North Korean APT Group Kimsuky Shifting Attack Tactics
Kimsuky Focuses on Exfiltration in Latest Campaign
North Korean hackers are using custom-built malware for information exfiltration campaigns against organizations that support human rights activists and North Korean defectors.
Cybersecurity firm SentinelOne wrote in a Tuesday blog post that the North Korean advanced persistent threat group Kimsuky is distributing a new variant of the RandomQuery malware that's been a staple of the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists.
The findings came the same day the U.S. government sanctioned four entities and one individual involved in funneling payments from malicious activities to support the North Korean government's illicit activities (see: US Sanctions North Korean Entities for Sending Regime Funds).
Kimsuky is distributing the malware using compiled HTML files - compressed HTML documents primarily used in software documentation. Delivering malware through Microsoft Compiled HTML Help, or CHM, files is a tactic commonly employed by the North Korean threat actor.
The variation of RandomQuery in this campaign has the "single objective of file enumeration and information exfiltration," in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.
The initial attack vector is phishing emails written in Korean sent from accounts registered at the South Korean email provider Daum. The lure document uncovered by the researchers is a CHM file stored in a password-protected archive titled "Difficulties in activities of North Korean human rights organizations and measures to vitalize them."
This campaign is also tied to infrastructure that uses lesser-used top-level domains such as