Kimsuky, an advanced persistent threat (APT) group from North Korea, has been observed using a custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. According to SentinelOne researchers, the attack is primarily aimed at information services and organizations that support human rights activists and North Korean defectors.
Kimsuky has been active since 2012 and has been observed using a variety of malware, including another reconnaissance program called ReconShark. The latest activity cluster associated with the group started on May 5, 2023, and uses a variant of RandomQuery designed to identify files and extract sensitive data.
RandomQuery, FlowerPower, and AppleSeed are some of the most commonly used tools in the APT group’s arsenal. The attacks begin with phishing emails containing a Microsoft Compiled HTML Help (CHM) file, which has also been used as a lure by another North Korean nation-state actor referred to as ScarCruft.
When the CHM file is opened, a Visual Basic Script is executed, which sends an HTTP GET request to a remote server to download the second-stage payload, a VBScript version of RandomQuery. The malware then collects system metadata, running processes, installed applications, and files from different folders, which are then sent back to the command-and-control (C2) server.
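The infection chain above (CHM opened, script host spawned, HTTP fetch of a second-stage VBScript) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added detection example, not code from the report or from SentinelOne; it assumes the CHM is rendered by hh.exe, the Windows HTML Help viewer, and the sample events are constructed, not real logs.

```python
"""Flag script hosts whose process ancestry includes the CHM viewer."""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
CHM_VIEWER = "hh.exe"   # assumption: hh.exe is what opens .chm lures
MAX_DEPTH = 5           # bound the ancestry walk; also guards against cyclic pids


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def find_chm_script_chains(events):
    """Return (viewer_pid, script_pid, cmdline) for every script host
    that descends (within MAX_DEPTH hops) from the CHM viewer."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        depth = 0
        while parent is not None and depth < MAX_DEPTH:
            if parent.image.lower() == CHM_VIEWER:
                hits.append((parent.pid, e.pid, e.cmdline))
                break
            parent = by_pid.get(parent.ppid)
            depth += 1
    return hits


# Constructed sample telemetry: one CHM-driven chain plus a benign logon script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "hh.exe", r"hh.exe C:\Users\u\Downloads\invite.chm"),
    ProcEvent(300, 200, "wscript.exe", r"wscript.exe //B %TEMP%\stage.vbs"),
    ProcEvent(400, 100, "cscript.exe", r"cscript.exe \\corp\netlogon\map.vbs"),
]

if __name__ == "__main__":
    for viewer_pid, script_pid, cmd in find_chm_script_chains(SAMPLE_EVENTS):
        print(f"ALERT hh.exe[{viewer_pid}] -> script host[{script_pid}]: {cmd}")
```

Pairing this parent-chain check with an outbound HTTP request from the same script-host pid, as the report describes, cuts false positives from legitimate help files that never launch a script.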
Researchers noted that Kimsuky’s consistent approach of delivering malware through CHM files shows the ever-changing landscape of North Korean threat groups, whose operations include not only political espionage but also sabotage and financial threats.
In addition, the APT group has been linked to attacks that exploit vulnerable Windows Internet Information Services (IIS) servers to deploy the Metasploit Meterpreter post-exploitation framework.
Source: Hackernews
To mitigate these potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.