Monday, November 4, 2024

North Korea’s Kimsuky Group Equipped to Exploit Windows Help files


Cybersecurity experts have uncovered a sophisticated cyber espionage campaign orchestrated by the North Korean threat actor group Kimsuky, also known as Black Banshee or Thallium.

This group, notorious for its intelligence-gathering missions, has been active since at least 2012.

It has primarily targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields of interest to the North Korean regime.


Their latest tactics involve exploiting Windows help files, indicating an alarming evolution in their methods to bypass modern security measures.

Evolving Tactics of Cyber Espionage

Rapid7 Labs’ continuous monitoring of threat groups has led to the discovery of Kimsuky’s updated playbook, which showcases their relentless efforts to refine their tactics, techniques, and procedures (TTPs).


This cat-and-mouse game between cybercriminals and defenders is a testament to the dynamic nature of cyber threats.

The group’s recent shift from weaponized Office documents and ISO files to the abuse of shortcut files (LNK files) has further evolved to the exploitation of Compiled HTML Help (CHM) files.

Initially designed for structured help documentation, these files can execute JavaScript when opened, making them a potential vehicle for malware distribution.

Anatomy of the Attack

The attack begins with identifying a target, followed by a reconnaissance phase to gain undetected access.

The latest findings on Kimsuky involve CHM files delivered inside various containers, such as ISO, VHD, ZIP, or RAR files, which can bypass initial defenses before the CHM file is executed.

Rapid7 Labs first identified a suspicious CHM file containing several HTML documents with Korean filenames, which, when translated, revealed topics related to North Korea’s nuclear strategy.

Figure: The first scenario in our analysis, visualized.

The CHM file, created on a Korean language Windows operating system, contained a ‘home.html’ file with a code snippet capable of executing arbitrary commands on a Windows machine using HTML and ActiveX.

Figure: The CHM file contains the above files and structure.

Base64 Encoded VBScript Execution

The attack involves a multi-step process that includes echoing a Base64-encoded VBScript into a .dat file, decoding it back into a .vbs file using the certutil utility, and modifying the Windows Registry to ensure persistence.

Figure: The decoded Base64 value.

The VBScript collects system information, running processes, recent Word files, and contents of specific folders, which are then encoded and exfiltrated to a remote server.
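The execution chain described above (a help viewer launching a shell, certutil decoding a .dat file into a .vbs script, and a registry change for persistence) leaves a recognisable trail in process-creation telemetry. The following Python is an added detection example written for this article; it is not Rapid7's code or the report's own rules. The event records and command lines are constructed for illustration, the field names and rule names are assumptions, and the records are reduced to the three fields the rules need (parent image, image, command line), as a Sysmon event ID 1 or Windows Security 4688 record would supply them.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record reduced to the fields the rules below need."""
    parent_image: str
    image: str
    command_line: str


HELP_VIEWER = "hh.exe"  # the Windows HTML Help viewer that opens .chm files
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# certutil used as a decoder whose output file is a script or executable
CERTUTIL_DECODE_RE = re.compile(
    r"certutil(?:\.exe)?\b.*?[-/]decode(?:hex)?\b.*?\.(?:vbs|vbe|bat|cmd|js|hta|ps1|exe|dll)\b",
    re.IGNORECASE,
)
# reg.exe writing to a Run / RunOnce autostart key
RUN_KEY_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE
)


def _basename(path: str) -> str:
    """Normalise an image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        parent, image = _basename(ev.parent_image), _basename(ev.image)
        # A help file should render documentation, not spawn a shell or script host.
        if parent == HELP_VIEWER and image in SCRIPT_HOSTS:
            hits.append(("help_viewer_spawns_script_host", i))
        # Matches both a direct certutil.exe process and one embedded in a cmd /c chain.
        if CERTUTIL_DECODE_RE.search(ev.command_line):
            hits.append(("certutil_decodes_script", i))
        if RUN_KEY_RE.search(ev.command_line):
            hits.append(("run_key_persistence", i))
    return hits


def assess(events):
    """Correlate rule hits into a severity: the full CHM -> decode -> persistence chain is 'high'."""
    hits = detect(events)
    rules = {name for name, _ in hits}
    chain = {"help_viewer_spawns_script_host", "certutil_decodes_script", "run_key_persistence"}
    if chain <= rules:
        severity = "high"
    elif rules:
        severity = "medium"
    else:
        severity = "none"
    return {"hits": hits, "severity": severity}


# Constructed sample telemetry (not taken from the report). The echoed value is the
# Base64 of "ABCDEFGH"; it stands in for the encoded script the article describes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" "C:\Users\u\Downloads\brief.chm"'),
    ProcessEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo QUJDREVGR0g= > %TEMP%\k.dat && certutil -decode %TEMP%\k.dat %TEMP%\k.vbs"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil -decode C:\Users\u\AppData\Local\Temp\k.dat C:\Users\u\AppData\Local\Temp\k.vbs"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
                 r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "wscript.exe C:\Users\u\AppData\Local\Temp\k.vbs" /f'),
    # Benign activity that must not fire: certificate verification and a vendor help file.
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil -verify C:\certs\server.cer"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
                 r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\help.chm"'),
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} -> {SAMPLE_EVENTS[idx].command_line}")
    print("severity:", assess(SAMPLE_EVENTS)["severity"])
```

The parent/child rule is the most robust of the three, because hh.exe has no legitimate reason to launch a shell or script host regardless of how the payload is encoded; the certutil and Run-key rules catch the decode and persistence steps even when the CHM was opened some other way, and correlating all three across one host and a short window is what justifies the "high" verdict.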

New Campaign Discovered

This C2 server is still active and while we have seen activity since September 2023, we also observed activity in 2024.

Further investigation led to more CHM files and VBS scripts with similar information-gathering code but with different Command and Control (C2) servers.

This indicates that Kimsuky is actively refining its techniques to gather intelligence from victims.

Another Approach Discovered

Hash    Value
MD5     71db2ae9c36403cec1fd38864d64f239
SHA1    5c7b2705155023e6e438399d895d30bf924e0547
SHA256  e8000ddfddbe120b5f2fb3677abbad901615d1abd01a0de204fade5d2dd5ad0d

Using Yara rules based on the characteristics of previously discovered CHM files, Rapid7 Labs identified additional CHM files containing .bat files and VBS scripts with hidden code.

These files, once executed, create scheduled tasks for persistence, gather system information, and send it to a C2 server after encoding and zipping the data.

Figure: In this particular case, multiple .bat files and VBS scripts are present.
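Two static characteristics mentioned in this article lend themselves to triage before any file is opened: the CHM was authored on a Korean-language Windows system, and the suspicious samples carry .bat and VBS entries alongside the HTML. The Python below is an added example for this article, not Rapid7's YARA rules or code. It reads the ITSF header that every CHM file begins with (the 4-byte "ITSF" magic, then version, header length, an unknown field, a timestamp and the authoring Windows language ID, all little-endian 32-bit values) and then lists entry names from the uncompressed PMGL directory chunks with a simple string heuristic rather than a full directory parser. The sample CHM bytes are constructed in the code (a real header plus a minimal directory chunk), and the field and function names are assumptions.

```python
import re
import struct

ITSF_MAGIC = b"ITSF"
LCID_KOREAN = 0x0412  # Windows language ID for ko-KR
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1")
# A directory entry name: "/" followed by printable ASCII or UTF-8 bytes (CHM paths are UTF-8).
_NAME_RE = re.compile(rb"/[\x21-\x7e\x80-\xff]{1,255}")


def parse_itsf_header(data: bytes):
    """Return the fixed ITSF header fields, or None if this is not a CHM file."""
    if len(data) < 0x18 or data[:4] != ITSF_MAGIC:
        return None
    version, header_len, _one, timestamp, lang_id = struct.unpack_from("<5I", data, 4)
    return {"version": version, "header_len": header_len,
            "timestamp": timestamp, "language_id": lang_id}


def list_directory_names(data: bytes):
    """Heuristically pull entry names out of the PMGL listing chunks.

    Each PMGL chunk has a 20-byte header (magic, quickref length, unused, prev, next)
    followed by entries whose names are stored uncompressed, so a string scan is enough
    for triage. Internal entries ("/#SYSTEM", "/$WWKeywordLinks/...") are skipped.
    """
    names = []
    for m in re.finditer(rb"PMGL", data):
        start = m.end() + 16
        nxt = data.find(b"PMGL", m.end())
        end = nxt if nxt != -1 else len(data)
        for nm in _NAME_RE.finditer(data, start, end):
            name = nm.group().decode("utf-8", errors="replace")
            if not name.startswith(("/#", "/$")):
                names.append(name)
    return names


def triage_chm(data: bytes):
    """Flag a CHM whose directory carries script entries and note the authoring locale."""
    header = parse_itsf_header(data)
    if header is None:
        return {"is_chm": False}
    names = list_directory_names(data)
    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]
    return {
        "is_chm": True,
        "language_id": header["language_id"],
        "korean_authoring_locale": header["language_id"] == LCID_KOREAN,
        "entries": names,
        "script_entries": scripts,
        "suspicious": bool(scripts),
    }


# --- constructed sample data (not a real sample) -----------------------------------
def _encint(n: int) -> bytes:
    """Single-byte ENCINT; sufficient for the small values used in the sample."""
    return bytes([n])


def _entry(name: bytes, section: int, offset: int, length: int) -> bytes:
    return _encint(len(name)) + name + _encint(section) + _encint(offset) + _encint(length)


def build_sample_chm(include_scripts: bool = True) -> bytes:
    """Build a minimal CHM-shaped blob: Korean-locale ITSF header plus one PMGL chunk."""
    header = (ITSF_MAGIC + struct.pack("<5I", 3, 0x60, 1, 0, LCID_KOREAN)).ljust(0x60, b"\0")
    entries = [_entry(b"/#SYSTEM", 0, 0, 0x10), _entry(b"/home.html", 1, 0, 0x20)]
    if include_scripts:
        entries += [_entry(b"/run.bat", 1, 0x20, 0x08), _entry(b"/update.vbs", 1, 0x20, 0x10)]
    pmgl = b"PMGL" + struct.pack("<iiii", 0, 0, -1, -1) + b"".join(entries)
    return header + pmgl.ljust(0x200, b"\0")


if __name__ == "__main__":
    report = triage_chm(build_sample_chm())
    print(f"language id 0x{report['language_id']:04x}, korean={report['korean_authoring_locale']}")
    print("entries:", report["entries"])
    print("suspicious:", report["suspicious"], report["script_entries"])
```

The language ID is a weak indicator on its own, since legitimate Korean-language documentation will set it too; it becomes useful when combined with script entries in the directory, with the file's arrival inside an ISO, VHD, ZIP or RAR container, and with the hash indicators above.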

Attack Prevalence

Rapid7 Labs has confirmed targeted attacks against entities based in South Korea and attributes this campaign with moderate confidence to the Kimsuky group.

Figure: The overall flow of this attack, simplified.

The term “moderate confidence” indicates significant evidence of similarity to past observed activities of the group, with the caveat that there is always a possibility of mimicry.

The Kimsuky group’s ability to adapt and exploit Windows help files is a stark reminder of the evolving landscape of cyber threats.

Organizations must remain vigilant and proactive in cybersecurity to protect against such sophisticated attacks. 


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
