Kimsuky: North Korean hacker group attacks human rights activists and defectors

In its latest investigation, SentinelLabs, the research arm of SentinelOne, shed light on a targeted campaign against information services and organizations that support human rights defenders and defectors in North Korea.

The campaign focuses on spying on files and exfiltrating system and hardware information to lay the groundwork for later attacks. Based on the infrastructure used, the malware distribution methods, and the implementation, the security researchers assess with high confidence that the campaign was carried out by the threat actor Kimsuky.

Kimsuky is a suspected North Korean APT (Advanced Persistent Threat) group known for targeting organizations and individuals worldwide. The group has been active since at least 2012 and regularly conducts targeted phishing and social engineering campaigns to gather intelligence and gain unauthorized access to sensitive information serving the interests of the North Korean government. Lately, Kimsuky has repeatedly distributed tailor-made malware as part of reconnaissance campaigns that prepare subsequent attacks. For example, SentinelLabs recently revealed that the group was distributing ReconShark via macro-enabled Office documents. Recent developments point to a shift towards a variant of the RandomQuery malware whose sole purpose is information exfiltration.

Technical background

RandomQuery is a staple in Kimsuky’s arsenal and comes in a variety of flavors. The recently discovered campaign uses a pure VBScript implementation. The malware’s ability to exfiltrate valuable information such as hardware, operating system, and file details points to its central role in the reconnaissance operations that enable tailored follow-on attacks.

The phishing emails, written in Korean, urge recipients to read an attached document allegedly written by Lee Kwang-baek, CEO of Daily NK. Daily NK is a well-known South Korean online news service that reports independently on North Korea, which makes it an ideal identity for threat actors wanting to appear legitimate. The attachment is a CHM file stored in a password-protected archive. The document is entitled “Difficulties in the Activities of North Korean Human Rights Organizations and Measures to Stimulate Them” and contains a catalog of problems affecting human rights organizations.
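The delivery chain described above, a CHM file inside a password-protected archive, can be screened at a mail gateway without the password, because ZIP entry names and flag bits sit unencrypted in the central directory. The following is an added example (not code from the article or from SentinelLabs) that builds a constructed test archive and flags encrypted `.chm` entries; the suffix policy is a hypothetical one.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the ZIP general-purpose flag marks an entry as encrypted. The entry
# name itself is never encrypted, so a directory-level check needs no password.
ZIP_FLAG_ENCRYPTED = 0x0001
# Hypothetical gateway policy: CHM help files are the lure format seen in this campaign.
SUSPICIOUS_SUFFIXES = (".chm",)


def build_zip(entries, encrypted=True):
    """Construct a minimal STORED zip (a constructed fixture, not real malware).
    Only the encryption flag bit is set; the data stays in clear text, which is
    enough to exercise a check that reads the central directory only."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    local, central = b"", b""
    for name, data in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(local)
        # Local file header (PK\x03\x04) followed by name and stored data.
        local += struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, 0, 0, 0,
                             crc, len(data), len(data), len(name_b), 0) + name_b + data
        # Central directory record (PK\x01\x02) pointing back at the local header.
        central += struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags,
                               0, 0, 0, crc, len(data), len(data), len(name_b),
                               0, 0, 0, 0, 0, offset) + name_b
    # End of central directory record (PK\x05\x06).
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def flag_encrypted_chm_attachments(blob):
    """Return names of encrypted entries whose extension is on the suspicious
    list. Only the central directory is parsed; no entry is ever extracted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            if encrypted and info.filename.lower().endswith(SUSPICIOUS_SUFFIXES):
                hits.append(info.filename)
    return hits


if __name__ == "__main__":
    sample = build_zip([("report.chm", b"constructed payload"), ("note.txt", b"hi")])
    print(flag_encrypted_chm_attachments(sample))
```

A hit only says the archive matches the lure pattern; the verdict still needs context such as sender reputation or whether the password was supplied in the email body.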

The threat actors have made extensive use of less common top-level domains in their domain registrations. Previous SentinelLabs reports on Kimsuky’s ReconShark activities highlighted multiple clusters of malicious domains using the same technique. In the latest campaign, the Japan-based domain registration service Onamae was used primarily to purchase the malicious domains. The noticeable concentration of activity began on May 5, 2023 and is still ongoing.

Conclusion

The incidents underscore the ever-changing landscape of North Korea’s threat groups, whose remit includes not only political espionage but also sabotage and financially motivated attacks. It is important for organizations to understand the TTPs deployed by suspected state-sponsored APTs and take appropriate measures to protect against such attacks. The connection between the recent malicious activities and a broader spectrum of previously undisclosed operations attributed to North Korea underscores the importance of constant vigilance and of fostering cooperation.

(c) it-daily