N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks
http://www.indiavpn.org/2024/03/24/n-korea-linked-kimsuky-shifts-to-compiled-html-help-files-in-ongoing-cyberattacks/

Mar 24, 2024 | Newsroom | Artificial Intelligence / Cyber Espionage


The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data.

Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe.

According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.

The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past.


“While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened,” the company said.

The CHM file is propagated within an ISO, VHD, ZIP, or RAR file. Opening it executes a Visual Basic Script (VBScript) that sets up persistence and reaches out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.

Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that employs a CHM file as a starting point to drop batch files tasked with harvesting the information and a PowerShell script to connect to the C2 server and transfer the data.

“The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims,” it said.

The development comes as Broadcom-owned Symantec revealed that the Kimsuky actors are distributing malware impersonating an application from a legitimate Korean public entity.

“Once compromised, the dropper installs an Endoor backdoor malware,” Symantec said. “This threat enables attackers to collect sensitive information from the victim or install additional malware.”

It’s worth noting that the Golang-based Endoor, alongside Troll Stealer (aka TrollAgent), has been recently deployed in connection with cyber attacks that target users downloading security programs from a Korean construction-related association’s website.


The findings also arrive amid a probe initiated by the United Nations into 58 suspected cyber attacks carried out by North Korean nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help it further develop its nuclear weapons program.

“The high volume of cyber attacks by hacking groups subordinate to the Reconnaissance General Bureau reportedly continued,” the report said. “Trends include targeting defense companies and supply chains and, increasingly, sharing infrastructure and tools.”

The Reconnaissance General Bureau (RGB) is North Korea’s primary foreign intelligence service, comprising the threat clusters widely tracked as the Lazarus Group – and its subordinate elements, Andariel and BlueNoroff – and Kimsuky.

“Kimsuky has shown interest in using generative artificial intelligence, including large language models, potentially for coding or writing phishing emails,” the report further added. “Kimsuky has been observed using ChatGPT.”

Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks
http://www.indiavpn.org/2023/12/26/russian-svr-linked-apt29-targets-jetbrains-teamcity-servers-in-ongoing-attacks/

Dec 26, 2023


Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023.

The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It’s notable for the supply chain attack targeting SolarWinds and its customers in 2020.

“The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments,” cybersecurity agencies from Poland, the U.K., and the U.S. said.

The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affected systems. It has since come under active exploitation by hacking crews, including those associated with North Korea, for malware delivery.


“The TeamCity exploitation usually resulted in code execution with high privileges granting the SVR an advantageous foothold in the network environment,” the agencies noted.

“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations.”

A successful initial access is typically followed by reconnaissance, privilege escalation, lateral movement, and data exfiltration, while simultaneously taking steps to evade detection using an open-source tool called EDRSandBlast. The end goal of the attacks is to deploy a backdoor codenamed GraphicalProton that functions as a loader to deliver additional payloads.

GraphicalProton, which is also known as VaporRage, leverages OneDrive as a primary command-and-control (C2) communication channel, with Dropbox treated as a fallback mechanism. It has been put to use by the threat actor as part of an ongoing campaign dubbed Diplomatic Orbiter that singles out diplomatic agencies across the world.

“Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities,” Microsoft said, adding it took steps to disrupt what it described as a “widespread campaign” targeting TeamCity servers by exploiting the flaw.

As many as 100 devices located across the U.S., Europe, Asia, and Australia are said to have been compromised as a result of what’s suspected to be opportunistic attacks.

Targets of the campaign include an energy trade association; firms that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT enterprises.


The disclosure comes as Microsoft revealed Russia’s multi-pronged assault on Ukraine’s agriculture sector from June through September 2023 to penetrate networks, exfiltrate data, and deploy destructive malware such as SharpWipe (aka WalnutWipe).

The intrusions have been tied back to two nation-state groups codenamed Aqua Blizzard (formerly Actinium) and Seashell Blizzard (formerly Iridium), respectively.

Seashell Blizzard has also been observed taking advantage of pirated Microsoft Office software harboring the DarkCrystalRAT (aka DCRat) backdoor to gain initial access, subsequently using it to download a second-stage payload named Shadowlink that masquerades as Microsoft Defender but, in reality, installs a TOR service for surreptitious remote access.


“Midnight Blizzard took a kitchen sink approach, using password spray, credentials acquired from third-parties, believable social engineering campaigns via Teams, and abuse of cloud services to infiltrate cloud environments,” the tech giant said.

Microsoft further highlighted a Russia-affiliated influence actor it calls Storm-1099 (aka Doppelganger) for carrying out sophisticated pro-Russia influence operations targeting international supporters of Ukraine since the spring of 2022.

Other influence efforts comprise spoofing mainstream media and deceptively editing celebrity videos shared on Cameo to propagate anti-Ukraine video content and malign President Volodymyr Zelensky by falsely claiming he suffered from substance abuse issues, underscoring continued efforts to warp global perceptions of the war.

“This campaign marks a novel approach by pro-Russia actors seeking to further the narrative in the online information space,” Microsoft said. “Russian cyber and influence operators have demonstrated adaptability throughout the war on Ukraine.”

Update

Following the publication of the story, Yaroslav Russkih, head of security at JetBrains, shared the below statement with The Hacker News –

“We were informed about this vulnerability earlier this year and immediately fixed it in TeamCity 2023.05.4 update, which was released on September 18, 2023. Since then, we have been contacting our customers directly or via public posts motivating them to update their software. We also released a dedicated security patch for organizations using older versions of TeamCity that they couldn’t upgrade in time. In addition, we have been sharing the best security practices to help our customers strengthen the security of their build pipelines. As of right now, according to the statistics we have, fewer than 2% of TeamCity instances still operate unpatched software, and we hope their owners patch them immediately. This vulnerability only affects the on-premises instances of TeamCity, while our cloud version was not impacted.”
