Kimsuky, a cyber threat group linked to North Korea and also known as Black Banshee, Emerald Sleet, or Springtail, has been seen altering its strategies. It now uses Compiled HTML Help (CHM) files as a means to deliver malware that collects sensitive data.
Active since 2012, Kimsuky is notorious for targeting organizations in South Korea, North America, Asia, and Europe. Rapid7, a cybersecurity firm, reports that the group has used weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files in its attack chains. Recently, it has also started using CHM files to deploy malware on compromised systems.
Rapid7 attributes this activity to Kimsuky with moderate confidence, based on similarities with past tactics used by the group. CHM files, originally designed for help documentation, can execute JavaScript when opened, making them a potential vector for distributing malware.
The CHM file is typically contained within an ISO, VHD, ZIP, or RAR file. When opened, it executes a Visual Basic Script (VBScript) that establishes persistence and contacts a remote server to download a next-stage payload. This payload is responsible for collecting and exfiltrating sensitive data.
The group’s modus operandi and reuse of code and tools indicate that it is actively refining its techniques and tactics to gather intelligence from its victims.
Rapid7 describes the attacks as ongoing and evolving, primarily targeting South Korean organizations. It has also identified an alternate infection sequence that uses a CHM file to drop batch files that collect information and a PowerShell script to connect to the command and control (C2) server and transfer the data. The group’s modus operandi and reuse of code and tools indicate that it is actively refining its techniques and tactics to gather intelligence from its victims.
In a related development, Symantec, owned by Broadcom, disclosed that Kimsuky actors are distributing malware that impersonates an application from a legitimate Korean public entity. Once a system is compromised, the dropper installs an Endoor backdoor malware, which allows attackers to collect sensitive information or install additional malware.
Notably, the Golang-based Endoor, along with Troll Stealer (also known as TrollAgent), has been recently used in cyberattacks targeting users downloading security programs from a Korean construction-related association’s website.
These findings come amidst a United Nations investigation into 58 suspected cyberattacks carried out by North Korean nation-state actors between 2017 and 2023. These attacks reportedly generated $3 billion in illegal revenues, which were used to further develop North Korea’s nuclear weapons program.
The report states that the high volume of cyberattacks by hacking groups subordinate to the Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service, has continued. The RGB includes the Lazarus Group and its subordinate elements, Andariel and BlueNoroff, as well as Kimsuky.
Interestingly, Kimsuky has shown interest in using generative artificial intelligence, including large language models, potentially for coding or writing phishing emails. The group has been observed using ChatGPT.
In my opinion, the shift in tactics by groups like Kimsuky underscores the evolving nature of cyber threats. It highlights the need for constant vigilance and adaptive cybersecurity strategies to counter these threats effectively.
Comments are closed