SentinelLabs recently observed an ongoing campaign carried out by Kimsuky, a North Korean APT group. The targets of this campaign include North Korea-focused information services, human rights activists, and organizations supporting DPRK defectors. The main objective of the campaign is to conduct file reconnaissance and exfiltrate information using a variant of the RandomQuery malware, which lets the group stage precisely targeted follow-on attacks.
To deliver RandomQuery, Kimsuky sends specially crafted phishing emails carrying Microsoft Compiled HTML Help (CHM) files. The emails are sent from an account registered at the South Korean email provider Daum, a standard Kimsuky phishing practice, and ask the recipient to review an attached document in order to lure the victim into opening the malicious shortcut object embedded in the CHM file.
Attack Surface:
Email
Tactics:
Collection, Credential Access, Defense Evasion, Discovery, Persistence, Privilege Escalation
Technique:
T1547 – Boot or Logon Autostart Execution,
T1036 – Masquerading,
T1082 – System Information Discovery,
T1115 – Clipboard Data,
T1056 – Input Capture
Indicator of Compromise:
https://otx.alienvault.com/pulse/646cda68d4a18bba1b9f8d81
Threat Countermeasures Procedure:
- Add the IOC signature into endpoint security protection as the custom threat detection rules.
- Ensure that all endpoints are protected by antivirus and antimalware software that is kept up to date with the latest signatures.
- Perform regular backups.
- Raise awareness of phishing attempts, in particular of unexpected CHM attachments and "please review the attached document" lures.
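The delivery description above and the "custom threat detection rules" countermeasure both point at the same control: triage inbound mail for CHM attachments before they reach a user. The following is an added example, not SentinelLabs code and not part of this advisory. It assumes, from the text, that the lure arrives from a daum.net account and carries a CHM file; the sender-domain list, the sample messages and the verdict labels are constructed for illustration. It relies on the CHM on-disk signature (`ITSF`) rather than on the file extension, so a CHM renamed to look like a PDF (T1036 masquerading) is still caught.

```python
"""Mail-gateway triage for the CHM lure described above.

Added example; not SentinelLabs code and not part of the advisory. Rules are
assumptions drawn from the text: the lure is sent from a daum.net account and
carries a Microsoft Compiled HTML Help (CHM) attachment. Standard library only.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CHM_MAGIC = b"ITSF"                  # first four bytes of every CHM (ITSS container) file
LURE_SENDER_DOMAINS = {"daum.net"}   # assumption: the Daum account noted in the text


def classify_attachment(filename, payload):
    """Return the list of reasons this attachment looks like the CHM lure."""
    reasons = []
    name = (filename or "").lower()
    is_chm_by_magic = payload[:4] == CHM_MAGIC
    if name.endswith(".chm"):
        reasons.append("chm-extension")
    if is_chm_by_magic:
        reasons.append("chm-magic")
    # A CHM body behind a non-.chm name is masquerading (T1036): flag it separately.
    if is_chm_by_magic and not name.endswith(".chm"):
        reasons.append("chm-extension-mismatch")
    return reasons


def triage_message(raw):
    """Parse one RFC 5322 message and return a dict with sender domain, verdict and findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings.append({"filename": part.get_filename(), "reasons": reasons})
    # Verdict: any CHM attachment is "suspicious"; a CHM from a known lure domain is "block".
    if not findings:
        verdict = "clean"
    elif sender_domain in LURE_SENDER_DOMAINS:
        verdict = "block"
    else:
        verdict = "suspicious"
    return {"sender_domain": sender_domain, "verdict": verdict, "findings": findings}


def build_sample(sender, attachments):
    """Build a constructed test message (not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "analyst@example.org"
    msg["Subject"] = "Please review the attached document"
    msg.set_content("Kindly review the attached file and reply with your comments.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: a CHM lure from a Daum address, a CHM disguised as a PDF, and a benign PDF.
LURE_EML = build_sample("reviewer@daum.net", [("Statement.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60)])
DISGUISED_EML = build_sample("someone@example.com", [("Statement.pdf", CHM_MAGIC + b"\x00" * 64)])
BENIGN_EML = build_sample("someone@example.com", [("report.pdf", b"%PDF-1.7\n" + b"\x00" * 32)])

if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("disguised", DISGUISED_EML), ("benign", BENIGN_EML)):
        print(label, triage_message(raw))
```

In a real gateway the sender-domain check is only a weak signal (Daum is a legitimate provider), so it is used here to escalate a CHM finding rather than to block on its own; the CHM magic check is the part worth keeping regardless of sender.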
Contributed by: ZheAn