Kimsuky Attacks: Nukes as Bait for Cyberspies

According to a report by Rapid7, the North Korean group Kimsuky has launched a new campaign that uses decoy files themed on a nuclear threat to deliver malware.

The campaign aims to gather intelligence on foreign policy, national security, nuclear capabilities, and sanctions relating to the Korean Peninsula. The targets are government agencies and think tanks in South Korea, with the operation expected to expand to the United States and Europe.

Researchers observed that Kimsuky has updated its tooling and now uses HTML files on nuclear-weapons topics as lures, with titles such as “The model of the escalation of the nuclear crisis in North Korea and the factors that determine the use of nuclear weapons.html” and “factors and types of use of Northern Korea of nuclear weapons.html.”

Some of these lures are Compiled HTML Help (CHM) files, and they are delivered to victims inside ISO, ZIP, RAR, or VHD containers so that the payload gets past initial security controls.

The CHM format, developed by Microsoft, bundles a set of HTML pages with a table of contents and full-text search, which made it a common format for software documentation. The same design lets a help file carry script and shortcut objects that run when it is opened, and that is what attackers abuse.
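To make the abuse concrete, here is an added triage script (not code from Rapid7's report or from the campaign) that scans the HTML pages recovered from a CHM for the HTML Help ActiveX control's "ShortCut" command, the mechanism that lets a help page launch an arbitrary program, and for script that clicks it automatically on open. It assumes the CHM has already been decompiled with `hh.exe -decompile <outdir> lure.chm` or extracted with 7-Zip; the lure and benign pages embedded below are constructed for illustration.

```python
"""Static triage of decompiled CHM pages for the HTML Help "ShortCut" abuse.

Added example for this article; not code from Rapid7 or from the campaign.
Run it over the .htm/.html files produced by `hh.exe -decompile <outdir> lure.chm`
(or `7z x lure.chm`); it does not parse the compressed ITSF container itself.
"""
import re
from dataclasses import dataclass

# Class id of the HTML Help ActiveX control (HHCtrl.ocx). Its "ShortCut" command
# launches an arbitrary program, which is how a CHM reaches cmd.exe or wscript.exe.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Interpreters and LOLBins typically named in the Item1 parameter of a malicious shortcut.
SCRIPT_HOSTS = ("cmd", "wscript", "cscript", "powershell", "mshta", "rundll32", "regsvr32")

OBJECT_RE = re.compile(r"<object\b(?P<attrs>[^>]*)>(?P<body>.*?)</object\s*>", re.I | re.S)
PARAM_RE = re.compile(r"<param\b[^>]*>", re.I)
ATTR_RE = re.compile(r"([\w:-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
CLICK_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\.\s*Click\s*\(\s*\)", re.I)


@dataclass
class Finding:
    severity: str    # "high" or "medium"
    object_id: str   # id of the offending <object>, "" for script-only hits
    detail: str


def _attrs(tag_text):
    """Parse name=value pairs from a tag into a dict with lower-cased names, quotes stripped."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag_text)}


def _params(body):
    """Collect <param name=... value=...> pairs inside an <object>, keyed by lower-cased name."""
    out = {}
    for tag in PARAM_RE.findall(body):
        a = _attrs(tag)
        if "name" in a:
            out[a["name"].lower()] = a.get("value", "")
    return out


def triage_chm_html(html):
    """Return findings for HHCtrl ShortCut objects and for script that fires them on open."""
    findings = []
    script_text = " ".join(SCRIPT_RE.findall(html))
    clicked_ids = {m.lower() for m in CLICK_RE.findall(script_text)}

    for m in OBJECT_RE.finditer(html):
        attrs = _attrs(m.group("attrs"))
        clsid = attrs.get("classid", "").lower().replace("clsid:", "")
        if clsid != HHCTRL_CLSID:
            continue
        params = _params(m.group("body"))
        if params.get("command", "").lower() != "shortcut":
            continue  # HHCtrl also drives benign "Related Topics" and index buttons
        oid = attrs.get("id", "")
        item1 = params.get("item1", "")  # format: ",<program>,<arguments>"
        auto = oid.lower() in clicked_ids
        uses_host = any(h in item1.lower() for h in SCRIPT_HOSTS)
        severity = "high" if (auto or uses_host) else "medium"
        trigger = "auto-fired by script on open" if auto else "fires on user click"
        findings.append(Finding(severity, oid, f"ShortCut runs {item1!r} ({trigger})"))

    # Help content has no business instantiating WScript.Shell from inline VBScript.
    if re.search(r"CreateObject\s*\(\s*[\"']WScript\.Shell[\"']", script_text, re.I):
        findings.append(Finding("high", "", "inline script instantiates WScript.Shell"))
    return findings


# Constructed lure page modelled on the technique (not a real sample from the campaign).
SAMPLE_LURE = """<html><head><title>Escalation model</title></head><body>
<p>Loading document...</p>
<OBJECT id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
 <PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=",cmd.exe, /c start /min wscript.exe //e:vbscript %TEMP%\\update.dat">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>x.Click();</SCRIPT>
</body></html>"""

# Constructed benign page: same control, legitimate "Related Topics" command.
SAMPLE_BENIGN = """<object id="rt" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
 <param name="Command" value="Related Topics">
 <param name="Item1" value="Overview;overview.htm">
</object>"""


if __name__ == "__main__":
    for f in triage_chm_html(SAMPLE_LURE):
        print(f"[{f.severity.upper()}] object={f.object_id or '-'} {f.detail}")
    print("benign findings:", triage_chm_html(SAMPLE_BENIGN))
```

The check keys on the control's class id plus the `Command=ShortCut` parameter rather than on the presence of the control alone, because legitimate help files use the same HHCtrl object for navigation buttons; the severity is raised when the object is clicked from script (no user interaction needed) or when `Item1` names a script host.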

When the victim opens the file, an embedded VBScript runs and in turn launches .BAT and .VBS files that execute commands and write registry entries to ensure persistence. The collected information, including computer details, OS version, hardware characteristics, running processes, download history, recently opened Word documents, and directory listings, is sent to the attackers’ server.
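The chain described above leaves a recognizable process tree: hh.exe (the HTML Help viewer) spawning a command shell or script host, further script hosts below it, and a Run-key write from one of those processes. The following added example (not Rapid7's detection content) applies three rules of that shape to constructed, Sysmon-shaped process-creation and registry events; the field names, PIDs, paths and file names are assumptions made for illustration.

```python
"""Detect the CHM execution chain in process-creation and registry telemetry.

Added example for this article; not Rapid7 detection content. The events are
constructed, Sysmon-shaped records (EventID 1 = process create, 13 = registry
value set) with the field names assumed; adapt them to your own pipeline.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hh_lineage(pid, procs):
    """Walk the parent chain from pid; return how many hops up hh.exe sits (0 = pid itself), or None."""
    hops = 0
    seen = set()
    while pid in procs and pid not in seen:   # `seen` guards against PID-reuse loops
        seen.add(pid)
        if _basename(procs[pid]["Image"]) == "hh.exe":
            return hops
        pid = procs[pid]["ParentProcessId"]
        hops += 1
    return None


def detect(events):
    """Rules: hh.exe -> script host; script host anywhere under hh.exe; Run-key persistence."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            image = _basename(e["Image"])
            if image not in SCRIPT_HOSTS:
                continue
            hops = hh_lineage(e["ParentProcessId"], procs)
            if hops is None:
                continue
            rule = "chm_spawns_script_host" if hops == 0 else "chm_descendant_script_host"
            alerts.append(Alert(rule, e["ProcessId"],
                                f"{image} is {hops + 1} hop(s) below hh.exe: {e['CommandLine']}"))
        elif e["EventID"] == 13:
            in_lineage = hh_lineage(e["ProcessId"], procs) is not None
            by_script_host = _basename(e["Image"]) in SCRIPT_HOSTS
            if RUN_KEY in e["TargetObject"].lower() and (in_lineage or by_script_host):
                alerts.append(Alert("run_key_persistence", e["ProcessId"],
                                    f"{e['TargetObject']} = {e['Details']}"))
    return alerts


# Constructed events (PIDs, SIDs, paths and file names are made up for illustration).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1000, "ParentProcessId": 800,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1000, "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\analyst\Downloads\factors.chm'},
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /min wscript.exe //e:vbscript %TEMP%\update.dat"},
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //e:vbscript C:\Users\analyst\AppData\Local\Temp\update.dat"},
    {"EventID": 1, "ProcessId": 3200, "ParentProcessId": 3100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\analyst\AppData\Local\Temp\info.bat"},
    {"EventID": 13, "ProcessId": 3100, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc",
     "Details": r"wscript.exe //e:vbscript C:\Users\analyst\AppData\Local\Temp\update.dat"},
    # Benign activity that must stay quiet: a shell opened from Explorer, an installer's Run entry.
    {"EventID": 1, "ProcessId": 4000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:28} pid={a.pid:<5} {a.detail}")
```

Keying the Run-key rule on lineage rather than on the writing image alone matters here: the persistence entry is written by wscript.exe, not by hh.exe, so a rule that only looks at the direct child of the help viewer would miss it, while a rule on any Run-key write would drown in installer noise.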

Researchers conclude that Kimsuky is actively using and refining these intelligence-gathering techniques, a reminder that cyberespionage tooling evolves continuously and that defenses have to keep pace with it.
