Monday, July 15, 2024

North Korea’s Kimsuky Group Equipped to Exploit Windows Help files

Cybersecurity experts have uncovered a sophisticated cyber espionage campaign orchestrated by the North Korean threat actor group Kimsuky, Black Banshee, or Thallium.

This group, notorious for its intelligence-gathering missions, has been active since at least 2012.

It has primarily targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields of interest to the North Korean regime.

Their latest tactics involve exploiting Windows help files, indicating an alarming evolution in their methods to bypass modern security measures.

Evolving Tactics of Cyber Espionage

Rapid7 Labs’ continuous monitoring of threat groups has led to the discovery of Kimsuky’s updated playbook, which showcases their relentless efforts to refine their tactics, techniques, and procedures (TTPs).


Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

This cat-and-mouse game between cybercriminals and defenders is a testament to the dynamic nature of cyber threats.

The group’s recent shift from weaponized Office documents and ISO files to the abuse of shortcut files (LNK files) has further evolved to the exploitation of Compiled HTML Help (CHM) files.

Initially designed for structured help documentation, these files can execute JavaScript when opened, making them a potential vehicle for malware distribution.

Anatomy of the Attack

The attack begins with identifying a target, followed by a reconnaissance phase to gain undetected access.

Kimsuky’s latest findings involve CHM files delivered through various containers, such as ISO, VHD, ZIP, or RAR files, which can bypass initial defenses and execute the CHM file.

Rapid7 Labs first identified a suspicious CHM file containing several HTML documents with Korean filenames, which, when translated, revealed topics related to North Korea’s nuclear strategy.

The first scenario in our analysis can be visualized
The first scenario in our analysis can be visualized

The CHM file, created on a Korean language Windows operating system, contained a ‘home.html’ file with a code snippet capable of executing arbitrary commands on a Windows machine using HTML and ActiveX.

CHM file contains the above files and structure
CHM file contains the above files and structure

Base64 Encoded VBScript Execution

The attack involves a multi-step process that includes echoing a Base64-encoded VBScript into a .dat file, decoding it back into a .vbs file using the certutil utility, and modifying the Windows Registry to ensure persistence.

The decoded Base64 value
The decoded Base64 value

The VBScript collects system information, running processes, recent Word files, and contents of specific folders, which are then encoded and exfiltrated to a remote server.

New Campaign Discovered

This C2 server is still active and while we have seen activity since September 2023, we also observed activity in 2024.
This C2 server is still active and while we have seen activity since September 2023, we also observed activity in 2024.

Further investigation led to more CHM files and VBS scripts with similar information-gathering code but with different Command and Control (C2) servers.

This indicates that Kimsuky is actively refining its techniques to gather intelligence from victims.

Another Approach Discovered


Using Yara rules based on the characteristics of previously discovered CHM files, Rapid7 Labs identified additional CHM files containing .bat files and VBS scripts with hidden code.

These files, once executed, create persistence scheduled tasks, gather system information, and send it to a C2 server after encoding and zipping the data.

In this particular case, multiple .bat files and VBS scripts are present
In this particular case, multiple .bat files and VBS scripts are present

Attack Prevalence

Rapid7 Labs has confirmed targeted attacks against entities based in South Korea and attributes this campaign with moderate confidence to the Kimsuky group.

The overall flow of this attack can be simplified in this visualization
The overall flow of this attack can be simplified in this visualization

The term “moderate confidence” indicates significant evidence of similarity to past observed activities of the group, with the caveat that there is always a possibility of mimicry.

The Kimsuky group’s ability to adapt and exploit Windows help files is a stark reminder of the evolving landscape of cyber threats.

Organizations must remain vigilant and proactive in cybersecurity to protect against such sophisticated attacks. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles