Kimsuky, the notorious North Korean nation-state threat actor, has been linked to a social engineering campaign targeting experts on North Korean affairs in order to steal Google credentials and deliver reconnaissance malware.
Kimsuky engages its targets in extensive email correspondence, using spoofed URLs, websites imitating legitimate web platforms, and Office documents weaponized with the ReconShark malware. The activity shows the APT's dedication to social engineering and the group's increasing interest in gathering strategic intelligence.
Detailed View
SentinelLabs has been tracking a targeted social engineering campaign against non-government experts in North Korean affairs in collaboration with NK News, a popular subscription-based service that provides news and analyses about North Korea.
Kimsuky's objective extends to the theft of subscription credentials for NK News. To achieve this, the group distributes emails that lure targeted individuals to log in to the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form presented to the target is designed to capture the entered credentials.
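The nknews[.]pro site described above is a classic brand-lookalike domain: the same brand label as the legitimate site under a different TLD. The following is an added defensive example, not code from the article or from SentinelLabs, that scans email records for sender and link domains imitating a protected brand. The protected domain nknews.org, the sender addresses, and the URLs are all constructed assumptions for the illustration, and the domain parsing deliberately ignores multi-label public suffixes such as co.uk.

```python
"""Flag sender and link domains that imitate a protected brand domain.

Added example, not from the article. The protected domain list and the
sample messages are constructed; nknews.org is assumed to be the legitimate
NK News domain.
"""
from urllib.parse import urlparse

# Assumed legitimate domains worth protecting (assumption, not from the article).
PROTECTED = {"nknews.org"}

# Constructed sample records: (sender address, URL found in the message body).
SAMPLE_MESSAGES = [
    ("editor@nknews.org", "https://nknews.org/pro/login"),
    ("reader-support@nknews.pro", "https://nknews.pro/login"),
    ("colleague@university.edu", "https://docs.example.com/share/abc"),
    ("news@nk-news.org", "https://nk-news.org/account"),
]


def registrable(domain):
    """Return (brand label, tld) for a host name.

    Simplification: treats the last label as the public suffix, so
    multi-label suffixes such as co.uk are not handled.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None
    return parts[-2], parts[-1]


def normalize(label):
    """Drop separators and fold digits that are visually close to letters."""
    table = str.maketrans({"-": "", "_": "", "1": "l", "0": "o", "3": "e", "5": "s"})
    return label.translate(table)


def classify_domain(domain):
    """Return 'legit', 'lookalike', or 'unrelated' for a host name."""
    if domain.lower() in PROTECTED:
        return "legit"
    reg = registrable(domain)
    if reg is None:
        return "unrelated"
    label, _tld = reg
    for good in PROTECTED:
        good_label, _good_tld = registrable(good)
        # Same brand label under a different TLD or with separators inserted,
        # e.g. nknews.pro or nk-news.org against nknews.org.
        if normalize(label) == normalize(good_label):
            return "lookalike"
    return "unrelated"


def host_of(url):
    """Extract the host name from a URL, empty string if absent."""
    return urlparse(url).hostname or ""


def scan_messages(messages):
    """Return a list of (sender, url, reason) for every lookalike domain seen."""
    findings = []
    for sender, url in messages:
        sender_domain = sender.rsplit("@", 1)[-1]
        for kind, dom in (("sender", sender_domain), ("link", host_of(url))):
            if classify_domain(dom) == "lookalike":
                findings.append((sender, url, f"{kind} domain {dom} imitates a protected domain"))
    return findings


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

A production version would read the protected list from a brand inventory and use a public-suffix library for domain splitting; the folding table here catches only the simplest substitutions, so it is a first-pass filter rather than a complete typosquat detector.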
The revelation emerges in the wake of a recent alert from intelligence agencies in the United States and South Korea, cautioning about Kimsuky’s employment of social engineering strategies to target think tanks, academia, and news media sectors.
Additionally, Kimsuky distributes password-protected weaponized Office documents that deploy ReconShark reconnaissance malware during conversations with targeted individuals. In order to conduct subsequent precision attacks, ReconShark exfiltrates information related to detection mechanisms and hardware.
About Kimsuky and ReconShark
Kimsuky (also known as Velvet Chollima, Thallium, or TA406) is a state-sponsored cybercrime organization based in North Korea. Active since at least 2012, Kimsuky is known for its spear-phishing tactics and its attempts to establish trust and rapport with intended targets, with the sole purpose of gathering strategic intelligence, geopolitical insights, and access to sensitive information of value to North Korea.
ReconShark is an advanced version of the BabyShark malware associated with Kimsuky. ReconShark employs WMI (Windows Management Instrumentation) as a means to gather various data from compromised machines. This includes information on running processes, battery status, and other relevant details. Additionally, ReconShark possesses the capability to detect the presence of any security software running on the infected system.
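Because ReconShark is delivered through weaponized Office documents and collects its host information through WMI, a useful hunting question for defenders is "which WMI queries were launched by a process whose parent is an Office application?". The script below is an added example, not SentinelLabs' code and not a description of ReconShark's internals: the event format is a simplified, constructed process-creation record, and the WMI class names it looks for (AntiVirusProduct under root\SecurityCenter2, Win32_Process, Win32_Battery) are the usual ways of enumerating security software, running processes and battery state on Windows, chosen as assumptions for the illustration rather than taken from the article.

```python
"""Hunt constructed process-creation events for WMI reconnaissance launched
from an Office application.

Added example, not from the article. The event layout is a simplified
Sysmon-style record and the WMI class names are assumptions about how the
listed data is typically collected, not ReconShark specifics.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WMI_HOSTS = {"wmic.exe", "powershell.exe", "pwsh.exe"}

# Command-line patterns for the data categories named in the article
# (security software, running processes, battery status). Assumed typical
# WMI classes, not taken from a ReconShark sample.
RECON_PATTERNS = {
    "security_software": re.compile(r"securitycenter2|antivirusproduct", re.I),
    "process_list": re.compile(r"win32_process|\bprocess\s+(get|list)\b", re.I),
    "battery": re.compile(r"win32_battery", re.I),
}

# Constructed sample events: parent image, child image, child command line.
EVENTS = [
    {"id": 1,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"id": 2,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"id": 3,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-WmiObject -Class Win32_Battery"},
    {"id": 4,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process get name,processid"},
    {"id": 5,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev):
    """Return the recon categories an event matches, or [] if it looks benign.

    Both conditions must hold: the parent is an Office application and the
    child is a WMI-capable host whose command line queries one of the classes.
    """
    if basename(ev["parent"]) not in OFFICE_PARENTS:
        return []
    if basename(ev["image"]) not in WMI_HOSTS:
        return []
    return [name for name, pat in RECON_PATTERNS.items() if pat.search(ev["cmdline"])]


def hunt(events):
    """Map event id to matched categories for every suspicious event."""
    hits = {}
    for ev in events:
        cats = analyze_event(ev)
        if cats:
            hits[ev["id"]] = cats
    return hits


if __name__ == "__main__":
    for event_id, cats in hunt(EVENTS).items():
        print(f"event {event_id}: {', '.join(cats)}")
```

Event 2 runs the same query as event 1 but from explorer.exe, so it is ignored: the Office parent is what turns an ordinary administrative query into a signal. In a real deployment the same logic would run as a SIEM rule over Sysmon event ID 1 or Windows Security event 4688 with command-line logging enabled.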