
The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using custom malware called RandomQuery as part of reconnaissance and information exfiltration operations.
“Recently, Kimsuky has consistently distributed custom malware as part of reconnaissance campaigns to enable subsequent attacks,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report released today.
According to the cybersecurity firm, the ongoing campaign primarily targets information services and organizations that support human rights activists and North Korean defectors.
Kimsuky has been active since 2012 and has a track record of attacking organizations and individuals of strategic importance to North Korea.
As SentinelOne detailed earlier this month, intelligence-gathering missions have recently included the use of another reconnaissance tool called ReconShark.
The latest activity cluster associated with this group started on May 5, 2023 and leverages a variant of RandomQuery specifically designed to enumerate files and siphon sensitive data.
RandomQuery is one of the most frequently distributed tools in Kimsuky’s arsenal, alongside FlowerPower and AppleSeed; it serves both as a vehicle for information theft and as a pathway for delivering remote access Trojans such as TutRAT and xRAT.
The attack began with a phishing email purporting to be from The Daily NK, a prominent Seoul-based online publication covering North Korea issues, enticing potential targets to open a Microsoft Compiled HTML Help (CHM) file.
What is notable at this stage is that the CHM file has been adopted as a decoy by another North Korean nation-state actor called ScarCruft.
Upon launching the CHM file, a Visual Basic script runs and issues an HTTP GET request to a remote server to retrieve the second-stage payload, which is a VBScript variant of RandomQuery.
The malware then starts collecting system metadata, running processes, installed applications, and files from various folders, all of which are sent to a command and control (C2) server.
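The CHM-to-VBScript hand-off described above leaves a distinctive process-tree signature: the Windows HTML Help viewer (hh.exe) spawning a script host. The detector below is an added example written for this article, not code from SentinelOne or the campaign; it assumes a simplified key=value process-creation log format and uses constructed sample events rather than real telemetry.

```python
import re

# hh.exe is the Windows HTML Help viewer that renders .chm files; the set below
# lists script hosts that a CHM-embedded script commonly hands off to.
CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Assumed log format (not Sysmon's native layout): one process-creation event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ParentImage=(?P<parent>\S+) Image=(?P<image>\S+) '
    r'CommandLine="(?P<cmd>[^"]*)"$'
)


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both backslash and slash separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str):
    """Return the event fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_chm_script_launch(lines):
    """Return (ts, parent, image, cmd) for every event where hh.exe spawns a script host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and basename(ev["parent"]) == CHM_VIEWER and basename(ev["image"]) in SCRIPT_HOSTS:
            alerts.append((ev["ts"], ev["parent"], ev["image"], ev["cmd"]))
    return alerts


# Constructed sample events: a benign CHM open, a benign script run, and one suspicious chain.
SAMPLE_LOG = [
    '2023-05-05T09:12:01Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\hh.exe CommandLine="hh.exe C:\\Users\\u\\Downloads\\report.chm"',
    '2023-05-05T09:12:04Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Tools\\backup.vbs"',
    '2023-05-05T09:12:05Z ParentImage=C:\\Windows\\hh.exe Image=C:\\Windows\\System32\\wscript.exe CommandLine="wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage2.vbs"',
]

if __name__ == "__main__":
    for ts, parent, image, cmd in detect_chm_script_launch(SAMPLE_LOG):
        print(f"[{ts}] {basename(parent)} -> {basename(image)}: {cmd}")
```

Only the third sample event is flagged; a script host launched by explorer.exe or a plain CHM open does not match, which keeps the rule narrow enough to tune against real endpoint telemetry.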
“This campaign also demonstrates the group’s consistent approach of distributing malware through CHM files,” said the researchers.
“These incidents highlight the ever-changing landscape of North Korean threat groups, whose mission includes not only political espionage but also sabotage and financial threats.”
The findings arrived a few days after the AhnLab Security Emergency Response Center (ASEC) uncovered a Kimsuky watering hole attack in which the group set up a lookalike of the webmail system used by national policy research agencies to harvest credentials entered by victims.
In a related development, Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework, which is then used to deploy Go-based proxy malware.