North Korea’s Kimsuky Group Equipped to Exploit Windows


Cybersecurity experts have uncovered a sophisticated cyber espionage campaign orchestrated by the North Korean threat actor group Kimsuky, Black Banshee, or Thallium.

This group, notorious for its intelligence-gathering missions, has been active since at least 2012.

It has primarily targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields of interest to the North Korean regime.

Their latest tactics involve exploiting Windows help files, indicating an alarming evolution in their methods to bypass modern security measures.

Evolving Tactics of Cyber Espionage

Rapid7 Labs’ continuous monitoring of threat groups has led to the discovery of Kimsuky’s updated playbook, which showcases their relentless efforts to refine their tactics, techniques, and procedures (TTPs).

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

This cat-and-mouse game between cybercriminals and defenders is a testament to the dynamic nature of cyber threats.

The group’s recent shift from weaponized Office documents and ISO files to the abuse of shortcut files (LNK files) has further evolved to the exploitation of Compiled HTML Help (CHM) files.

Initially designed for structured help documentation, these files can execute JavaScript when opened, making them a potential vehicle for malware distribution.

Anatomy of the Attack

The attack begins with identifying a target, followed by a reconnaissance phase to gain undetected access.

Kimsuky’s latest findings involve CHM files delivered through various containers, such as ISO, VHD, ZIP, or RAR files, which can bypass initial defenses and execute the CHM file.

Rapid7 Labs first identified a suspicious CHM file containing several HTML documents with Korean filenames, which, when translated, revealed topics related to North Korea’s nuclear strategy.

The first scenario in our analysis can be visualized

The CHM file, created on a Korean language Windows operating system, contained a ‘home.html’ file with a code snippet capable of executing arbitrary commands on a Windows machine using HTML and ActiveX.

CHM file contains the above files and structure
CHM file contains the above files and structure

Base64 Encoded VBScript Execution

The attack involves a multi-step process that includes echoing a Base64-encoded VBScript into a .dat file, decoding it back into a .vbs file using the certutil utility, and modifying the Windows Registry to ensure persistence.

The decoded Base64 value
The decoded Base64 value

The VBScript collects system information, running processes, recent Word files, and contents of specific folders, which are then encoded and exfiltrated to a remote server.

New Campaign Discovered

This C2 server is still active and while we have seen activity since September 2023, we also observed activity in 2024.
This C2 server is still active and while we have seen activity since September 2023, we also observed activity in 2024.

Further investigation led to more CHM files and VBS scripts with similar information-gathering code but with different Command and Control (C2) servers.

This indicates that Kimsuky is actively refining its techniques to gather intelligence from victims.

Another Approach Discovered

Hash Value
MD5 71db2ae9c36403cec1fd38864d64f239
SHA1 5c7b2705155023e6e438399d895d30bf924e0547
SHA256 e8000ddfddbe120b5f2fb3677abbad901615d1abd01a0de204fade5d2dd5ad0d
————- ——————-

Using Yara rules based on the characteristics of previously discovered CHM files, Rapid7 Labs identified additional CHM files containing .bat files and VBS scripts with hidden code.

These files, once executed, create persistence scheduled tasks, gather system information, and send it to a C2 server after encoding and zipping the data.

In this particular case, multiple .bat files and VBS scripts are present
In this particular case, multiple .bat files and VBS scripts are present

Attack Prevalence

Rapid7 Labs has confirmed targeted attacks against entities based in South Korea and attributes this campaign with moderate confidence to the Kimsuky group.

The overall flow of this attack can be simplified in this visualization
The overall flow of this attack can be simplified in this visualization

The term “moderate confidence” indicates significant evidence of similarity to past observed activities of the group, with the caveat that there is always a possibility of mimicry.

The Kimsuky group’s ability to adapt and exploit Windows help files is a stark reminder of the evolving landscape of cyber threats.

Organizations must remain vigilant and proactive in cybersecurity to protect against such sophisticated attacks. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.





Source link