A North Korean government-backed APT group known as Kimsuky has been observed using a new malware component called ReconShark.
According to an advisory released Thursday by security researchers at SentinelOne, ReconShark is distributed via targeted spear-phishing emails containing OneDrive links leading to document downloads and malicious macros enabled.
“Spear phishing emails are crafted with a level of design quality tailored to specific individuals, making them more likely to be opened by their targets, and they look legitimate to an unsuspecting user,” explain Tom Hegel and Aleksandar Milenkoski of SentinelOne.
“Of note, the targeted emails containing links to download the malicious documents and the malicious documents themselves were named after real individuals with expertise related to the decoy subject, such as political scientists.”
The Microsoft Office macro is triggered when the document is closed and performs a more sophisticated version of the reconnaissance functionality found in Kimsuky’s BabyShark malware.
“ReconShark’s ability to steal valuable information, such as deployed detection mechanisms and hardware information, could be used by ReconShark to evade defenses and subsequently scrutinize malware, including malware specifically tailored to exploit platform weaknesses. It indicates that it is part of a reconnaissance operation orchestrated by Kimsuky to enable the attack,” reads the advisory.
Unlike previous variants, ReconShark does not save the collected information to the file system. Instead, the malware keeps the data in string variables and sends it to the command and control (C2) server in HTTP POST requests. ReconShark can also install additional payloads, such as scripts and DLL files, chosen according to the detection-mechanism processes it finds running on the infected machine.
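The behaviour described above gives a defender something concrete to look for: a macro running inside an Office host process sends its reconnaissance data out in HTTP POST requests, so an Office process acting as an HTTP POST client is worth alerting on. The following is an added example, not code from the article or from SentinelOne; it scans constructed process-network log lines in an assumed key=value format and flags every POST issued by an Office process. The process list, the log fields and every host and URL in the sample are assumptions, and the URLs are placeholders rather than real indicators.

```python
"""
Added example (not from the article or SentinelOne): flag HTTP POST requests
that originate from a Microsoft Office host process, the pattern the article
describes for ReconShark's in-memory data exfiltration to its C2 server.
Log format, field names, hosts and URLs below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Office host processes that should not be issuing their own HTTP POSTs
# (assumed list; extend it to match the monitored environment)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample log lines in an assumed key=value format:
# ts=<iso> host=<name> proc=<image> method=<verb> url=<url> bytes=<n>
# The URLs are placeholders, not real indicators of compromise.
SAMPLE_LOGS = [
    "ts=2023-05-04T09:12:01Z host=ws-17 proc=winword.exe method=GET url=https://office.example.test/update bytes=120",
    "ts=2023-05-04T09:12:05Z host=ws-17 proc=winword.exe method=POST url=http://c2-placeholder.invalid/upload bytes=4096",
    "ts=2023-05-04T09:12:07Z host=ws-17 proc=chrome.exe method=POST url=https://mail.example.test/send bytes=2048",
    "ts=2023-05-04T09:13:00Z host=ws-22 proc=excel.exe method=POST url=http://c2-placeholder.invalid/upload bytes=512",
]


@dataclass
class Alert:
    host: str
    proc: str
    url: str
    bytes_sent: int


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; tokens without '=' are skipped."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def detect_office_posts(lines: List[str]) -> List[Alert]:
    """Return one Alert per HTTP POST issued by an Office host process."""
    alerts: List[Alert] = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("method") != "POST":
            continue  # only outbound POSTs match the described exfiltration
        proc = fields.get("proc", "").lower()
        if proc not in OFFICE_PROCESSES:
            continue  # browsers and mail clients legitimately POST data
        alerts.append(
            Alert(
                host=fields.get("host", "?"),
                proc=proc,
                url=fields.get("url", "?"),
                bytes_sent=int(fields.get("bytes", "0")),
            )
        )
    return alerts


if __name__ == "__main__":
    for alert in detect_office_posts(SAMPLE_LOGS):
        print(f"ALERT {alert.host}: {alert.proc} POST {alert.bytes_sent} bytes to {alert.url}")
```

On the constructed sample the GET from winword.exe and the POST from chrome.exe are ignored, while the two POSTs from Office processes on ws-17 and ws-22 produce alerts. In a real deployment the rule would be fed from an EDR or proxy log with the same fields, and the process list tuned to the Office applications actually in use.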
Hegel and Milenkoski further explained that the group’s recent campaigns focus on global issues and reach a global audience.
“For example, Kimsuky’s recent campaign focused on the nuclear issue between China and North Korea in relation to the ongoing war between Russia and Ukraine,” reads the technical article.
The SentinelOne team recently became aware of a campaign targeting employees of the Korea Risk Group (KRG). KRG is a company that specializes in analyzing issues that directly or indirectly affect the Democratic People’s Republic of Korea (DPRK).
Hegel and Milenkoski said: “We have determined that the same campaigns continue to be used to target other organizations and individuals, including think tanks, research universities and government agencies, at least in the United States, Europe and Asia.”
SentinelOne’s advisory comes weeks after Mandiant revealed a new North Korean APT group that may be linked to Kimsuky.