Japan warns of attacks by the North Korean Kimsuky hackers


Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) is warning that Japanese organizations are being targeted in attacks by the North Korean ‘Kimsuky’ threat actors.

The US government has identified Kimsuky as a North Korean advanced persistent threat (APT) group that conducts attacks against targets worldwide to gather intelligence on topics of interest to the North Korean government.

The threat actors are known to use social engineering and phishing to gain initial access to networks. They then deploy custom malware to steal data and retain persistence on networks.

Japan says Kimsuky attacks were detected earlier this year, and attribution was based on indicators of compromise (IoCs) shared by AhnLab Security Intelligence Center (ASEC) in two separate reports (1, 2).

“JPCERT/CC has confirmed attack activities targeting Japanese organizations by an attack group called Kimsuky in March 2024,” warns JPCERT/CC.

Starts with phishing

The attackers start their attacks by sending phishing emails impersonating security and diplomatic organizations to targets in Japan, carrying a malicious ZIP attachment.

The ZIP contains an executable that leads to the malware infection, plus two decoy document files. The executable's filename also uses many spaces so that it appears to be a document, pushing the “.exe” part out of view.

When executed by the victim, the payload downloads and executes a VBS file and also configures ‘C:\Users\Public\Pictures\desktop.ini.bak’ to start automatically via Wscript.

The VBS file downloads a PowerShell script to collect information, such as process lists, network details, file lists from folders (Downloads, Documents, Desktop), and user account information. This information is then sent to a remote URL under the control of the attackers.

This collected information helps Kimsuky determine if the infected device is a legitimate user machine or an analysis environment.

Finally, a new VBS file is created and executed to download a PowerShell script that logs keystrokes and clipboard information, which is then sent to the attackers.

The information collected by the keylogger could include credentials allowing the threat actors to spread further into the organization’s systems and applications.
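Two traits of this chain are visible to defenders on the host: an attachment name padded with spaces so the ".exe" ending disappears from view, and a script host (Wscript) being pointed at a file that is not a script, under the world-writable C:\Users\Public tree. The checks below are an added illustration, not code from JPCERT/CC or ASEC; the ZIP member names and process command lines are constructed samples, not indicators from the advisory.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed samples (not indicators from the advisory): a ZIP member list and
# process-creation command lines in the shape an EDR or Sysmon export produces.
ZIP_MEMBERS = [
    "Security_Briefing_2024.docx",
    "Embassy_Notice.pdf",
    "Meeting_Agenda.docx" + " " * 60 + ".exe",
]
PROCESS_EVENTS = [
    r'C:\Windows\System32\wscript.exe "C:\Users\Public\Pictures\desktop.ini.bak"',
    r'C:\Windows\System32\wscript.exe "C:\Users\alice\Documents\deploy.vbs"',
    r'C:\Windows\hh.exe "C:\Users\alice\Downloads\Manual.chm"',
]

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}
SCRIPT_HOST_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# A long run of spaces immediately before the real (last) extension.
_PAD_RE = re.compile(r"\s{8,}(\.[A-Za-z0-9]{2,4})$")
# wscript.exe / cscript.exe followed by the (possibly quoted) script argument.
_HOST_RE = re.compile(r'(?i)\\(w|c)script\.exe"?\s+"?([^"]+?)"?\s*$')


def padded_extension(name: str) -> bool:
    """True when an executable extension hides behind a run of spaces, so a
    file manager shows only the decoy document name."""
    m = _PAD_RE.search(name)
    return bool(m) and m.group(1).lower() in EXECUTABLE_EXT


def script_host_anomaly(cmdline: str) -> Optional[str]:
    """Reason string when wscript/cscript is handed a non-script file or a
    file under C:\\Users\\Public; None for an ordinary script launch."""
    m = _HOST_RE.search(cmdline)
    if not m:
        return None
    target = PureWindowsPath(m.group(2))
    reasons = []
    if target.suffix.lower() not in SCRIPT_HOST_EXT:
        reasons.append(f"non-script extension {target.suffix!r}")
    if "public" in (p.lower() for p in target.parts):
        reasons.append("script run from C:\\Users\\Public")
    return "; ".join(reasons) or None


def triage(members: List[str], events: List[str]) -> List[str]:
    """Collect every finding from both sources; empty list means no match."""
    out = [f"zip: padded executable name {n.strip()!r}" for n in members if padded_extension(n)]
    out += [f"proc: {r} in {e}" for e in events if (r := script_host_anomaly(e))]
    return out
```

Both checks are cheap enough to run over mail-gateway attachment listings and process-creation telemetry; the spacing threshold and extension sets are tuning knobs, not fixed values from the advisory.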

Latest Kimsuky attacks

In May 2024, ASEC discovered Kimsuky was distributing a CHM malware strain in Korea. The malware had previously been spread in various formats, including LNK, DOC, and OneNote.

The attack flow involves executing a Compiled HTML Help (CHM) file that displays a help screen while simultaneously running a malicious script in the background.

This script creates and executes a file in the user’s profile path. The file then connects to an external URL to execute additional malicious Base64-encoded scripts.

These scripts are responsible for exfiltrating user information, creating and registering a malicious script as a service, and performing keylogging.

Compared to past variants, the latest malware samples seen by ASEC analysts employ more sophisticated obfuscation to evade detection.

Given the detected Kimsuky activity in Japan, the country’s CERT underlines the need for organizations to be vigilant against CHM files that can contain executable scripts designed to deliver malware.
