Severity
High
Analysis Summary
The Kimsuky hacking group, aka Thallium and Velvet Chollima, is a state-sponsored cyberespionage group that has been active since at least 2012, and has been linked to North Korea. The group is known for targeting government organizations, think tanks, and other entities involved in national security policy.
According to reports, the Kimsuky group has recently been using a new version of its reconnaissance malware, called ReconShark (an evolution of the threat actor’s BabyShark malware toolset), in a global cyberespionage campaign. The malware is designed to gather information on targeted systems and exfiltrate that data back to the attackers. It is believed that the group uses this information to gain access to sensitive networks and steal valuable intellectual property.
ReconShark is distributed through spear-phishing emails that contain a malicious document. When the document is opened, the malware is installed and begins collecting information on the infected system. The malware is able to bypass anti-virus software and other security measures by using a number of different obfuscation techniques.
Malicious document used in a Kimsuky attack
In March 2023, South Korean and German authorities warned that Kimsuky had launched a new cyber espionage campaign, using malicious Chrome extensions and Android spyware to target Gmail accounts and serve as a remote access trojan. This is not the first time that Kimsuky has been in the news. In August 2022, Kaspersky revealed another Kimsuky campaign that targeted politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme. This technique ensured that only valid targets would be infected with malicious payloads, making the attack more difficult to detect.
Kimsuky uses well-crafted, personalised spear-phishing emails to infect its targets with the ReconShark malware, the same approach used in its previous campaigns. To avoid triggering alerts on email security tools, these emails contain a link to a malicious password-protected document hosted on Microsoft OneDrive. The embedded ReconShark malware is launched when the target opens the downloaded document and enables macros as instructed.
ReconShark’s ability to extract sensitive information, such as deployed detection mechanisms and hardware information, suggests that the malware is being used as part of a larger reconnaissance operation orchestrated by the Kimsuky APT group. This type of reconnaissance can enable the group to launch more targeted and effective attacks, possibly using custom-designed malware that can bypass defenses and exploit specific platform weaknesses.
ReconShark is designed to exfiltrate a variety of information about the infected platform, including information about running processes, the battery connected to the system, and details about deployed endpoint threat detection mechanisms. This information can be valuable to attackers, as it can provide insights into the target’s security posture and help the attackers to identify potential vulnerabilities that can be exploited to gain further access to the target’s systems and data.
“In addition to exfiltrating information, ReconShark deploys further payloads in a multi-stage manner that are implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files,” the researchers conclude.
ReconShark can also be used to execute commands on the infected system, download and execute additional payloads, and exfiltrate additional data. As such, it is a powerful tool in the arsenal of APT groups like Kimsuky and highlights the need for robust security measures to protect against these types of threats.
The use of ReconShark also highlights the need for organizations to maintain robust security measures to protect against APT attacks. This includes implementing security controls such as firewalls, intrusion detection and prevention systems, and endpoint protection software. Additionally, organizations should regularly monitor their networks for signs of unauthorized activity and conduct thorough security audits to identify potential vulnerabilities that could be exploited by threat actors. By taking these steps, organizations can help mitigate the risk of APT attacks and protect their sensitive data and assets from compromise.
Impact
- Data Theft and Espionage
- Sensitive Data Exposure
Indicators of Compromise
Domain Name
- yonsei.lol
URL
- https://rfa.ink/bio/r.php
- https://mitmail.tech/gorgon/r.php
- https://mitmail.tech/gorgon/t1.hta
- https://rfa.ink/bio/ca.php?na=reg.gif
- https://mitmail.tech/gorgon/ca.php?na=reg.gif
- https://rfa.ink/bio/ca.php?na=secur32.gif
- https://mitmail.tech/gorgon/ca.php?na=dot_kasp.gif
- https://rfa.ink/bio/ca.php?na=dot_kasp.gif
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Patch and upgrade all platforms and software promptly and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Maintain daily backups of all computer networks and servers.
- Never trust or open links and attachments received from unknown sources/senders.
- To mitigate the risk of keylogger attacks, it is also recommended that individuals and organizations use secure and encrypted communication channels, such as VPNs and encrypted email, when transmitting sensitive information.
- Additionally, the use of multi-factor authentication can help to reduce the risk of sensitive information being stolen by attackers.
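One way to carry out the IOC search recommended above, as an added example and not code from Rewterz: a small Python scanner that matches the advisory's domain and URL indicators against web-proxy log lines. The log format and the sample lines are constructed assumptions; matching ignores the URL scheme, treats subdomains of an indicator domain as hits, and compares paths and query strings exactly.

```python
from urllib.parse import urlparse
# Indicators copied from the "Indicators of Compromise" section of this advisory.
IOC_URLS = {
    "https://rfa.ink/bio/r.php",
    "https://mitmail.tech/gorgon/r.php",
    "https://mitmail.tech/gorgon/t1.hta",
    "https://rfa.ink/bio/ca.php?na=reg.gif",
    "https://mitmail.tech/gorgon/ca.php?na=reg.gif",
    "https://rfa.ink/bio/ca.php?na=secur32.gif",
    "https://mitmail.tech/gorgon/ca.php?na=dot_kasp.gif",
    "https://rfa.ink/bio/ca.php?na=dot_kasp.gif",
}

def url_key(url):
    """Scheme-insensitive comparison key: (lowercased host, path, query)."""
    p = urlparse(url.strip())
    return (p.hostname or "").lower(), p.path, p.query
# The listed domain plus the hosts of the listed URLs are treated as indicator domains.
IOC_HOSTS = {"yonsei.lol"} | {url_key(u)[0] for u in IOC_URLS}
IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}
def matching_domain(host):
    """Indicator domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_HOSTS:
        if host == d or host.endswith("." + d):  # anchored suffix: 'notyonsei.lol' must not match
            return d
    return None

def scan_proxy_log(lines):
    """Scan lines of the assumed form '<ts> <client_ip> <method> <url> <status>'; exact-URL hits beat domain hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record, skip it
        key = url_key(parts[3])
        if key in IOC_URL_KEYS:
            hits.append({"line": n, "client": parts[1], "type": "url", "indicator": parts[3]})
        elif d := matching_domain(key[0]):
            hits.append({"line": n, "client": parts[1], "type": "domain", "indicator": d})
    return hits

# Constructed sample log (not from the advisory): exact hit, subdomain hit, two near-misses, query-case variant.
SAMPLE_LOG = [
    "2023-05-09T10:01:02Z 10.0.0.12 GET https://www.example.com/ 200",
    "2023-05-09T10:01:05Z 10.0.0.12 GET http://mitmail.tech/gorgon/t1.hta 200",
    "2023-05-09T10:01:09Z 10.0.0.15 GET https://cdn.yonsei.lol/img.png 200",
    "2023-05-09T10:01:11Z 10.0.0.15 GET https://notyonsei.lol/index.html 200",
    "2023-05-09T10:01:14Z 10.0.0.19 GET https://yonsei.lol.example.org/ 404",
    "2023-05-09T10:01:20Z 10.0.0.19 GET https://rfa.ink/bio/ca.php?na=REG.gif 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 2, 3 and 6 only; the two look-alike hosts on lines 4 and 5 are correctly ignored, and the query-case variant on line 6 surfaces as a domain hit rather than an exact URL hit.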