RandomQuery malware, Kimsuky’s tool to target North Korea


The advanced persistent threat (APT) group from North Korea, known as Kimsuky, has been observed employing a custom malware called RandomQuery as part of their survey and data exfiltration activities.

According to a report by SentinelOne researchers Aleksandar Milenkoski and Tom Hegel, “Kimsuky has been consistently distributing tailored malware in recent times for reconnaissance campaigns, laying the groundwork for subsequent attacks.”

Who is being targeted?

Kimsuky’s ongoing targeted campaign primarily focuses on information services and organizations that support human rights activists and North Korean defectors. Kimsuky, active since 2012, has a history of targeting organizations and individuals of strategic interest to North Korea.

In their intelligence collection missions, Kimsuky has recently employed another reconnaissance tool called ReconShark, as previously disclosed by SentinelOne earlier this month.

The most recent cluster of activities associated with the group began on May 5, 2023, utilizing a variant of RandomQuery designed explicitly for file enumeration and sensitive data exfiltration.

Methodology of attack

RandomQuery, FlowerPower, and AppleSeed are among the most frequently used tools in Kimsuky’s arsenal. The RandomQuery stealer also serves as a conduit for distributing remote access trojans such as TutRAT and xRAT.

The attacks typically start with

  • phishing emails posing as Daily NK, a reputable online publication in Seoul that covers North Korean affairs. These emails entice potential victims to open a Microsoft Compiled HTML Help (CHM) file.
  • When the CHM file is launched, a Visual Basic Script is executed, which sends an HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript variant of RandomQuery.
  • The malware then proceeds to gather system metadata, running processes, installed applications, and files from various folders, all transmitted back to the command-and-control (C2) server.

It’s important to note that CHM files have also been utilized as bait by another North Korean nation-state actor known as ScarCruft.
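As an added, defender-side example (not code from the article or from SentinelOne), the following Python sketch flags the delivery chain described above in endpoint telemetry: the Windows help viewer hh.exe spawning a script host, with the severity raised when that host also opens an outbound connection, as the second-stage HTTP retrieval would. The event records, field names and destination host are constructed assumptions, not a real log format or indicator.

```python
from dataclasses import dataclass

CHM_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

@dataclass
class ProcEvent:          # process-creation record (field names are assumed)
    pid: int
    ppid: int
    image: str            # executable base name
    cmdline: str

@dataclass
class NetEvent:           # outbound-connection record, keyed by pid
    pid: int
    dest: str
    dest_port: int

def find_chm_script_chains(procs: list[ProcEvent], nets: list[NetEvent]) -> list[dict]:
    """Flag script hosts spawned by hh.exe (the CHM viewer). Severity rises to
    'high' if that host also made an outbound connection, matching the
    second-stage HTTP retrieval step described in the article."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != CHM_VIEWER:
            continue
        if p.image.lower() not in SCRIPT_HOSTS:
            continue
        outbound = [n for n in nets if n.pid == p.pid]
        findings.append({
            "pid": p.pid,
            "chain": f"{parent.image} -> {p.image}",
            "cmdline": p.cmdline,
            "severity": "high" if outbound else "medium",
            "destinations": [f"{n.dest}:{n.dest_port}" for n in outbound],
        })
    return findings

# Constructed sample telemetry: one benign logon script run from explorer.exe,
# and a CHM viewer spawning wscript.exe that then connects to a placeholder host.
SAMPLE_PROCS = [
    ProcEvent(300, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(305, 300, "wscript.exe", r'wscript.exe "C:\Scripts\logon.vbs"'),
    ProcEvent(400, 300, "hh.exe", r'hh.exe "C:\Users\u\Downloads\DailyNK.chm"'),
    ProcEvent(410, 400, "wscript.exe", r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\stage1.vbs"'),
]
SAMPLE_NETS = [NetEvent(410, "c2.example.invalid", 80)]
```

Calling `find_chm_script_chains(SAMPLE_PROCS, SAMPLE_NETS)` returns a single high-severity finding for pid 410; the explorer-launched logon script is not flagged because its parent is not hh.exe.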

“This campaign also highlights the group’s consistent use of CHM files to deliver malware,” stated the researchers.

These incidents underscore the evolving landscape of North Korean threat groups, whose activities extend beyond political espionage to sabotage and financial threats.

These findings come shortly after the AhnLab Security Emergency Response Center (ASEC) discovered a watering hole attack by Kimsuky. The attack involves setting up a deceptive webmail system mimicking those used by national policy research institutes, in order to harvest credentials entered by unsuspecting victims.

Source: AhnLab

In a related development, Kimsuky has also been linked to attacks that exploit vulnerabilities in Windows Internet Information Services (IIS) servers to deploy the Metasploit Meterpreter post-exploitation framework, which is then used to deploy a proxy malware written in Go.

Wrap it up! Beware of APT attacks

Protecting yourself from Advanced Persistent Threat (APT) attacks is tricky, and such attacks are often hard to detect. They are carried out by skilled operators who combine sophisticated techniques with substantial resources. Prevention is only possible through a combination of proactive measures.

  • Stay updated on the latest security news, trends, and APT attack techniques.
  • Make your employees understand the significance of APT attacks and their role in safeguarding sensitive information.
  • Encourage the use of strong, unique passwords for all accounts.
  • Keep your software and systems up to date.
  • Invest in network segmentation.
  • Install Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
  • Encrypt sensitive data, both in transit and at rest.
  • Conduct regular security audits and penetration testing.
  • Invest in an Incident Response Plan.
  • Explore security collaborations.
Author: PureVPN

Date: May 24, 2023
