Kimsuky, a state-sponsored threat group from North Korea, has been found using a new reconnaissance tool called ReconShark in its ongoing global campaign. This new tool is part of the group's evolving tactics to gain a foothold on compromised hosts, establish persistence, and stealthily gather intelligence for extended periods of time.
SentinelOne researchers Tom Hegel and Aleksandar Milenkoski report that “ReconShark” is actively delivered to targeted individuals via spear-phishing emails, OneDrive links that lead to document downloads, and the execution of malicious macros. The malware is designed to exfiltrate system information to a command-and-control (C2) server, maintain persistence on the system, and wait for further instruction from the operator.
Kimsuky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is a state-sponsored threat group from North Korea. Since at least 2012, the group has been known for targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe. The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferation to trigger the infection sequence.
The spear-phishing emails are crafted to a level of quality tailored to specific individuals, increasing the likelihood that the target opens them. The messages contain links to booby-trapped Microsoft Word documents hosted on OneDrive that deploy ReconShark, which functions primarily as a reconnaissance tool executing instructions sent from an actor-controlled server. ReconShark is also an evolution of the threat actor's BabyShark malware toolset. BabyShark was itself reported as a newly discovered malware family, with the earliest sample observed in November 2018. The malicious documents used to distribute BabyShark were written in English and focused on regional security issues in Northeast Asia.
ReconShark exfiltrates details about running processes, deployed detection mechanisms, and hardware information, suggesting that data gathered by the tool is used to carry out "precision attacks" involving malware tailored to the targeted environment in a manner that sidesteps detection. The malware is also capable of deploying additional payloads from the server based on which detection-mechanism processes are running on the infected machine. Furthermore, ReconShark does not save the harvested information to the file system, instead storing the data in string variables and uploading it to the C2 server via HTTP POST requests.
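The infection chain described above (a macro-enabled Word document from OneDrive leading to a child process that POSTs collected data to a C2 server) can be surfaced in endpoint telemetry by correlating process lineage with outbound connections. The following is an added example, not code from the article or from SentinelOne; the event format, process names, and destinations are constructed and simplified Sysmon-style records, not indicators from the report.

```python
# Added example: flag HTTP POSTs made by any process descended from an Office
# application. Telemetry below is constructed (Sysmon-style, simplified), and
# the child-process names are assumptions, not indicators from the article.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

EVENTS = [  # constructed sample telemetry
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "network", "pid": 200, "dest": "onedrive.live.com", "method": "GET"},  # lure download
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WScript.exe"},
    {"type": "network", "pid": 400, "dest": "c2.example.invalid", "method": "POST"},  # recon upload
    {"type": "process", "pid": 500, "ppid": 100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"type": "network", "pid": 500, "dest": "www.example.com", "method": "POST"},  # benign browser POST
]


def build_tree(events):
    """Map pid -> ppid and pid -> upper-cased image file name from process-create events."""
    parent, image = {}, {}
    for e in events:
        if e["type"] == "process":
            parent[e["pid"]] = e["ppid"]
            image[e["pid"]] = e["image"].rsplit("\\", 1)[-1].upper()
    return parent, image


def office_ancestor(pid, parent, image):
    """Walk up the tree from pid's parent; return the first Office ancestor's name, or None."""
    seen, cur = set(), parent.get(pid)
    while cur is not None and cur not in seen:  # seen-set guards against pid reuse loops
        seen.add(cur)
        if image.get(cur) in OFFICE_APPS:
            return image[cur]
        cur = parent.get(cur)
    return None


def find_office_spawned_posts(events):
    """Return (office_app, posting_process, destination) for every POST by an Office descendant."""
    parent, image = build_tree(events)
    alerts = []
    for e in events:
        if e["type"] == "network" and e["method"] == "POST":
            ancestor = office_ancestor(e["pid"], parent, image)
            if ancestor:
                alerts.append((ancestor, image.get(e["pid"]), e["dest"]))
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_posts(EVENTS):
        print("ALERT: %s -> %s POST to %s" % alert)
```

Word's own GET to OneDrive and the browser's POST are not flagged; only the POST from the process spawned under WINWORD.EXE is reported.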
The ongoing attacks from Kimsuky and their use of the new reconnaissance tool, ReconShark, highlight the evolving nature of the North Korean threat landscape. As such, it is crucial for organizations to remain vigilant and take appropriate security measures to prevent these types of attacks.
Organizations should educate their employees on the risks of spear-phishing emails, and implement security measures such as anti-phishing filters and endpoint protection solutions to detect and prevent attacks. Additionally, regular security training and testing should be conducted to ensure that employees are aware of the latest threats and how to respond appropriately. Finally, organizations should keep their security solutions up to date and perform regular security assessments to identify and address any vulnerabilities in their systems.
Are you concerned about your organization's cyber security? Armoryze offers a FREE cyber security assessment to help you identify any potential vulnerabilities and implement the right security solutions. Schedule your FREE cyber security assessment today.