensicator - but before discovering her passion for reverse-engineering, she used to be in the field of comparative literature, which may explain why she spends inordinate amounts of free time writing essays on cyberpunk literature and culture.