A new ReconShark malware can settle in an infected system for a long time

    A North Korean "scout shark" disguises itself as Office documents and attacks on the sly.

    The North Korean group Kimsuky has been observed using a new variant of its spyware, "ReconShark", in a cyber-espionage campaign with global reach.

    According to Sentinel Labs, the attackers have expanded their scope and now attack government organizations, research centers, universities and think tanks in the US, Europe and Asia.

    Kimsuky is a North Korean state-sponsored threat group that has conducted cyber-espionage on behalf of its government since 2012. It specializes in collecting information on foreign policy and national security issues related to the Korean Peninsula, nuclear policy and sanctions. The group targets subject-matter experts, think tanks and government organizations in South Korea, the US, Russia, Europe and the UN.

    In March 2023, authorities in South Korea and Germany warned that Kimsuky was distributing malicious Chrome browser extensions that targeted Gmail accounts. The group's tooling is not limited to this; it also includes Android spyware that acts as a remote access trojan (RAT).

    Back in August 2022, Kaspersky Lab described another Kimsuky campaign targeting politicians, diplomats, university professors and journalists in South Korea. In that campaign the attackers used a multi-stage target verification scheme so that only users of interest to them were actually infected.

    Kimsuky uses carefully crafted, personalized spear-phishing emails to infect its targets with ReconShark. The same technique has been seen in all of the group's previous operations.

    The phishing emails typically contain a link to a password-protected malicious document hosted on Microsoft OneDrive. Hosting the file on a third-party cloud service, rather than attaching it, reduces the chance that email security systems will detect it. When the target opens the downloaded document and enables macros as instructed, the embedded ReconShark malware is activated.

    ReconShark is the next evolution of "BabyShark" malware, which has also been seen in past campaigns by APT43, another North Korean group targeting organizations in the US.

    ReconShark uses WMI to collect information about the infected system and also checks whether security products are installed on the machine, paying particular attention to products from Kaspersky Lab, Malwarebytes, Trend Micro and Norton Security. The collected information is sent to the C2 server directly in HTTP POST requests, without first being written to disk.
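    The behaviour just described gives a defender a concrete chain to look for on the endpoint: an Office process spawns a WMI or script host, and the same Office process then opens an outbound connection. The following is an added example, not code from the article or from SentinelOne, that correlates those two steps over telemetry. The log lines are constructed, Sysmon-style process-creation (event 1) and network-connection (event 3) records in JSON-lines form; the list of child processes treated as reconnaissance, the sample `wmic` command line and the fact that the POST comes from WINWORD.EXE itself rather than from a spawned script are assumptions made for the demo, not indicators taken from the report.

```python
"""Correlate "Office spawned WMI/script host" with "same Office process went
out to the network".  Added example; the telemetry below is constructed,
simplified Sysmon-style JSON lines, not real data or real Kimsuky IOCs."""
import json
from ntpath import basename

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed set of children worth flagging under an Office parent.
RECON_CHILDREN = {"wmic.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "powershell.exe", "cmd.exe"}

# Constructed sample telemetry (Sysmon field names, event 1 = process create,
# event 3 = network connect).  Paths use JSON-escaped backslashes.
SAMPLE_LOG = r"""
{"EventID": 1, "UtcTime": "2023-05-04 09:12:01", "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentProcessId": 3000, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\bob\\Downloads\\invitation.doc\""}
{"EventID": 1, "UtcTime": "2023-05-04 09:12:09", "ProcessId": 4388, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentProcessId": 4120, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "wmic process get Name,ExecutablePath"}
{"EventID": 3, "UtcTime": "2023-05-04 09:12:11", "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Protocol": "tcp"}
{"EventID": 1, "UtcTime": "2023-05-04 09:20:00", "ProcessId": 5000, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentProcessId": 3000, "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 3, "UtcTime": "2023-05-04 09:21:00", "ProcessId": 5100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.20", "DestinationPort": 443, "Protocol": "tcp"}
"""


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return basename(path).lower()


def detect(log_text: str) -> list:
    """Return (severity, message) alerts for the macro-recon-then-exfil chain.

    Stage 1 (medium): an Office process spawns a WMI or script host.
    Stage 2 (high):   that same Office process later initiates a network
                      connection.  Keyed on ProcessId, so the order of events
                      matters, as it does in the real chain."""
    alerts = []
    recon_office_pids = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] == 1:
            parent, child = _exe(ev["ParentImage"]), _exe(ev["Image"])
            if parent in OFFICE and child in RECON_CHILDREN:
                recon_office_pids.add(ev["ParentProcessId"])
                alerts.append(("medium", f"{parent} (pid {ev['ParentProcessId']}) "
                                         f"spawned {child}: {ev['CommandLine']}"))
        elif ev["EventID"] == 3:
            proc = _exe(ev["Image"])
            if proc in OFFICE and ev["ProcessId"] in recon_office_pids:
                alerts.append(("high", f"{proc} (pid {ev['ProcessId']}) connected to "
                                       f"{ev['DestinationIp']}:{ev['DestinationPort']} "
                                       f"after spawning a WMI/script child"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

    Word talking to the network on its own is common (templates, licensing, SharePoint), which is why the example only escalates to high when the network event follows a suspicious child process from the same PID; a production rule would also want the parent chain for the script host and the destination reputation.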

    “ReconShark’s ability to convey valuable information, such as detection mechanisms used and hardware characteristics, indicates that ReconShark is part of Kimsuky’s intelligence operation, which allows subsequent targeted attacks, possibly using malware specially adapted to bypass security and exploit platform vulnerabilities,” SentinelOne warned.

    ReconShark can also download additional payloads from the attackers' C2 server, extending Kimsuky's foothold on the infected system.

    “In addition to transmitting information, ReconShark deploys additional payloads in a multi-stage manner. All of them are usually implemented as scripts (VBS, HTA and Windows Batch), Microsoft Office templates with macros or DLL files. ReconShark itself decides which payloads to deploy depending on which detection engine processes are running on infected machines,” the Sentinel Labs report says.

    The payload deployment step also includes editing the Windows shortcut (.lnk) files of popular programs such as Chrome, Outlook, Firefox or Edge. This gives the attackers code execution on the victim's machine every time the user launches one of these programs.

    An alternative persistence method observed by the researchers is replacing the default Microsoft Office template "Normal.dotm" with a malicious version fetched from the attackers' C2 server, so that the malicious code runs each time the user starts Microsoft Word.

    Both techniques offer a covert way to penetrate deep into the target system, maintain persistence, and execute additional payloads or commands as part of a multi-stage attack.
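    Both persistence techniques leave artifacts that can be audited offline. The following is an added example, not code from the article or from SentinelOne, that does two things: it parses the header and StringData section of a Windows Shell Link (.lnk) file according to the MS-SHLLINK layout, so a browser or mail-client shortcut's relative target and command-line arguments can be compared with what they should be, and it checks whether an Office template such as Normal.dotm carries a VBA project (the `word/vbaProject.bin` part inside the OOXML zip). The sample shortcut and template are constructed in memory; the "hijacked" argument string and the list of script-launcher keywords are assumptions for the demo, not Kimsuky's actual payload.

```python
"""Audit the two persistence artifacts described above.  Added example;
the .lnk bytes and the .dotm zip are constructed in memory for the demo."""
import io
import struct
import zipfile

# MS-SHLLINK: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
# Assumed keywords that should never appear in a browser/mail shortcut's arguments.
SCRIPT_HINTS = ("wscript", "cscript", "mshta", "cmd.exe", "powershell",
                ".vbs", ".hta", ".bat", ".js")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, arguments, ...) of a .lnk."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                        # end of ShellLinkHeader
    if flags & HAS_IDLIST:                          # u16 IDListSize + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                        # u32 LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (no IDList, no LinkInfo) for the demo."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(76 - len(header))               # zero the remaining header fields
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


def audit_shortcut(data: bytes, expected_exe: str) -> list:
    """Findings for a shortcut that should launch expected_exe with no script arguments."""
    f = parse_lnk(data)
    findings = []
    target = (f.get("relative_path") or "").lower()
    if expected_exe.lower() not in target:
        findings.append(f"target {target!r} is not {expected_exe}")
    args = f.get("arguments", "")
    if any(h in args.lower() for h in SCRIPT_HINTS):
        findings.append(f"arguments launch a script: {args!r}")
    return findings


def dotm_has_macros(blob: bytes) -> bool:
    """True if an OOXML Word template carries a VBA project (i.e. macros)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())


def build_dotm(with_macros: bool) -> bytes:
    """Constructed stand-in for Normal.dotm containing only the parts checked here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic, stand-in
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_lnk(r"..\..\Program Files\Google\Chrome\Application\chrome.exe", "")
    hijacked = build_lnk(r"..\..\Windows\System32\cmd.exe",
                         r'/c start "" wscript.exe C:\Users\Public\up.vbs & start chrome.exe')
    print("clean:", audit_shortcut(clean, "chrome.exe"))
    print("hijacked:", audit_shortcut(hijacked, "chrome.exe"))
    print("Normal.dotm has macros:", dotm_has_macros(build_dotm(True)))
```

    On a real host the shortcuts to check live in the Desktop, Start Menu and taskbar pinned folders, and the user's Normal.dotm is under `%APPDATA%\Microsoft\Templates`; a stock Normal.dotm has no `vbaProject.bin` part, so its presence there is worth explaining. The parser above only skips the LinkInfo block, whereas a full audit should also decode LinkInfo's LocalBasePath, since an attacker can leave the relative path untouched and change only the absolute target.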

    The sophistication and variability of Kimsuky's tactics blur the line between the group's own operations and those of other North Korean groups running larger-scale campaigns. SentinelOne's researchers therefore recommend that security organizations and professionals remain especially vigilant against North Korean groups, and Kimsuky in particular.

    Author DeepWeb