Threat actors are always looking for new tricks and tactics to access systems, and the North Korean Kimsuky hacking group is no different. Their latest cyberespionage campaign, officially dubbed "ReconShark," is being used by the group to target a global audience of governments, research centers, universities, and think tanks.
Kimsuky Collaborates with APT43 to Create Sophisticated Malware
The sophisticated malware is an evolution of the group's BabyShark malware, and Kimsuky has teamed up with another North Korean cyber espionage group, APT43, to spread the malicious software.
According to the story by Bleeping Computer, the campaign begins with deploying malicious Chrome extensions or Android spyware that serves as a Remote Access Trojan to target Gmail users and government-related personnel.
The malware then abuses WMI to collect vital system information, such as the running processes and battery data. It even checks if popular security products such as Kaspersky, Malwarebytes, Trend Micro, and Norton Security are running on the machine.
Once the information has been gathered, it is exfiltrated directly to a command and control server via HTTP POST requests. This technique offers stealthy exfiltration since the malware is never stored locally.
Kimsuky and BabyShark: Deployment of Additional Payloads to Amplify the Attack
ReconShark can also fetch additional payloads from the command and control server in a multi-stage manner implemented as scripts, macro-enabled Microsoft Office templates, or Windows DLL files, as explained further in an article by Sentinel Labs.
It can also manipulate Windows shortcut files associated with popular applications to execute the malware automatically when these applications are launched. Another technique used by the malware is to replace the default Microsoft Office template, Normal.dotm, with a malicious version.
Even with the awareness of potential cyber threats, threat actors like Kimsuky still manage to penetrate and steal data from systems worldwide. Security specialists highly recommend keeping up with the latest cyber threats and ensuring that the latest security software is installed on computers and networks to prevent the malicious actions of Kimsuky and other cybercriminal groups.
In an effort to amplify its attack, Kimsuky also has the ability to deploy further payloads as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. NK News described how the hackers use the BabyShark variant to target journalists and experts.
Keeping Ahead of Kimsuky: Raising Awareness on the North Korean Cyber-Espionage Group
The second stage of the attack is completed by either replacing the default Microsoft Office template with a malicious version or editing Windows shortcut files so that malicious code runs whenever popular applications like Chrome, Outlook, Firefox, or Edge are launched.
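As an added defender-side example (not code from the article or from the reports it cites), the following PowerShell audit checks the two persistence spots described above and earlier in the piece: shortcut files for the named applications whose target or arguments have been altered, and the Normal.dotm global template for an embedded VBA project. The shortcut folders, the list of expected application binaries, and the script-host names are assumptions for a default Windows installation.

```powershell
# Audit shortcut files and Normal.dotm for the tampering described in the article.
# Expected binaries for the applications the article names (assumption: default installs).
$expectedTargets = @{ 'chrome.exe' = 1; 'firefox.exe' = 1; 'msedge.exe' = 1; 'outlook.exe' = 1 }
# Common locations for user-facing shortcuts (assumption: standard profile layout).
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk      = $shell.CreateShortcut($_.FullName)
        $target   = [string]$lnk.TargetPath
        $binary   = [IO.Path]::GetFileName($target).ToLower()
        $findings = @()
        # A browser or Outlook shortcut should point straight at the application binary
        # with no extra arguments; anything else deserves a closer look.
        if ($_.BaseName -match 'chrome|firefox|edge|outlook') {
            if (-not $expectedTargets.ContainsKey($binary)) { $findings += "unexpected target '$target'" }
            if ($lnk.Arguments.Trim() -ne '')               { $findings += "arguments '$($lnk.Arguments)'" }
        }
        # Any shortcut that launches a script host instead of an application is suspicious on its own.
        if ($binary -match '^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
            $findings += "launches script host $binary"
        }
        if ($findings.Count -gt 0) {
            [PSCustomObject]@{ Shortcut = $_.FullName; LastWrite = $_.LastWriteTime; Findings = ($findings -join '; ') }
        }
    }
}
# Normal.dotm is a zip container; a stock copy normally has no word/vbaProject.bin entry.
$normal = Join-Path $env:APPDATA 'Microsoft\Templates\Normal.dotm'
if (Test-Path $normal) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip    = [IO.Compression.ZipFile]::OpenRead($normal)
    $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -eq 'word/vbaProject.bin' })
    $zip.Dispose()
    [PSCustomObject]@{ File = $normal; LastWrite = (Get-Item $normal).LastWriteTime; HasVbaProject = $hasVba }
}
```

Profile-specific browser shortcuts legitimately carry arguments, so treat an argument finding as a prompt to compare against a known-good shortcut rather than as proof of tampering.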
Kimsuky's level of sophistication and shape-shifting tactics show the careful craftsmanship and practice the North Korean threat actor puts into its campaigns.
With the number of high-profile institutions now in the crosshairs of the cyber-espionage group, governments, organizations, and individuals must remain extra vigilant not to fall victim to the same fate. This means maintaining system and software updates, setting strong passwords, and deploying detection measures as part of your defense strategy.