A North Korean 'scout shark' disguises itself as an office document and attacks on the sly.
North Korean group Kimsuky was recently discovered to be using a new version of its spyware called "ReconShark" in a new cyber-espionage campaign with global reach.
According to Sentinel Labs, the attackers have expanded their scope and now attack government organizations, research centers, universities and think tanks in the US, Europe and Asia.
Kimsuky is a North Korean intrusion group that has conducted cyber-espionage in the interests of its state since 2012. The group specializes in collecting information on foreign policy and national security related to the Korean Peninsula, nuclear policy and sanctions. It targets experts in various fields, think tanks and government organizations in South Korea, the US, Russia, Europe and the UN.
In March 2023, authorities in South Korea and Germany warned that Kimsuky was distributing malicious extensions for the Chrome browser that targeted Gmail accounts. The group's methods are not limited to this and also include Android spyware that acts as a remote access trojan (RAT).
Back in August 2022, Kaspersky Lab revealed another Kimsuky campaign targeting politicians, diplomats, university professors and journalists in South Korea. At that time, the attackers used a multi-stage target verification scheme to infect only those users who were of interest to them.
Kimsuky uses well-crafted, personalized phishing emails to infect its targets with the ReconShark malware. The same technique has been seen in all of the group's previous malicious operations.
The phishing emails typically contain a link to a password-protected malicious document hosted on Microsoft OneDrive. Hosting the file on third-party cloud storage minimizes the risk of detection by email security systems. When the target opens the downloaded document and enables macros as instructed, the embedded ReconShark malware is activated.
ReconShark is the next evolution of "BabyShark" malware, which has also been seen in past campaigns by APT43, another North Korean group targeting organizations in the US.
ReconShark uses WMI to collect information about the infected system and also checks if security programs are installed on the machine. The malware pays special attention to products of Kaspersky Lab, Malwarebytes, Trend Micro and Norton Security. The transmission of the collected information to the C2 server occurs directly via HTTP POST requests without saving the data locally.
“ReconShark’s ability to convey valuable information, such as detection mechanisms used and hardware characteristics, indicates that ReconShark is part of Kimsuky’s intelligence operation, which allows subsequent targeted attacks, possibly using malware specially adapted to bypass security and exploit platform vulnerabilities,” SentinelOne warned.
Another feature of ReconShark is the downloading of additional payloads from the attackers' C2 server, which can expand Kimsuky's foothold on the infected system.
“In addition to transmitting information, ReconShark deploys additional payloads in a multi-stage manner. All of them are usually implemented as scripts (VBS, HTA and Windows Batch), Microsoft Office templates with macros or DLL files. ReconShark itself decides which payloads to deploy depending on which detection engine processes are running on infected machines,” the Sentinel Labs report says.
The payload deployment step also includes editing the Windows shortcut files associated with popular programs such as Chrome, Outlook, Firefox or Edge. This lets the attackers run their malware on the victim's computer every time the user launches one of these programs.
An alternative method of establishing persistence in the system, discovered by experts, is to replace the standard Microsoft Office template "Normal.dotm" with a malicious version hosted on the attackers' C2 server. This allows the malicious code to be activated each time the user starts Microsoft Word.
Both techniques offer a covert way to penetrate deep into the target system, maintain persistence, and execute additional payloads or commands as part of a multi-stage attack.
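As an added illustration of how a defender might hunt for the two persistence techniques described above (this is example code, not from SentinelLabs or the report), the following Python snippet applies two rules to constructed file-write events: Normal.dotm rewritten by any process other than Word, and a browser or Outlook shortcut modified by a script host. The event line format, the sample events and the list of script hosts are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry) in a simple key=value line format,
# modelled loosely on what a file-write sensor emits: writing process + written path.
SAMPLE_EVENTS = [
    'image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE '
    'target=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm',
    'image=C:\\Windows\\System32\\mshta.exe '
    'target=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm',
    'image=C:\\Windows\\System32\\wscript.exe '
    'target=C:\\Users\\alice\\Desktop\\Google Chrome.lnk',
    'image=C:\\Windows\\explorer.exe '
    'target=C:\\Users\\alice\\Desktop\\Google Chrome.lnk',
    'image=C:\\Windows\\System32\\cmd.exe '
    'target=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook.lnk',
]

# Script hosts matching the staged payload types the report mentions (VBS, HTA, batch).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
# Programs whose hijacked shortcut would run the malware on every daily launch.
HIJACK_TARGETS = {"chrome", "outlook", "firefox", "edge"}
LINE_RE = re.compile(r'image=(?P<image>.+?) target=(?P<target>.+)$')


def classify(line):
    """Return a finding string for one event line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    image = PureWindowsPath(m['image']).name.lower()
    target = PureWindowsPath(m['target'])
    # Rule 1: the global Word template rewritten by anything other than Word itself.
    if target.name.lower() == 'normal.dotm' and image != 'winword.exe':
        return f'normal.dotm written by {image}'
    # Rule 2: a browser/Outlook shortcut modified by a script host rather than the shell.
    if target.suffix.lower() == '.lnk' and image in SCRIPT_HOSTS:
        if any(app in target.stem.lower() for app in HIJACK_TARGETS):
            return f'shortcut {target.name} modified by {image}'
    return None


def scan(lines):
    """Run every line through classify() and collect the findings in order."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_EVENTS):
        print('ALERT:', finding)
```

Benign writes by WINWORD.EXE and explorer.exe produce no finding, so the rules flag only the process-to-file combinations that the described techniques would leave behind.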
The level of sophistication and variability of Kimsuky's tactics blurs the line between the gang's own operations and other North Korean groups that are pursuing larger-scale malicious campaigns. Therefore, SentinelOne researchers recommend that cybersecurity organizations and professionals be extra vigilant against North Korean groups and Kimsuky in particular.