The North Korea-linked threat actor known as Kimsuky (also tracked as Black Banshee, Emerald Sleet, or Springtail) has been observed shifting tactics, leveraging compiled HTML Help (CHM) files as a vector for delivering malware that harvests sensitive data.
Kimsuky has been active since at least 2012 and is known to target organizations in South Korea as well as North America, Asia, and Europe.
According to Rapid7, the attack chains leverage weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.
The cybersecurity firm attributed the activity to Kimsuky with some confidence, citing similarities with tradecraft the group has used in the past.
“CHM files were originally designed for help documentation, but because they can execute JavaScript when opened, they have also been used for malicious purposes such as distributing malware,” the company said.
The CHM file is delivered inside an ISO, VHD, ZIP, or RAR container; opening it executes a Visual Basic Script (VBScript) that sets up persistence and reaches out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.
Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that uses a CHM file as the starting point to drop batch files that collect information, followed by a PowerShell script that connects to the C2 server and transfers the data.
“The modus operandi and reuse of code and tools indicates that the attackers are actively using and refining/re-engineering their techniques and tactics to collect information from their victims,” the report said.
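The observable that ties both infection sequences above together is process lineage: Windows opens a CHM with hh.exe (the HTML Help executable), so the embedded script's VBScript, batch and PowerShell stages all descend from an hh.exe process. The following detection logic is an added example written for this page, not code from Rapid7 or the original article. It assumes Sysmon-style process-creation events flattened to dictionaries with ProcessGuid, ParentProcessGuid, ParentImage, Image and CommandLine fields, walks the ancestry chain rather than only the direct parent (so an hh.exe -> cmd.exe -> wscript.exe -> powershell.exe chain is caught at every hop), and runs over constructed sample events rather than real telemetry.

```python
"""Flag script interpreters whose ancestry includes hh.exe (the CHM handler).

Added example for this page; not part of the original report. Field names
follow Sysmon Event ID 1 conventions (assumption). Sample events below are
constructed, not captured telemetry.
"""
from typing import Iterable

# Interpreters that a script embedded in a CHM would plausibly launch to run
# the VBScript, batch and PowerShell stages described in the article.
SCRIPT_HOSTS = {
    "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
CHM_HANDLER = "hh.exe"   # Windows HTML Help executable that opens .chm files
MAX_DEPTH = 4            # how many ancestor hops to inspect


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chm_ancestor_depth(event: dict, by_guid: dict) -> int:
    """Return the number of hops up to the nearest hh.exe ancestor, or -1.

    by_guid maps ProcessGuid -> event so the chain can be followed even when
    the direct parent is an intermediate cmd.exe or wscript.exe.
    """
    depth = 0
    seen: set[str] = set()
    guid = event.get("ParentProcessGuid")
    while guid and guid in by_guid and depth < MAX_DEPTH and guid not in seen:
        seen.add(guid)
        depth += 1
        parent = by_guid[guid]
        if _basename(parent.get("Image", "")) == CHM_HANDLER:
            return depth
        guid = parent.get("ParentProcessGuid")
    return -1


def find_chm_spawned_interpreters(events: Iterable[dict]) -> list[tuple[str, int]]:
    """Return (ProcessGuid, hops-to-hh.exe) for every script host with an hh.exe ancestor."""
    events = list(events)
    by_guid = {e["ProcessGuid"]: e for e in events if "ProcessGuid" in e}
    hits = []
    for e in events:
        if _basename(e.get("Image", "")) not in SCRIPT_HOSTS:
            continue
        depth = chm_ancestor_depth(e, by_guid)
        if depth > 0:
            hits.append((e["ProcessGuid"], depth))
    return hits


# Constructed sample events (hypothetical paths and GUIDs, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\notice.chm'},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /min wscript.exe %TEMP%\stage.vbs"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -w hidden -f collect.ps1"},
    # Benign: an interactive shell and a script it runs, with no hh.exe ancestor.
    {"ProcessGuid": "g5", "ParentProcessGuid": "g0",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for guid, hops in find_chm_spawned_interpreters(SAMPLE_EVENTS):
        print(f"{guid}: script host {hops} hop(s) below hh.exe")
```

Ancestry is bounded by MAX_DEPTH and a visited set so a malformed or looping GUID chain cannot hang the scan. Because legitimate help files rarely need to spawn any interpreter, an hh.exe ancestor for cmd.exe, wscript.exe or powershell.exe is a high-signal rule; tuning is mostly a matter of excluding known software whose help system genuinely shells out.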
The development comes after Broadcom-owned Symantec revealed that Kimsuky attackers were distributing malware that masqueraded as legitimate public sector applications in South Korea.
“Once the dropper is executed, the Endoor backdoor malware is installed,” Symantec said. “This threat allows the attacker to collect sensitive information from the victim or install additional malware.”
It is worth noting that the Golang-based Endoor, along with Troll Stealer (also known as TrollAgent), was recently put to use in a cyberattack targeting users who downloaded security programs from the website of a South Korean construction association.
The findings also follow the United Nations' announcement that it is investigating 58 suspected cyberattacks carried out by North Korean nation-state actors between 2017 and 2023, which netted about $3 billion in illegal proceeds used to help further develop the country's nuclear weapons program.
“The high volume of cyberattacks by hacking groups subordinate to the Reconnaissance General Bureau reportedly continues,” the report states. “Trends include targeting defense companies and supply chains, and increasingly sharing infrastructure and tools.”
The Reconnaissance General Bureau (RGB) is North Korea's main foreign intelligence agency and comprises the widely tracked threat clusters known as the Lazarus Group, its sub-groups Andariel and BlueNoroff, and Kimsuky.
“Kimsuky has also expressed interest in using generative artificial intelligence, including large language models, to write code and create phishing emails,” the report added. “Kimsuky was observed using ChatGPT.”