Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

North Korean APT Group Kimsuky Shifting Attack Tactics

Kimsuky Focuses on Exfiltration in Latest Campaign
North Korean APT Group Kimsuky Shifting Attack Tactics
North Korean Supreme Leader Kim Jong Un in a ballistic missile facility on March 28, 2023 (Image: KCNA)

North Korean hackers are using custom-built malware for information exfiltration campaigns against organizations that support human rights activists and North Korean defectors.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Cybersecurity firm SentinelOne wrote in a Tuesday blog post that the North Korean advanced persistent threat group Kimsuky is distributing a new variant of the RandomQuery malware that's been a staple of the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists.

The findings came the same day the U.S. government sanctioned four entities and one individual involved in funneling payments from malicious activities to support the North Korean government's illicit activities (see: US Sanctions North Korean Entities for Sending Regime Funds).

Kimsuky is distributing the malware using compiled HTML files - compressed HTML documents primarily used in software documentation. Delivering malware through Microsoft Compiled HTML Help, or CHM, files is a tactic commonly employed by the North Korean threat actor.

The variation of RandomQuery in this campaign has the "single objective of file enumeration and information exfiltration," in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.

The initial attack vector is phishing emails written in Korean sent from accounts registered at the South Korean email provider Daum. The lure document uncovered by the researchers is a CHM file stored in a password-protected archive titled "Difficulties in activities of North Korean human rights organizations and measures to vitalize them."

This campaign is also tied to infrastructure that uses lesser-used top-level domains such as .space, .asia, .click and .online.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.