Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
We Keep you Connected
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
By Tom Hegel and Aleksandar Milenkoski Kimsuky is a North Korean advanced persistent threat (APT) group with a long history of targeted attacks across the world. Current understanding of the group indicates they are primarily assigned to intelligence collection and espionage operations in support of the North Korean government since at least 2012. In 2018 the group was observed deploying a malware family dubbed BabyShark, and our latest observations indicate the group has evolved the malware with an expanded reconnaissance capability – we refer to this BabyShark component as ReconShark. Historically, Kimsuky targets have been located across countries in North America, Asia, and Europe. In the groups latest campaigns, they continue their global targeting themed around various ongoing geopolitical topics. For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine. In a recent campaign Kimsuky targeted the staff of Korea Risk Group (KRG), the information and analysis firm specializing in matters directly and indirectly impacting the Democratic People’s Republic of Korea (DPRK). We applaud KRG’s willingness to publicly share our analysis of attacks against them so the wider cybersecurity community can use this intelligence for expanded understanding of the Kimsuky threat actor and their own hunting and detection efforts. Our assessment is that the same campaign has been used to continue targeting other organizations and individuals in at least the United States, Europe, and Asia, including think tanks, research universities, and government entities. For the deployment of ReconShark, Kimsuky continues to make use of specially crafted phishing emails. Notably, the spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target. This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users. Notably, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject such as Political Scientists. In the malicious emails, Kimsuky entices the target to open a link to download a password-protected document. Most recently, they made use of Microsoft OneDrive to host the malicious document for download. For example, as used against KRG, the lure email contained the OneDrive shared file link: The file downloaded is a password protected .doc file named “Research Proposal-Haowen Song.doc” (SHA1: 86a025e282495584eabece67e4e2a43dca28e505) which contains a malicious macro (SHA1: c8f54cb73c240a1904030eb36bb2baa7db6aeb01) The lure documents Kimsuky distributes contain Microsoft Office macros that activate on document close. Based on overlaps in file naming conventions, used malware staging techniques, and code format, we assess that the macros implement a newer variant of a reconnaissance capability of the Kimsuky’s BabyShark malware seen targeting entities in the Korean peninsula towards the end of 2022. We refer to this BabyShark component as ReconShark. The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses. The main responsibility of ReconShark is to exfiltrate information about the infected platform, such as running processes, information about the battery connected to the system, and deployed endpoint threat detection mechanisms. Similar to previous BabyShark variants, ReconShark relies on Windows Management Instrumentation (WMI) to query process and battery information. ReconShark checks for the presence of a broad set of processes associated with detection mechanisms, such as ntrtscan.exe (Trend Micro OfficeScan), mbam.exe (Malwarebytes Anti-Malware), NortonSecurity.exe (Norton Security), and avpui.exe (Kaspersky Internet Security). In contrast to previous BabyShark variants, ReconShark exfiltrates information without first storing it on the filesystem – the malware stores the information it collects in string variables and then uploads them to the C2 server by issuing HTTP POST requests. In addition to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files. ReconShark decides what payloads to deploy depending on what detection mechanism processes run on infected machines. Some ReconShark strings are encrypted using a relatively simple cipher to evade static detection mechanisms. These strings are typically commands or scripts for downloading and/or executing payloads. ReconShark deploys and executes payloads in different ways. For example, the malware can directly download a payload from the C2 server using the curl utility, but also use Windows Shortcut (LNK files) or Office templates for that purpose. ReconShark edits Windows Shortcuts (LNK files) to the msedge.exe (Microsoft Edge), chrome.exe (Google Chrome), outlook.exe (Office Outlook), whale.exe (Whale browser), and firefox.exe (Mozilla Firefox) applications. When executed, these LNK files start the linked legitimate applications and execute malicious code at the same time. Further, ReconShark replaces the default %AppData%MicrosoftTemplatesNormal.dotm Office template, which opens whenever a user starts Microsoft Word, with a malicious Office template hosted at the C2 server. This effectively compromises the execution of Microsoft Word.
