Pierluigi Paganini
May 05, 2023
SentinelOne researchers observed an ongoing campaign from North Korea-linked Kimsuky Group that is using a new malware called ReconShark.
The reconnaissance tool is delivered through spear-phishing emails, OneDrive links leading to document weaponized downloads, and the execution of malicious macros.
Kimsuky cyberespionage group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. At the end of October 2020, the US-CERT published a report on Kimusky’s recent activities that provided information on their TTPs and infrastructure.
The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.
In the latest Kimsuky campaign, the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.
The threat actor recently targeted the staff of Korea Risk Group (KRG), the information and analysis firm specializing in matters directly and indirectly impacting the Democratic People’s Republic of Korea (DPRK). SentinelOne reported that the same campaign is still targeting other entities and individuals in at least the United States, Europe, and Asia, including think tanks and universities.
“For the deployment of ReconShark, Kimsuky continues to make use of specially crafted phishing emails. Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target. This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users.” reads the analysis published by SentinelOne. “Notably, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject such as Political Scientists.”
The spear-phishing messages contains links to weaponized messages hosted on OneDrive that act as a dropper for the ReconShark recon tool. The experts believe the tool is an evolution of the group’s BabyShark malware.
ReconShark allows operators to exfiltrate valuable information form the infected systems, inclusing detection mechanisms and hardware information. This information is previous to conduct subsequent targeted attacks using custom-malware specifically tailored to evade defenses deployed by the victims.
The malware can also install additional payloads from the C2. Experts reported that the attack infrastructure used in this campaigng is hosted on a shared hosting server from NameCheap. SentinelOne already notified the service provider of this malicious activity and recommended takedowns.
“The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape. Organizations and individuals need to be aware of the TTPs used by North Korea state-sponsored APTs and take necessary precautions to protect themselves against such attacks.” concludes the security firm that also shared Indicators of Compromise for this campaign. “The link between recent activity and a wider set of previously unknown activity attributed to North Korea underscores the need for continued vigilance and collaboration.”
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Kimsuky)
