VTA-00442 – North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware
SentinelLabs recently observed an ongoing campaign carried out by Kimsuky, a North Korean APT group. The targets of this campaign include North Korea-focused information services, human rights activists, and organizations supporting DPRK defectors. The main objective of the campaign is to conduct file reconnaissance and exfiltrate information using a variant of the RandomQuery malware, which enables precise subsequent attacks.
To spread the malware, Kimsuky makes use of specially crafted phishing emails to deploy RandomQuery a utilizes Microsoft Compiled HTML Help (CHM) files. The phishing emails are sent to targets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice to request the recipient to review an attached document to lure the victims to click on the malicious shortcut object.
Collection, Credential Access, Defense Evasion, Discovery, Persistence, Privilege Escalation
T1547 – Boot or Logon Autostart Execution,
T1036 – Masquerading,
T1082 – System Information Discovery,
T1115 – Clipboard Data,
T1056 – Input Capture
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Add the IOC signature into endpoint security protection as the custom threat detection rules.
2. Ensure that all endpoints are protected by an antivirus and antimalware software that is kept up-to-date with the latest signatures.
3. Perform regular backups.
4. Raise the awareness of phishing attempts.
Contributed by: ZheAn