The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation.
“Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.
The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors.
Kimsuky, active since 2012, has exhibited targeting patterns that align with North Korea’s operational mandates and priorities.
The intelligence collection missions have involved the use of a diverse set of malware, including another reconnaissance program called ReconShark, as detailed by SentinelOne earlier this month.
The latest activity cluster associated with the group commenced on May 5, 2023, and leverages a variant of RandomQuery that’s specifically designed to enumerate files and siphon sensitive data.
RandomQuery, alongside FlowerPower and AppleSeed, are among the most frequently distributed tools in Kimsuky’s arsenal, with the former functioning as an information stealer and a conduit for distributing remote access trojans like TutRAT and xRAT.
The attacks begin with phishing emails that purport to be from Daily NK, a prominent Seoul-based online publication that covers North Korean affairs, to entice potential targets into opening a Microsoft Compiled HTML Help (CHM) file.
It’s worth noting at this stage that CHM files have also been adopted as a lure by a different North Korean nation-state actor referred to as ScarCruft.
Launching the CHM file leads to the execution of a Visual Basic Script that issues a HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript flavor of RandomQuery.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!
The malware then proceeds to harvest system metadata, running processes, installed applications, and files from different folders, all of which are transmitted back to the command-and-control (C2) server.
“This campaign also demonstrates the group’s consistent approach of delivering malware through CHM files,” the researchers said.
“These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats.”
The findings arrive days after the AhnLab Security Emergency response Center (ASEC) uncovered a watering hole attack mounted by Kimsuky that entails setting up a lookalike webmail system used by national policy research institutes to harvest credentials entered by victims.
In a related development, Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers to drop the Metasploit Meterpreter post-exploitation framework, which is then used to deploy a Go-based proxy malware.
