A new ReconShark malware can settle in an infected system for a long time

    A North Korean 'scout shark' disguises itself as office documents and attacks on the sly.

    North Korean group Kimsuky was recently discovered to be using a new version of its spyware called "ReconShark" in a new cyber-espionage campaign with global reach.

    According to Sentinel Labs, the attackers have expanded their scope and now attack government organizations, research centers, universities and think tanks in the US, Europe and Asia.

    Kimsuky is a cyber-intruder group from North Korea that has been engaged in cyber-espionage in the interests of its state since 2012. It specializes in collecting information on foreign policy and national security related to the Korean Peninsula, nuclear policy and sanctions. The group targets experts in various fields, think tanks and government organizations in South Korea, the US, Russia, Europe and the UN.

    In March 2023, authorities in South Korea and Germany warned that Kimsuky was distributing malicious extensions for the Chrome browser that targeted Gmail accounts. The group's methods are not limited to this and also include Android spyware that acts as a remote access trojan (RAT).

    Back in August 2022, Kaspersky Lab revealed another Kimsuky campaign targeting politicians, diplomats, university professors and journalists in South Korea. At that time, digital villains used a multi-stage target verification scheme to infect only those users who were of interest to them.

    Kimsuky uses well-designed and personalized phishing emails to infect its targets with the ReconShark malware. This technique has also been seen in all of the group's previous malicious operations.

    Phishing emails typically contain a link to a password-protected malicious document hosted on Microsoft OneDrive. Placing the file on third-party cloud storage minimizes the risk of being detected by email security systems. When the target opens the downloaded document and enables macros as instructed, the embedded ReconShark malware is activated.

    ReconShark is the next evolution of "BabyShark" malware, which has also been seen in past campaigns by APT43, another North Korean group targeting organizations in the US.

    ReconShark uses WMI to collect information about the infected system and also checks if security programs are installed on the machine. The malware pays special attention to products of Kaspersky Lab, Malwarebytes, Trend Micro and Norton Security. The transmission of the collected information to the C2 server occurs directly via HTTP POST requests without saving the data locally.

    “ReconShark’s ability to convey valuable information, such as detection mechanisms used and hardware characteristics, indicates that ReconShark is part of Kimsuky’s intelligence operation, which allows subsequent targeted attacks, possibly using malware specially adapted to bypass security and exploit platform vulnerabilities,” SentinelOne warned.

    Another feature of ReconShark is the download of additional payloads from the attacker's C2 server, which can increase the presence of Kimsuky on the infected system.

    “In addition to transmitting information, ReconShark deploys additional payloads in a multi-stage manner. All of them are usually implemented as scripts (VBS, HTA and Windows Batch), Microsoft Office templates with macros or DLL files. ReconShark itself decides which payloads to deploy depending on which detection engine processes are running on infected machines,” the Sentinel Labs report says.

    The payload deployment step also includes editing Windows shortcut files associated with popular programs such as Chrome, Outlook, Firefox, or Edge. This method allows cybercriminals to run malware on the victim's computer every time the user launches one of these programs.

    An alternative method of establishing persistence in the system, discovered by experts, is to replace the standard Microsoft Office template "Normal.dotm" with a malicious version hosted on the attackers' C2 server. This allows the malicious code to be activated each time the user starts Microsoft Word.

    Both techniques offer a covert way to penetrate deep into the target system, maintain persistence, and execute additional payloads or commands as part of a multi-stage attack.
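    The two persistence techniques described above (rewritten browser/Outlook shortcuts and a replaced Normal.dotm template), together with the macro-launched script stage mentioned earlier, all leave file-write and process-creation traces that endpoint telemetry records. The following Python triage script is an added example written for this page; it is not Kimsuky tooling and not SentinelOne's detection content. The event lines are constructed, and their "kind|image|parent|target" layout is an assumption standing in for real EDR or Sysmon fields.

```python
"""Triage constructed endpoint events for the persistence patterns described
in the article: tampered browser/Outlook shortcuts, a replaced Normal.dotm,
and an Office application spawning a script host."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry). Layout: kind|image|parent|target
SAMPLE_EVENTS = [
    # Benign: an installer writing a Start Menu shortcut.
    "FileWrite|msiexec.exe|services.exe|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Google Chrome.lnk",
    # Suspicious: a script host rewriting the user's Chrome shortcut.
    "FileWrite|wscript.exe|winword.exe|C:\\Users\\alice\\Desktop\\Google Chrome.lnk",
    # Suspicious: something other than Word replacing the global template.
    "FileWrite|wscript.exe|winword.exe|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    # Benign: Word itself saving Normal.dotm, which it does routinely.
    "FileWrite|winword.exe|explorer.exe|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    # Suspicious: Word spawning an HTA host (a macro-launched stage).
    "ProcessCreate|mshta.exe|winword.exe|mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.hta",
    # Benign: user starting Chrome from Explorer.
    "ProcessCreate|chrome.exe|explorer.exe|\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"",
]

# Script hosts and Office binaries named in the article's payload description.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Shortcuts for the programs the article says were edited.
WATCHED_SHORTCUTS = re.compile(r"(chrome|outlook|firefox|edge)[^\\]*\.lnk$", re.IGNORECASE)
NORMAL_DOTM = re.compile(r"\\Templates\\Normal\.dotm$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its four fields."""
    kind, image, parent, target = line.split("|", 3)
    return {"kind": kind, "image": image.lower(), "parent": parent.lower(), "target": target}


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None when it looks benign."""
    if ev["kind"] == "FileWrite":
        # A script host or Office app rewriting a watched .lnk is not how installers behave.
        if WATCHED_SHORTCUTS.search(ev["target"]) and ev["image"] in SCRIPT_HOSTS | OFFICE_APPS:
            return "shortcut-tampering"
        # Word writes Normal.dotm legitimately; anything else doing so is suspect.
        if NORMAL_DOTM.search(ev["target"]) and ev["image"] != "winword.exe":
            return "normal-dotm-replaced"
    elif ev["kind"] == "ProcessCreate":
        # Office parent plus script-host child matches the macro stage described.
        if ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
            return "office-spawned-script-host"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classify() over every line and collect (label, target) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append((label, ev["target"]))
    return findings


if __name__ == "__main__":
    for label, target in triage(SAMPLE_EVENTS):
        print(f"{label:28s} {target}")
```

    Note the deliberate exception for winword.exe writing Normal.dotm: Word saves that template itself, so a rule that alerts on every write to it drowns in noise. The script only flags the write event; in a real investigation the flagged .lnk would still need its target and arguments compared against the expected program path, and the flagged Normal.dotm inspected for macro content.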

    The level of sophistication and variability of Kimsuky's tactics blurs the line between the gang's own operations and other North Korean groups that are pursuing larger-scale malicious campaigns. Therefore, SentinelOne researchers recommend that cybersecurity organizations and professionals be extra vigilant against North Korean groups and Kimsuky in particular.

    Author DeepWeb