ReconShark, aimed at gaining initial access to targeted systems, is a component of previous malware used by the Kimsuky group.
May 8, 2023
North Korean cyber espionage group Kimsuky has expanded its attack arsenal with a new spear-phishing campaign that uses Microsoft OneDrive links in documents armed with malicious macros that drop novel reconnaissance malware.
Researchers at SentinelLabs observed a new campaign from the threat actor targeting staff of Korea Risk Group (KRG), an information and analysis firm specializing in matters directly and indirectly impacting the Democratic People's Republic of Korea (DPRK).
They believe the same campaign is also being used to target individuals at universities — a new victim pool for Kimsuky — as well as typical targets such as government organizations, research centers, and think tanks in North America, Europe, and Asia, they revealed in a recent blog post.
The campaign shows the longstanding APT wielding new malware dubbed ReconShark that's a component of — and thus named for — a custom malware variant called BabyShark previously used in campaigns toward the end of last year, SentinelOne's Tom Hegel and Aleksandar Milenkoski wrote in the post.
ReconShark can exfiltrate information, including deployed detection mechanisms and hardware information, that helps the group gain access to targeted networks. The researchers tie ReconShark to the earlier BabyShark malware based on overlaps in file-naming conventions, malware staging techniques, and code format.
The malware appears to be "part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses," the researchers wrote in the post.
While spear-phishing is often part of Kimsuky's modus operandi, the group is paying special attention to craft emails in the latest campaign carefully, so they don't raise suspicion, the researchers said.
"[They] are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target," the researchers wrote. "This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users."
Notably, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject, such as political scientists, the researchers said.
The campaign against KRG specifically used Microsoft OneDrive to host the malicious document — which contains macros that execute ReconShark — presented for download in the message.
For example, a lure email used in the campaign included a OneDrive shared file link to a password-protected document file named "Research Proposal-Haowen Song.doc" that contained a malicious macro for downloading the malware, they said.
Once downloaded, the main responsibility of ReconShark is to exfiltrate information about the infected platform, such as running processes, information about the battery connected to the system, and deployed endpoint threat detection mechanisms, the researchers said. The malware is similar to previous BabyShark variants in its reliance on Windows Management Instrumentation (WMI) to query process and battery information, they added.
However, ReconShark can do more than just steal data about the targeted system, the researchers said. It also can deploy further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files, they said.
"ReconShark decides what payloads to deploy depending on what detection mechanism processes run on infected machines," the researchers wrote in the post.
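The behaviour described above (an Office macro launching a script host, which then queries WMI for running processes and battery state before choosing a payload) gives defenders a concrete chain to look for in endpoint telemetry. The following is an added example written for this article, not code from SentinelLabs or from the malware itself: it correlates constructed, Sysmon-style process-creation events with WMI-query events by process ID and only raises the reconnaissance finding when the querying process was itself spawned by an Office application. The event format, the field names, the sample events and the assumption that the process and battery lookups target the `Win32_Process` and `Win32_Battery` classes are all illustrative assumptions; per-process WMI query logging is assumed to come from an EDR or WMI-Activity tracing rather than from stock Sysmon.

```python
"""Added example: correlate Office-spawned script hosts with WMI reconnaissance queries.

Not from the article or SentinelLabs. Event layout, field names and sample
data are constructed for illustration.
"""
import re

# Parent applications whose macros would launch the first stage.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts matching the VBS / HTA / batch stages the article describes.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Assumed WMI classes behind "process and battery information" (assumption).
RECON_CLASSES = {"win32_process", "win32_battery"}

# Constructed sample telemetry: one Office -> wscript chain doing WMI recon,
# one benign logon script doing a process query, and an unrelated WMI query.
SAMPLE_EVENTS = r"""
ProcessCreate|ProcessId=4412|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Users\analyst\AppData\Local\Temp\stage.vbs
WmiQuery|ProcessId=4412|Query=SELECT Name FROM Win32_Process
WmiQuery|ProcessId=4412|Query=SELECT EstimatedChargeRemaining FROM Win32_Battery
ProcessCreate|ProcessId=5120|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe logon.vbs
WmiQuery|ProcessId=5120|Query=SELECT Name FROM Win32_Process
WmiQuery|ProcessId=6001|Query=SELECT * FROM Win32_OperatingSystem
""".strip().splitlines()


def parse_event(line):
    """Turn 'Kind|Key=Value|Key=Value' into a dict with the kind under 'Event'."""
    kind, _, rest = line.partition("|")
    fields = {}
    for part in rest.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    fields["Event"] = kind.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(lines):
    """Return (rule, pid, detail) findings for the macro -> script -> WMI recon chain.

    Rule 1 fires when an Office process spawns a script host.
    Rule 2 fires only when a process flagged by rule 1 later queries WMI for
    the assumed reconnaissance classes, so benign WMI use elsewhere stays quiet.
    """
    office_spawned = {}  # pid -> (parent, child) for rule 1 hits
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["Event"] == "ProcessCreate":
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                office_spawned[ev["ProcessId"]] = (parent, child)
                findings.append(
                    ("office_spawned_script_host", ev["ProcessId"], f"{parent} -> {child}")
                )
        elif ev["Event"] == "WmiQuery":
            pid = ev.get("ProcessId")
            classes = {m.lower() for m in re.findall(r"\bWin32_\w+", ev.get("Query", ""), re.I)}
            hits = classes & RECON_CLASSES
            if hits and pid in office_spawned:
                findings.append(("macro_chain_wmi_recon", pid, ", ".join(sorted(hits))))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Keying the second rule on the process lineage rather than on the WMI query alone is the point of the example: querying `Win32_Process` is routine for administrative scripts, as the benign `logon.vbs` line shows, but a script host that was launched by Word and then enumerates processes and battery state matches the staging behaviour the article describes and is worth an alert.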
Kimsuky, also tracked as Thallium, has been on various researchers' radar screens since 2018, and its previous activity — which SentinelOne said dates back to 2012 — has been widely reported. In earlier attacks, the group mainly focused on conducting cyber espionage against research institutions, geopolitical think tanks, and — particularly during the height of the pandemic — pharmaceutical companies.
Though Kimsuky's recent activities have raised its profile among security researchers, the group appears undaunted and continues to expand its operations. In fact, the new campaign shows Kimsuky adding universities to its range of targets, which Dror Liwer, co-founder of cybersecurity company Coro, says is "worrying" due to their general lack of cybersecurity defenses and awareness programs.
"We have seen a triple-digit increase in attacks on educational institutions in the US in the last year, which is driven by a perfect storm from an attacker's perspective: Extremely valuable data, and lacking defenses," he tells Dark Reading in an email.
Overall, organizations can thwart attacks from Kimsuky and other actors' spear-phishing campaigns in general by practicing overall good email security hygiene, such as employing scanning tools to check incoming messages for suspicious activity, so they are flagged before they even reach users.
Educating employees and anyone else using an organization's email system can also help them spot malicious messages that slip through other security defenses and thus avoid compromise, experts said.
Elizabeth Montalbano, Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.