The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called ‘ReconShark,’ in a cyberespionage campaign with a global reach.
Sentinel Labs reports that the threat actor has expanded its targeting scope to government organizations, research centers, universities, and think tanks in the United States, Europe, and Asia.
In March 2023, South Korean and German authorities warned that Kimsuky, also known as Thallium and Velvet Chollima, began spreading malicious Chrome extensions that targeted Gmail accounts and an Android spyware that served as a remote access trojan.
Previously, in August 2022, Kaspersky revealed another Kimsuky campaign targeting politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme that ensured only valid targets would be infected with malicious payloads.
Kimsuky leverages well-crafted and personalized spear-phishing emails to infect its targets with the ReconShark malware, a tactic seen in all previous campaigns of the threat group.
These emails contain a link to a malicious password-protected document hosted on Microsoft OneDrive to minimize the chances of raising any alarms on email security tools.
When the target opens the downloaded document and enables macros as instructed, the embedded ReconShark malware is activated.
The malicious document used in a Kimsuky attack (Sentinel Labs)
After Microsoft disabled macros by default on downloaded Office documents, most threat actors switched to new file types for phishing attacks, such as ISO files, and more recently, OneNote documents.
“The attackers are likely looking for easy wins against outdated versions of Office or simply users enabling macros,” Tom Hegel, Sr. Threat Researcher at SentinelLabs, told BleepingComputer.
“Kimsuky is not being too innovative here — especially since they are still evolving the BabyShark malware family.”
Sentinel Labs analysts consider ReconShark an evolution of Kimsuky’s ‘BabyShark’ malware, which was also seen deployed by APT43, an overlapping North Korean cyberespionage group targeting U.S. organizations.
ReconShark abuses WMI to collect information about the infected system, like the running processes, battery data, etc.
It also checks if security software runs on the machine, with Sentinel Labs mentioning specific checks for Kaspersky, Malwarebytes, Trend Micro, and Norton Security products.
Checking for security tool processes (Sentinel Labs)
The exfiltration of the reconnaissance data is direct, with the malware sending everything to the C2 server via HTTP POST requests without storing anything locally.
“The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses,” warned SentinelOne.
Another capability of ReconShark is to fetch additional payloads from the C2, which can give Kimsuky a better foothold on the infected system.
“In addition to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files,” reads the Sentinel Labs report.
“ReconShark decides what payloads to deploy depending on what detection mechanism processes run on infected machines.”
The payload deployment stage involves editing Windows shortcut files (LNK) associated with popular applications like Chrome, Outlook, Firefox, or Edge to execute the malware when the user launches one of those apps.
ReconShark edits shortcut files (Sentinel Labs)
An alternative method is to replace the default Microsoft Office template, Normal.dotm, with a malicious version hosted on the C2 server to load malicious code whenever the user launches Microsoft Word.
Loading a malicious Office template (Sentinel Labs)
Both techniques offer a stealthy way to infiltrate deeper into the targeted system, maintain persistence, and execute additional payloads or commands as part of the threat actor’s multi-stage attack.
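As an added defender-side example (not from the Sentinel Labs report or from BleepingComputer), the PowerShell below audits the two persistence locations described above: shortcuts for Chrome, Outlook, Firefox and Edge whose target or arguments no longer point only at the expected executable, and a Normal.dotm that carries a VBA project. The expected executable names, the scanned folders and the list of script hosts are my assumptions, not indicators from the report.

```powershell
# Added example: audit the LNK shortcuts and Normal.dotm that ReconShark tampers with.
# The expected executables, scanned folders and script-host list are assumptions, not IoCs.
$ExpectedTargets = @{
    'chrome'  = 'chrome.exe'
    'outlook' = 'OUTLOOK.EXE'
    'firefox' = 'firefox.exe'
    'edge'    = 'msedge.exe'
}
# Interpreters a browser or mail shortcut should never launch, directly or via its arguments
$ScriptHosts = 'cmd.exe','powershell.exe','mshta.exe','wscript.exe','cscript.exe','rundll32.exe','regsvr32.exe'
$ShortcutDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in $ShortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Recurse -Filter *.lnk -ErrorAction SilentlyContinue) {
        $name = $lnk.BaseName.ToLower()
        $app  = $ExpectedTargets.Keys | Where-Object { $name -like "*$_*" } | Select-Object -First 1
        if (-not $app) { continue }                 # only the applications the article names
        $sc = $shell.CreateShortcut($lnk.FullName)
        $cmdline = "$($sc.TargetPath) $($sc.Arguments)"
        $wrongTarget = -not ($sc.TargetPath -like "*\$($ExpectedTargets[$app])")
        $hosts = $ScriptHosts | Where-Object { $cmdline -match [regex]::Escape($_) }
        if ($wrongTarget -or $hosts) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
                Modified  = $lnk.LastWriteTime      # editing the LNK bumps this timestamp
                Reason    = if ($hosts) { "launches $($hosts -join ', ')" } else { 'unexpected target' }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# A stock Normal.dotm carries no VBA project; a word/vbaProject.bin entry means macros were added.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$normal = Join-Path $env:APPDATA 'Microsoft\Templates\Normal.dotm'
if (Test-Path $normal) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($normal)
    try     { $hasVba = [bool]($zip.Entries | Where-Object FullName -eq 'word/vbaProject.bin') }
    finally { $zip.Dispose() }
    "{0}: VBA project present = {1}; modified {2}" -f $normal, $hasVba, (Get-Item $normal).LastWriteTime
}
```

Run it in the context of each user profile you want to check, since both the per-user Start Menu folder and Normal.dotm live under that user's %APPDATA%.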
Kimsuky’s level of sophistication and shape-shifting tactics blur the line that separates its operation from other North Korean groups that conduct broader campaigns, and call for heightened vigilance.
- EndangeredPootisBird – 4 days ago
“After Microsoft disabled macros by default on downloaded Office documents, most threat actors switched to new file types for phishing attacks, such as ISO files, and more recently, OneNote documents.” has a duplicate below the document image.
- johnlsenchak – 4 days ago
North Korea’s main connection to the international Internet is through a fiber-optic cable connecting Pyongyang with Dandong, China, crossing the China–North Korea border at Sinuiju. Internet access is provided by China Unicom. Before the fiber connection, international Internet access was limited to government-approved dial-up over land lines to China. In 2003 a joint venture between businessman Jan Holterman in Berlin and the North Korean government called KCC Europe brought the commercial Internet to North Korea. The connection was established through an Intelsat satellite link from North Korea to servers located in Germany. This link ended the need to dial ISPs in China.
As of February 2023 North Korea has four IPv4 subnets, of which three are announced by AS131279, named “Ryugyong-dong”. The subnets are:
AS131279 – Ryugyong-dong
Country North Korea
Hosted domains 13
Number of IPs 1,024