SentinelLabs recently observed an ongoing campaign carried out by Kimsuky, a North Korean APT group. The targets of this campaign include North Korea-focused information services, human rights activists, and organizations supporting DPRK defectors. The main objective of the campaign is to conduct file recnnaissance and exfiltrate information using a variant of the RandomQuery malware, which enables precise subsequent attacks.

To spread the malware, Kimsuky makes use of specially crafted phishing emails to deploy RandomQuery a utilizes Microsoft Complied HTML Help (CHM) files. The phishing emails are sent to targets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice to request the recipient to review an attached document to lure the victims to click on the malicious shortcut object.

Attack Surface:
Email
Tactics:
Collection, Credential Access, Defense Evasion, Discovery, Persistence, Privilege Escalation
Technique:
T1547 – Boot or Logon Autostart Execution,
T1036 – Masquerading,
T1082 – System Information Discovery,
T1115 – Clipboard Data,
T1056 – Input Capture
Indicator of Compromise:
https://otx.alienvault.com/pulse/646cda68d4a18bba1b9f8d81

Threat Countermeasures Procedure:

1. Add the IOC signature into endpoint security protection as the custom threat detection rules.
2. Ensure that all endpoints are protected by an antivirus and antimalware software that is kept up-to-date wit the latest signatures.
3. Perform regular backups.
4. Raise the awareness of phishing attempts

   Contributed by: ZheAn