N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks

May 5, 2023 | Ravie Lakshmanan | Cyber Threat / Malware


The North Korean state-sponsored threat actor known as Kimsuky has been observed using a new reconnaissance tool called ReconShark as part of an ongoing global campaign.

“[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros,” SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said.

Kimsuky is also known as APT43, ARCHIPELAGO, Black Banshee, Nickel Kimball, Emerald Sleet (formerly Thallium), and Velvet Chollima.

Active since at least 2012, the prolific threat actor has been linked to targeted attacks against non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities in North America, Asia, and Europe.


The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea’s nuclear proliferation to activate the infection sequence.

“Specifically, spear-phishing emails are created with a level of design quality that is tailored to specific individuals, making them more likely to be opened by their targets,” the researchers said. “This includes proper formatting, grammar, and visual cues to make it look legitimate to an unsuspecting user.”


The messages contain a link to a booby-trapped Microsoft Word document hosted on OneDrive that deploys ReconShark, which primarily acts as a reconnaissance tool that executes instructions sent from attacker-controlled servers. It is also an evolution of the group’s BabyShark malware toolset.

Palo Alto Networks Unit 42 said in a February 2019 BabyShark analysis:


ReconShark is specifically designed to exfiltrate details about running processes, deployed detection mechanisms (such as security products), and hardware information. This suggests that the data the tool collects is used to carry out “precision attacks” involving malware that has been tailored to the target’s environment in a way that evades detection.

The malware is also able to deploy additional payloads from the server based on “detection mechanism processes running on the infected machine”.
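The two paragraphs above describe the defender-facing side of the campaign: a macro-launched first stage that enumerates processes and installed security products so the operator can pick a follow-on payload that will not trip the defenses present. The following is an added example, not code from SentinelOne, The Hacker News, or the ReconShark sample itself, of how an analyst might hunt for that behaviour in process-creation telemetry. It assumes Sysmon-style field names (ParentImage, Image, CommandLine, ProcessId), a set of Office parent process names, and generic host-enumeration command fragments (tasklist, systeminfo, WMI/CIM SecurityCenter2 AntiVirusProduct queries); none of these are indicators published for ReconShark, and the log lines are constructed for the example.

```python
"""Hunt for Office-spawned host/security-product reconnaissance.

Added illustrative example (not SentinelOne's, The Hacker News', or ReconShark's
own code). Field names follow a Sysmon-like process-creation event and are an
assumption; the recon command patterns are generic, not ReconShark signatures.
"""
import json
import re
from typing import List, Optional, Tuple

# Office hosts a malicious macro would run under (assumed process names as they
# appear in Windows process-creation telemetry).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Command-line fragments typical of enumerating processes, hardware and
# installed security products. Generic hunting heuristics, not ReconShark IOCs.
RECON_PATTERNS = [
    re.compile(r"\btasklist\b", re.I),
    re.compile(r"\bsysteminfo\b", re.I),
    re.compile(r"antivirusproduct", re.I),               # WMI SecurityCenter2 class
    re.compile(r"securitycenter2", re.I),
    re.compile(r"get-(process|ciminstance|wmiobject)", re.I),
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path such as C:\\...\\WINWORD.EXE."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(event: dict) -> Optional[str]:
    """Return a reason string if an Office process spawned a recon command, else None."""
    parent = _basename(event.get("ParentImage", ""))
    if parent not in OFFICE_PARENTS:
        return None
    cmd = event.get("CommandLine", "")
    for pat in RECON_PATTERNS:
        if pat.search(cmd):
            return f"office-child-recon: parent={parent} child={_basename(event.get('Image', ''))} pattern={pat.pattern}"
    return None


def hunt(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse JSON-lines telemetry and return (ProcessId, reason) for each flagged event."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the hunt
        reason = flag_event(ev)
        if reason:
            hits.append((ev.get("ProcessId"), reason))
    return hits


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    # 1: macro runs tasklist from Word -> should be flagged
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /c tasklist /v > "%TEMP%\p.txt"'},
    # 2: an administrator runs tasklist from Explorer -> benign, not flagged
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist"},
    # 3: macro queries installed AV via CIM from Word -> should be flagged
    {"ProcessId": 4188, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    # 4: Word spawning its print helper -> benign child, not flagged
    {"ProcessId": 4201, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["<<truncated line, not JSON>>"]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_LOG):
        print(pid, reason)
```

The rule keys on the parent-child relationship rather than on the command alone, which is what keeps the administrator's `tasklist` (event 2) out of the results while catching the same command launched from Word; in a real deployment the Office parent set and the recon patterns would be tuned against the organisation's own baseline.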

The findings add to growing evidence that the threat actor is actively shifting tactics to gain a foothold on compromised hosts, establish persistence, and covertly gather intelligence over extended periods.

“Kimsuky’s ongoing attacks and use of a new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat environment,” SentinelOne said.
