North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky, has been found to be using a new malware tool named ReconShark in its most recent campaign. The tool is a reconnaissance instrument that is disseminated through spear-phishing emails, OneDrive links to document weaponized downloads, and the execution of malicious macros.
The group, also known as ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, was first observed by Kaspersky researcher in 2013. Kimsuky has been observed to mainly target think tanks and organizations in South Korea, with other victims being in the United States, Europe, and Russia.
In the most recent campaign, the group targeted nuclear agendas between China and North Korea, which is relevant to the ongoing war between Russia and Ukraine.
ReconShark is believed to be an evolution of Kimsuky’s BabyShark malware, and its use allows the group to extract valuable information from infected systems, including detection mechanisms and hardware information. This information is then used to launch subsequent targeted attacks using custom-malware that is specifically designed to evade defenses deployed by the victim.
The tool can also install additional payloads from the command-and-control (C2). The campaign’s attack infrastructure is hosted on a shared hosting server from NameCheap, and SentinelOne has notified the service provider of the malicious activity and recommended takedowns.
The spear-phishing emails containing links to weaponized messages hosted on OneDrive act as a dropper for the ReconShark recon tool. The experts believe that the spear-phishing emails have a high design quality, tailored to specific individuals, making it more likely that the targets will open them. The targeted emails also abuse the names of real individuals whose expertise is relevant to the lure subject, such as Political Scientists.
The experts from SentinelOne believe that the ongoing attacks from Kimsuky, and their use of the new reconnaissance tool, highlight the changing nature of the North Korean threat landscape. The security firm has recommended that organizations and individuals familiarize themselves with the Tactics, Techniques, and Procedures (TTPs) used by North Korea state-sponsored APTs and take the necessary precautions to protect themselves against such attacks.
The link between recent activity and a wider set of previously unknown activity attributed to North Korea underlines the need for continued vigilance and collaboration.
