Mar 24, 2024NewsroomArtificial Intelligence / Cyber Espionage

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data.

Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe.

According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.

The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past.

“While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened,” the company said.

The CHM file is propagated within an ISO, VHD, ZIP, or RAR file, opening which executes a Visual Basic Script (VBScript) to set up persistence and reach out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.

Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that employs a CHM file as a starting point to drop batch files tasked with harvesting the information and a PowerShell script to connect to the C2 server and transfer the data.

“The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims,” it said.

The development comes as Broadcom-owned Symantec revealed that the Kimsuky actors are distributing malware impersonating an application from a legitimate Korean public entity.

“Once compromised, the dropper installs an Endoor backdoor malware,” Symantec said. “This threat enables attackers to collect sensitive information from the victim or install additional malware.”

It’s worth noting that the Golang-based Endoor, alongside Troll Stealer (aka TrollAgent), has been recently deployed in connection with cyber attacks that target users downloading security programs from a Korean construction-related association’s website.

The findings also arrive amid a probe initiated by the United Nations into 58 suspected cyber attacks carried out by North Korean nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help it further develop its nuclear weapons program.

“The high volume of cyber attacks by hacking groups subordinate to the Reconnaissance General Bureau reportedly continued,” the report said. “Trends include targeting defense companies and supply chains and, increasingly, sharing infrastructure and tools.”

The Reconnaissance General Bureau (RGB) is North Korea’s primary foreign intelligence service, comprising the threat clusters widely tracked as the Lazarus Group – and its subordinate elements, Andariel and BlueNoroff – and Kimsuky.

“Kimsuky has shown interest in using generative artificial intelligence, including large language models, potentially for coding or writing phishing emails,” the report further added. “Kimsuky has been observed using ChatGPT.”

Dec 29, 2023NewsroomMalware / Cyber Threat

Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.

South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.

“A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together,” the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.

Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea’s strategic objectives.

The threat actor’s espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.

One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware which has been put to use as early as May 2019 and has been updated with an Android version as well as a new variant written in Golang called AlphaSeed.

AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.

“AlphaSeed was developed in Golang and uses chromedp for communications with the [command-and-control] server,” ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.

There is evidence to suggest the Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed on the same target system by means of a JavaScript dropper.

Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.

The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub likely used by North Korea’s information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S. and act as a revenue-generating stream for the regime and help fund its economic and security priorities.

“The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions,” the threat intelligence firm said in a report released earlier this month.

“Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled.”

North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.

The prolific and aggressive nature of the attacks points to the different ways the country has resorted in order to evade international sanctions and illegally profit from the schemes.

“People tend to think, … how could the quote-unquote ‘Hermit Kingdom’ possibly be a serious player from a cyber perspective?,” CrowdStrike’s Adam Meyers was quoted as saying to Politico. “But the reality couldn’t be further from the truth.”