Evolution of Espionage: Kimsuky's Strategic Shift in Cyber Tactics
Charles M. Walls | March 24, 2024 | Views: 238
The cyber threat landscape is witnessing a strategic evolution as Kimsuky, a notorious cyber espionage group linked to North Korea, shifts its gears towards new methods of attack. Known by several monikers such as Black Banshee, Emerald Sleet, and Springtail, this actor has honed its focus on deploying Compiled HTML Help (CHM) files as a trojan horse to smuggle in malware aimed at siphoning off sensitive information.
Having carved its niche in the cyber espionage realm since 2012, Kimsuky casts a wide net, ensnaring targets not just in its traditional hunting ground of South Korea, but also across North America, Asia, and Europe. The modus operandi of this group has been meticulously analyzed by cybersecurity experts at Rapid7, who spotlight the group's penchant for employing weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files. Recently, CHM files have joined the arsenal, serving as a conduit for malware deployment on victim machines.
Rapid7, with a moderate level of confidence, attributes this nefarious activity to Kimsuky, drawing parallels with the group's historical tactics. CHM files, originally devised for help documentation, are being twisted into instruments of cyber malfeasance. These files can execute JavaScript upon being opened, a feature malevolently exploited to launch malware attacks.
The execution chain unfolds with the CHM file being nestled within ISO, VHD, ZIP, or RAR files. Once this package is opened, a Visual Basic Script (VBScript) springs to action, establishing persistence on the host and initiating contact with a remote server. This server then dispatches a next-stage payload responsible for the collection and exfiltration of critical data.
Rapid7 sheds light on the dynamic and evolving nature of these attacks, pinpointing organizations in South Korea as the primary focus. The group has also been observed employing CHM files as the initial step in an alternate infection sequence that leads to the deployment of batch files dedicated to data harvesting, coupled with a PowerShell script to facilitate communication with the command and control (C2) server and data transfer.
This revelation coincides with findings from Symantec, a Broadcom subsidiary, which uncovers a deceptive tactic by Kimsuky actors. They are found distributing malware disguised as an application from a legitimate Korean public entity, subsequently installing Endoor backdoor malware. This threat landscape is enriched with the addition of the Golang-based Endoor and Troll Stealer malware, targeting individuals downloading security programs from a Korean construction-related association's website.
Amidst this backdrop, a United Nations probe into 58 suspected cyber attacks conducted by North Korean state actors between 2017 and 2023 has come to light. These attacks, amassing $3 billion in illegal revenue, are believed to support North Korea's nuclear ambitions. The Reconnaissance General Bureau (RGB), North Korea's premier foreign intelligence entity, which encompasses the Lazarus Group along with Kimsuky, remains at the forefront of these cyber espionage endeavors.
Kimsuky's exploration of generative artificial intelligence, including large language models for phishing emails or coding, marks a significant pivot in cyber attack methodologies, signaling a new era of digital espionage and cyber threats that the global cybersecurity community must navigate.