North Korean APT Group Kimsuky Shifting Attack Tactics

Cyber Security Threat Summary:
North Korean hackers belonging to the Kimsuky group are employing custom-built malware to carry out information exfiltration campaigns against organizations supporting human rights activists and North Korean defectors. The cybersecurity firm SentinelOne discovered a new variant of the RandomQuery malware, which is commonly used by the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists. The distribution of the malware is facilitated through compiled HTML (CHM) files, a tactic frequently utilized by North Korean hackers. The objective of this particular campaign is file enumeration and information exfiltration: according to SentinelOne, the variation of RandomQuery in this campaign has the "single objective of file enumeration and information exfiltration," in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.

The initial attack vector is phishing emails written in Korean sent from accounts registered at the South Korean email provider Daum. The lure document uncovered by the researchers is a CHM file stored in a password-protected archive titled "Difficulties in activities of North Korean human rights organizations and measures to vitalize them." This campaign is also tied to infrastructure that uses lesser-used top-level domains such as .space, .asia, .click and .online.

Security Officer Comments:
The use of custom-built malware by North Korean hackers demonstrates their continued efforts to enhance their cyber capabilities and target specific organizations. By focusing on entities supporting human rights activists and defectors, they aim to undermine their activities and suppress dissenting voices. The reliance on compiled HTML files as a delivery method is a well-known tactic employed by North Korean threat actors, indicating their consistent approach.

Suggested Correction(s):
To mitigate the risk of falling victim to these attacks, organizations should implement robust cybersecurity measures. These measures include training employees to identify phishing emails, especially those in Korean originating from suspicious accounts. Additionally, implementing email filters and firewalls can help detect and block malicious emails and attachments. Regular software updates and patches should be applied to protect against known vulnerabilities. Monitoring network traffic for suspicious activities and employing advanced threat detection solutions can aid in identifying and mitigating attacks.
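The email-filtering advice above can be turned into a concrete gateway rule for the delivery pattern this summary describes: a CHM lure inside a password-protected archive, mail from a free webmail provider, and links to the uncommon top-level domains named in the article. The following is an added example written for this page, not code from SentinelOne or the article; the TLD list and the CHM-in-archive pattern come from the summary, while the weights, the quarantine threshold, the FREE_MAIL_PROVIDERS set and the sample messages are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Indicators from the summary: CHM lures in password-protected archives and the
# .space/.asia/.click/.online TLDs. Weights, threshold and the provider list below
# are assumptions for this example, not values from the article.
UNCOMMON_TLDS = {"space", "asia", "click", "online"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
FREE_MAIL_PROVIDERS = {"daum.net", "hanmail.net"}  # assumed; Daum is named in the summary
QUARANTINE_THRESHOLD = 4  # assumed


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def attachment_findings(att):
    """Score one attachment. `att` is a constructed dict:
    {"name": str, "password_protected": bool, "members": [str]} where `members`
    lists the file names inside an archive (a gateway can read these from the
    archive's central directory even when the member contents are encrypted)."""
    findings = []
    ext = _ext(att["name"])
    if ext == ".chm":
        findings.append((3, f"direct CHM attachment: {att['name']}"))
    elif ext in ARCHIVE_EXTS:
        chm = [m for m in att.get("members", []) if _ext(m) == ".chm"]
        if chm:
            findings.append((3, f"archive {att['name']} contains CHM: {', '.join(chm)}"))
            if att.get("password_protected"):
                # Encryption defeats content scanning, so the combination is weighted higher.
                findings.append((2, f"CHM inside password-protected archive: {att['name']}"))
    return findings


def url_findings(urls):
    """Flag links whose host ends in one of the uncommon TLDs tied to the campaign."""
    findings = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        if tld in UNCOMMON_TLDS:
            findings.append((1, f"link to uncommon TLD .{tld}: {host}"))
    return findings


def score_message(msg):
    """Return (score, reasons, verdict) for a constructed message dict."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in FREE_MAIL_PROVIDERS:
        # Low weight on its own: free webmail is common in legitimate mail too.
        findings.append((1, f"sender on free webmail provider: {sender_domain}"))
    for att in msg.get("attachments", []):
        findings.extend(attachment_findings(att))
    findings.extend(url_findings(msg.get("urls", [])))
    score = sum(w for w, _ in findings)
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return score, [r for _, r in findings], verdict


# Constructed sample messages (not real samples from the campaign).
SAMPLE_MESSAGES = [
    {
        "from": "sender@daum.net",
        "attachments": [{"name": "NK_human_rights_report.zip", "password_protected": True,
                         "members": ["NK_human_rights_report.chm"]}],
        "urls": ["http://docs-update.space/view"],
    },
    {
        "from": "colleague@example.org",
        "attachments": [{"name": "agenda.pdf"}],
        "urls": ["https://example.org/agenda"],
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons, verdict = score_message(m)
        print(f"{m['from']}: score={score} verdict={verdict}")
        for r in reasons:
            print("  -", r)
```

The rule deliberately weights the CHM-in-encrypted-archive combination above any single indicator: a Daum sender or an unusual TLD alone is weak evidence, but an encrypted archive that the gateway cannot inspect and whose listing shows a CHM file is exactly the condition under which content scanning fails and a quarantine-for-review decision is warranted.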

Link(s):
https://www.bankinfosecurity.com/north-korean-apt-group-kimsuky-shifting-attack-tactics-a-22159