The North Korea-associated threat actor Kimsuky, also known as Black Banshee, Emerald Sleet, or Springtail, has been observed altering its strategies by utilizing Compiled HTML Help (CHM) files to distribute malware for the purpose of harvesting sensitive data. Active since at least 2012, Kimsuky has been known to target entities in South Korea, North America, Asia, and Europe. Rapid7 has reported that the attack chains deployed weaponized Microsoft Office documents, ISO files, Windows shortcut (LNK) files, and CHM files to deploy malware on compromised hosts, attributing the activity to Kimsuky with moderate confidence.
This shift in tactics raises concerns, especially as the CHM files can execute JavaScript when opened, presenting an avenue for malicious activities. Rapid7 has described the attacks as ongoing and evolving, with Kimsuky actively using and refining its techniques and tactics to gather intelligence from victims.
Moreover, Symantec has identified the distribution of malware by Kimsuky actors, including an Endoor backdoor malware that enables the collection of sensitive information from victims or installing additional malware. These developments coincide with a probe initiated by the United Nations into 58 suspected cyber attacks by North Korean nation-state actors between 2017 and 2023, leading to $3 billion in illegal revenues for furthering the country’s nuclear weapons program. The cyber threat landscape continues to evolve with Kimsuky’s interest in using generative artificial intelligence, including large language models, and its utilization of ChatGPT.
