
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware
The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a specialized malware called RandomQuery as part of a reconnaissance and information exfiltration operation.
“Recently, Kimsuky has been consistently distributing custom malware as part of a reconnaissance campaign to enable later attacks,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.
The ongoing targeted campaign, according to the cybersecurity firm, is primarily aimed at information services as well as organizations supporting human rights activists and North Korean defectors.
Kimsuky, active since 2012, has demonstrated targeting patterns that align with North Korea’s operational mandate and priorities.
Intelligence gathering missions have involved the use of a variety of malware, including another reconnaissance program called ReconShark, as detailed by SentinelOne earlier this month.
The most recent activity cluster associated with the group started on May 5, 2023, and leverages a variant of RandomQuery specifically designed for enumerating files and exfiltrating sensitive data.
RandomQuery, along with FlowerPower and AppleSeed, is among the most frequently distributed tools in Kimsuky's arsenal, serving both as an information stealer and as a conduit for delivering remote access trojans such as TutRAT and xRAT.
The attacks began with phishing emails purporting to be from Daily NK, a leading Seoul-based online publication covering North Korean affairs, to entice potential targets to open a Microsoft Compiled HTML Help (CHM) file.
It should be noted that CHM files have also been adopted as a lure by another North Korean nation-state actor referred to as ScarCruft.
Launching the CHM file leads to the execution of a Visual Basic Script, which issues an HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript variant of RandomQuery.
The malware then proceeds to harvest system metadata, running processes, installed applications, and files from different folders, all of which are sent back to the command-and-control (C2) server.
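As an added illustration (not code from the article or from SentinelOne's report), the following Python sketches how a detection engineer might flag the delivery chain described above: hh.exe, the Windows CHM viewer, spawning a script host, followed by outbound network activity from that process or one of its descendants. The event records are constructed here, and the field names are a simplified assumption loosely modelled on Sysmon process-creation and network-connection logs; the rule is generic to CHM-launched script hosts and contains nothing specific to RandomQuery itself.

```python
import ntpath
from typing import Dict, Iterable, List

# Windows binaries that render Compiled HTML Help (CHM) files.
CHM_HANDLERS = {"hh.exe"}

# Script hosts and LOLBins that a CHM's embedded HTML/script can be made to launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "cmd.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    # ntpath splits on backslashes regardless of the host OS the detector runs on.
    return ntpath.basename(path).lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Flag (1) a CHM handler parenting a script host, (2) further processes
    spawned under that script host, and (3) outbound connections from any of them.

    Events must arrive in chronological order so that a process is known to be
    suspicious before its network activity is seen (true for a live event stream).
    """
    alerts: List[Dict] = []
    suspicious_pids = set()

    for ev in events:
        if ev["type"] == "process":
            parent = _basename(ev.get("parent_image", ""))
            child = _basename(ev.get("image", ""))
            if parent in CHM_HANDLERS and child in SCRIPT_HOSTS:
                rule = "chm_spawned_script_host"
            elif ev.get("ppid") in suspicious_pids:
                rule = "descendant_of_chm_script_host"
            else:
                continue
            suspicious_pids.add(ev["pid"])
            alerts.append({"rule": rule, "pid": ev["pid"], "image": child,
                           "cmdline": ev.get("cmdline", "")})

        elif ev["type"] == "network" and ev["pid"] in suspicious_pids:
            # The second stage is fetched over HTTP and collected data is sent to
            # the C2; any egress from the flagged process tree is worth an alert.
            alerts.append({"rule": "chm_script_host_egress", "pid": ev["pid"],
                           "dest": f"{ev['dest_ip']}:{ev['dest_port']}"})

    return alerts


# Constructed sample telemetry (assumption: simplified Sysmon-like fields).
# 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1001, "ppid": 900,
     "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"hh.exe C:\Users\user\Downloads\report.chm"},
    {"type": "process", "pid": 1002, "ppid": 1001,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r"wscript.exe //B C:\Users\user\AppData\Local\Temp\s.vbs"},
    {"type": "network", "pid": 1002, "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"type": "process", "pid": 1004, "ppid": 1002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -nop -c ..."},
    # Benign: a logon script run by explorer.exe that also talks to the network.
    {"type": "process", "pid": 1003, "ppid": 900,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\map_drives.vbs"},
    {"type": "network", "pid": 1003, "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three alerts for the hh.exe process tree (the wscript.exe spawn, its HTTP egress, and the powershell.exe child) and none for the explorer.exe-launched script, which has identical image names but a different parent. In production the same logic would sit in a SIEM or EDR rule keyed on parent image rather than in a script, and the descendant rule should be paired with a process-tree timeout so that long-lived PIDs do not keep matching after reuse.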
“The campaign also demonstrates the group’s consistent approach to delivering malware via CHM files,” the researchers said.
“This incident underscores the ever-changing landscape of North Korean threat groups, whose powers include not only political espionage but also sabotage and financial threats.”
The findings arrived days after the AhnLab Security Emergency Response Center (ASEC) uncovered a watering hole attack carried out by Kimsuky that involved setting up a webmail system mimicking the one used by a national policy research institute, in order to harvest credentials entered by victims.
In a related development, Kimsuky has also been linked to attacks that weaponized vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework, which was then used to deploy Go-based proxy malware.