ReconShark edits LNK files (top) and deploys a malicious Normal.dotm Office template (bottom)
The payload staging ends with Windows Batch or VBS scripts that create the %AppData%1 file with a content of ss or sss. These files may represent markers of a successful ReconShark execution. All observed infrastructure in this campaign are hosted on a shared hosting server from NameCheap, whom we’ve already notified of this malicious activity and recommended takedowns. Kimsuky operators continually made use of LiteSpeed Web Server (LSWS) for managing the malicious functionality. Phishing emails have been observed sending from the yonsei[.]lol domain, while rfa[.]ink and mitmail[.]tech are used for command and control. The domain yonsei[.]lol has been active since December 2022, with malicious activity occurring as recently as this week. rfa[.]ink has been actively used since early February 2023, and mitmail[.]tech since mid January 2023. Kimsuky also made use of newshare[.]online as a C2 server for a short time at the end of 2022. As shown in the ReconShark macro example, beacons are made to the /bio/ directory of rfa[.]ink. During our analysis of the activity, the attacker made multiple attempts at renaming that directory, including /bio433ertgd12/ then later /bio234567890rtyui/, and a day later returning back to /bio/. This may have been an attempt to hinder research efforts, or pause the intake of new victims for unknown reasons. The IOC table below highlights each of the URL paths Kimsuky manages across each C2 domain and their specific purpose according to the execution flow in the macro. These patterns match across domains, while the directory they are placed in often varies. Attempted navigation to some paths on C2 domains are configured to redirect visitors to the legitimate Microsoft website. As with most malicious infrastructure linked to North Korean actors, we can quickly find links back to previous reporting or separate campaigns. For example, links can be found to the domains mainchksrh[.]com and com-change[.]info, with indications com-change was used in 2020-2022 credential phishing campaigns at these subdomains: The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape. Organizations and individuals need to be aware of the TTPs used by North Korea state-sponsored APTs and take necessary precautions to protect themselves against such attacks. The link between recent activity and a wider set of previously unknown activity attributed to North Korea underscores the need for continued vigilance and collaboration. Get notified when we post new content. Thanks! Keep an eye out for new content! In the era of interconnectivity, when markets, geographies, and jurisdictions merge in the melting pot of the digital domain, the perils of the threat ecosystem become unparalleled. Crimeware families achieve an unparalleled level of technical sophistication, APT groups are competing in fully-fledged cyber warfare, while once decentralized and scattered threat actors are forming adamant alliances of operating as elite corporate espionage teams. Get notified when we post new content. Thanks! Keep an eye out for new content!
Enhanced Expertise: Co-Managed services bring in specialized expertise to complement your IT team, helping them tackle complex issues and projects more effectively.
Resource Augmentation: It's not about replacing your IT department but augmenting their resources. This allows your IT team to focus on strategic initiatives while routine tasks are handled externally.
Scalability: Co-Managed services are scalable, so you can adjust the level of support as per your needs, ensuring efficient resource allocation.
Cybersecurity Boost: Co-Managed services often provide advanced cybersecurity solutions, which help protect your organization from cyber threats and vulnerabilities.
Cost-Efficiency: By outsourcing routine tasks and maintenance, your IT department can allocate resources more efficiently, potentially reducing overall IT costs.
Improved Compliance: Co-Managed services can assist with compliance management, ensuring your organization adheres to industry regulations and standards.
Risk Mitigation: Shared responsibility for IT operations means shared risk. Co-Managed services providers work alongside your IT team to minimize potential risks.
Strategic Partnerships: Partnering with experienced Co-Managed service providers can enhance your organization's reputation by showcasing a commitment to innovation and efficiency.
Faster Issue Resolution: Co-Managed services often have access to advanced tools and resources, enabling quicker problem-solving and issue resolution.
Customized Solutions: Tailored solutions mean that your IT department has more control over the services provided and can align them with your organization's specific needs.
Flexibility: Your IT team retains control and can collaborate closely with Co-Managed service providers, ensuring a seamless partnership.
Catering to All IT Issues So You Can Stay Connected Securely
The Network Company has been based in South Orange County, CA, for over 27 years and provides “Managed IT Services.” We support your company’s network, computers, software, and users; and make sure your system is always running smoothly. Our topmost priority is to ensure that your users and customers get the most from your IT investment.
GET YOUR FREE, NO-OBLIGATION NETWORK HEALTH CHECK! We know you’re so busy running your business that sometimes you may forget to think about the security and health of your computer network. In fact, many business owners do NOT perform regular IT and Security maintenance, leaving the door wide open for spyware, viruses and other malicious threats that can infect their networks. This can lead to the loss of irreplaceable business data and hours of downtime. This is where we can help with Professional IT services, no matter what industry your business is in.
We don’t want this to happen to you! We’re offering you a FREE, no-strings-attached Network Health Check, which includes an inventory of your current environment, along with recommended improvements to keep your network healthy.
What’s the catch? You must be wondering why we are willing to give this away for free. We are simply offering this Network Health Check as a risk-free way to “get to know us” while helping you identify areas of vulnerability.
How does it work? To get your free Network Health Check, simply click here to complete the online request form. After we receive your request, we will contact you to schedule a specialist to perform the assessment.
Following the assessment, you will receive a complimentary recommended action plan and estimate for correcting any existing issues.
