North Korean Kimsuky Hackers Use New ReconShark Recon Tool in Latest Cyber Attacks
North Korea's state-sponsored threat actor known as Kimsuky has been observed using a new reconnaissance tool called ReconShark as part of an ongoing global campaign.
“(ReconShark) is actively being sent to specifically targeted individuals via spear-phishing emails, OneDrive links leading to document downloads, and malicious macro executions,” SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said.
Kimsuky is also known under the names APT43, ARCHIPELAGO, Black Banshee, Nickel Kimball, Emerald Sleet (formerly Thallium), and Velvet Chollima.
Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic institutions, military organizations, economic groups, and research entities across North America, Asia, and Europe.
The latest intrusion set documented by SentinelOne uses the geopolitical theme of North Korea's nuclear proliferation as the lure that triggers the infection sequence.
“Notably, spear-phishing emails were created with a level of design quality tailored to a specific individual, increasing the likelihood of being opened by the target,” the researchers said. “This includes proper formatting, grammar, and visual cues, appearing legitimate to the unsuspecting user.”
These messages contain links to booby-trapped Microsoft Word documents hosted on OneDrive that deploy ReconShark, which functions primarily as a reconnaissance tool executing instructions sent from actor-controlled servers. It is an evolution of the threat actor's BabyShark malware suite.
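A triage check a defender can run on documents fetched from links like the ones described above, added here as an example and not taken from SentinelOne's report or from the Kimsuky tooling. It inspects the file's contents rather than its extension: an Open XML Word document (.docx/.docm) is a zip package, and if it carries VBA macros the package contains a `word/vbaProject.bin` part; a legacy binary .doc is an OLE2 container (magic bytes D0CF11E0A1B11AE1) and is only flagged for separate analysis with a tool such as oletools. The sample packages built by `make_sample_docm` are constructed in memory for the demonstration and are not real lure documents.

```python
"""Classify a downloaded Word document by container type and macro presence.

Added example (not part of the original article). Assumes Office Open XML
packaging: a Word package has word/document.xml, and VBA lives in
word/vbaProject.bin. Legacy OLE2 .doc files are only flagged, not parsed.
"""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office container
VBA_PART = "word/vbaProject.bin"                 # where OOXML Word stores VBA


def classify_word_document(data: bytes) -> str:
    """Return one of:
      "ooxml-word-macros"    - Open XML Word package carrying a VBA project
      "ooxml-word-no-macros" - Open XML Word package without VBA
      "ooxml-other"          - Open XML package that is not a Word document
      "legacy-ole2"          - binary .doc/.xls/.ppt container; hand to oletools
      "not-office"           - neither container format
    Only the bytes are examined, so a macro-enabled package renamed to .docx
    is still reported as carrying macros.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole2"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "not-office"
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
    if "word/document.xml" not in names:
        return "ooxml-other"
    return "ooxml-word-macros" if VBA_PART in names else "ooxml-word-no-macros"


def make_sample_docm(with_macros: bool) -> bytes:
    """Build a minimal, constructed Open XML Word package in memory so the
    classifier can be exercised offline. The VBA part is placeholder bytes,
    not a real macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr(VBA_PART, b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "macro-enabled package": make_sample_docm(True),
        "plain package": make_sample_docm(False),
        "legacy OLE2 header": OLE2_MAGIC + b"\x00" * 16,
        "unrelated bytes": b"not an office file",
    }
    for label, blob in samples.items():
        print(f"{label}: {classify_word_document(blob)}")
```

Anything classified as `ooxml-word-macros` or `legacy-ole2` that arrived via an unsolicited link deserves detonation in a sandbox rather than a double-click; the check is a first filter, not a verdict, since a document can also fetch its payload through a remote template rather than embedded VBA.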
“It exfiltrates system information to the C2 server, maintains persistence on the system, and awaits further instructions from the operator,” Palo Alto Networks Unit 42 said in its analysis of BabyShark in February 2019.
ReconShark is specifically designed to extract details about running processes, deployed detection mechanisms, and hardware information, indicating that the data it collects is used to carry out “precision attacks” with malware tailored to the target environment so as to evade detection.
The malware is also capable of deploying additional payloads from the servers depending on “what detection mechanism processes are running on the infected machine.”
These findings add to growing evidence that the threat actor actively changes tactics to gain a foothold on compromised hosts, build persistence, and silently gather intelligence over long periods of time.
“Kimsuky’s continued attacks and use of a new reconnaissance tool, ReconShark, highlight the evolving nature of North Korea’s threat landscape,” SentinelOne said.