North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

VTA-00442 – North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

SentinelLabs recently observed an ongoing campaign carried out by Kimsuky, a North Korean APT group. The targets of this campaign include North Korea-focused information services, human rights activists, and organizations supporting DPRK defectors. The main objective of the campaign is to conduct file reconnaissance and exfiltrate information using a variant of the RandomQuery malware, which enables precise subsequent attacks. 

To spread the malware, Kimsuky makes use of specially crafted phishing emails to deploy RandomQuery a utilizes Microsoft Compiled HTML Help (CHM) files. The phishing emails are sent to targets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice to request the recipient to review an attached document to lure the victims to click on the malicious shortcut object.


Attack Surfaces:

Collection, Credential Access, Defense Evasion, Discovery, Persistence, Privilege Escalation

T1547 – Boot or Logon Autostart Execution,
T1036 – Masquerading,
T1082 – System Information Discovery,
T1115 – Clipboard Data,
T1056 – Input Capture

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1. Add the IOC signature into endpoint security protection as the custom threat detection rules.
2. Ensure that all endpoints are protected by an antivirus and antimalware software that is kept up-to-date with the latest signatures.
3. Perform regular backups.
4. Raise the awareness of phishing attempts.

Contributed by:  ZheAn

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>