North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

SentinelLabs recently observed an ongoing campaign carried out by Kimsuky, a North Korean APT group. The targets of this campaign include North Korea-focused information services, human rights activists, and organizations supporting DPRK defectors. The main objective of the campaign is to conduct file recnnaissance and exfiltrate information using a variant of the RandomQuery malware, which enables precise subsequent attacks.

To spread the malware, Kimsuky makes use of specially crafted phishing emails to deploy RandomQuery a utilizes Microsoft Complied HTML Help (CHM) files. The phishing emails are sent to targets from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice to request the recipient to review an attached document to lure the victims to click on the malicious shortcut object.

Attack Surface:
Collection, Credential Access, Defense Evasion, Discovery, Persistence, Privilege Escalation
T1547 – Boot or Logon Autostart Execution,
T1036 – Masquerading,
T1082 – System Information Discovery,
T1115 – Clipboard Data,
T1056 – Input Capture
Indicator of Compromise:

Threat Countermeasures Procedure:

  1. Add the IOC signature into endpoint security protection as the custom threat detection rules.
  2. Ensure that all endpoints are protected by an antivirus and antimalware software that is kept up-to-date wit the latest signatures.
  3. Perform regular backups.
  4. Raise the awareness of phishing attempts


   Contributed by: ZheAn


Pulse Subscription Form


Recent Post

No posts found!

Comments are closed.