Contents:
Kimsuky, a North Korean hacking group, has been observed employing a new version of its reconnaissance malware called “ReconShark” in a cyberespionage campaign with global reach.
According to security analysts, the threat actor has broadened the range of targets it is now attacking, including government agencies, research institutions, universities, and think tanks in the United States, Europe, and Asia.
Also known as Thallium and Velvet Chollima, the threat group started disseminating malicious Chrome extensions targeting Gmail accounts and an Android spyware that served as a remote access trojan, as reported by German and South Korean authorities in March 2023. Previously, in August 2022, the threat actors were undergoing another campaign targeting diplomats, university professors, and journalists in South Korea by using a multi-stage target validation scheme, which made sure only valid targets would be infected with malicious payloads.
Personalized Phishing Emails Wreak Havoc
As in all of the threat group’s prior campaigns, Kimsuky uses expertly crafted and personalized spear-phishing emails to infect its targets with the ReconShark malware. To reduce the possibility of setting off any warnings on email security systems, these emails include a link to a malicious password-protected document housed on Microsoft OneDrive.
When the victim opens the downloaded document and enables macros as instructed, the malware is activated. The majority of threat actors began using new file types for phishing attacks, such as ISO files and, more recently, OneNote documents, when Microsoft disabled macros by default on downloaded Office documents.
What Is ReconShark?
According to security researchers, ReconShark is an evolution of Kimsuky’s BabyShark malware, which was previously seen deployed by other North Korean hacking groups such as APT43 for example, an espionage group targeting U.S. organizations.
ReconShark abuses WMI to collect information such as running processes, battery data, and many others, from the machines it infects. It also has the ability to check if any security software is operating on the machine.
As reported by BleepingComputer, the malware does not save any of the reconnaissance data locally. Instead, it sends everything directly to the C2 server via HTTP POST requests. The malware is also capable of fetching additional payloads from the C2 which can give it a better foothold on the infected system.
Additionally to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled MSOffice templates, or Windows DLL files.
In order to have the malware run when a user runs one of the popular apps like Chrome, Outlook, Firefox, or Edge, the payload deployment stage entails modifying Windows shortcut files (LNK). An alternate strategy is to upload a malicious copy of the Normal.dotm template to the C2 server and swap it out for the legitimate one to cause Microsoft Word to always launch with malicious code.
Both strategies give threat actors a covert way to penetrate the targeted system further, stay persistent, and carry out additional payloads or commands as part of a multi-stage attack. Kimsuky’s level of sophistication and shape-shifting tactics call for heightened vigilance.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.