VTA-00442 – North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

SentinelLabs recently observed an ongoing campaign carried out by Kimsuky, a North Korean APT group. The targets of this campaign include North Korea-focused information services, human rights activists, and organizations supporting DPRK defectors. The main objective of the campaign is to conduct file reconnaissance and exfiltrate information using a variant of the RandomQuery malware, which enables precise subsequent attacks. 

To spread the malware, Kimsuky uses specially crafted phishing emails carrying Microsoft Compiled HTML Help (CHM) files to deploy RandomQuery. The phishing emails are sent to targets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice; they ask the recipient to review an attached document, luring the victim into clicking the malicious shortcut object.

Severity:
Medium

Attack Surfaces:
Email

Tactics:
Collection, Credential Access, Defense Evasion, Discovery, Persistence, Privilege Escalation

Techniques:
T1547 – Boot or Logon Autostart Execution,
T1036 – Masquerading,
T1082 – System Information Discovery,
T1115 – Clipboard Data,
T1056 – Input Capture

Indicator of Compromise:
https://otx.alienvault.com/pulse/646cda68d4a18bba1b9f8d81

SuperPRO’s Threat Countermeasures Procedures: 
1. Add the IOC signatures to endpoint security protection as custom threat detection rules.
2. Ensure that all endpoints are protected by antivirus and antimalware software that is kept up to date with the latest signatures.
3. Perform regular backups.
4. Raise user awareness of phishing attempts.

Contributed by:  ZheAn
