North Korea’s Kimsuky Group Equipped to Exploit Windows

Cybersecurity experts have uncovered a sophisticated cyber espionage campaign orchestrated by the North Korean threat actor group Kimsuky, Black Banshee, or Thallium.

This group, notorious for its intelligence-gathering missions, has been active since at least 2012.

It has primarily targeted South Korean government entities, individuals involved in the Korean peninsula’s unification process, and global experts in fields of interest to the North Korean regime.

Their latest tactics involve exploiting Windows help files, indicating an alarming evolution in their methods to bypass modern security measures.

Evolving Tactics of Cyber Espionage

Rapid7 Labs’ continuous monitoring of threat groups has led to the discovery of Kimsuky’s updated playbook, which showcases their relentless efforts to refine their tactics, techniques, and procedures (TTPs).

This cat-and-mouse game between cybercriminals and defenders is a testament to the dynamic nature of cyber threats.

The group’s recent shift from weaponized Office documents and ISO files to the abuse of shortcut files (LNK files) has further evolved to the exploitation of Compiled HTML Help (CHM) files.

Initially designed for structured help documentation, these files can execute JavaScript when opened, making them a potential vehicle for malware distribution.

Anatomy of the Attack

The attack begins with identifying a target, followed by a reconnaissance phase to gain undetected access.

Kimsuky’s latest findings involve CHM files delivered through various containers, such as ISO, VHD, ZIP, or RAR files, which can bypass initial defenses and execute the CHM file.

Rapid7 Labs first identified a suspicious CHM file containing several HTML documents with Korean filenames, which, when translated, revealed topics related to North Korea’s nuclear strategy.

The CHM file, created on a Korean language Windows operating system, contained a ‘home.html’ file with a code snippet capable of executing arbitrary commands on a Windows machine using HTML and ActiveX.

Base64 Encoded VBScript Execution

The attack involves a multi-step process that includes echoing a Base64-encoded VBScript into a .dat file, decoding it back into a .vbs file using the certutil utility, and modifying the Windows Registry to ensure persistence.

The VBScript collects system information, running processes, recent Word files, and contents of specific folders, which are then encoded and exfiltrated to a remote server.

New Campaign Discovered

Further investigation led to more CHM files and VBS scripts with similar information-gathering code but with different Command and Control (C2) servers.

This indicates that Kimsuky is actively refining its techniques to gather intelligence from victims.

Another Approach Discovered

Using Yara rules based on the characteristics of previously discovered CHM files, Rapid7 Labs identified additional CHM files containing .bat files and VBS scripts with hidden code.

These files, once executed, create persistence scheduled tasks, gather system information, and send it to a C2 server after encoding and zipping the data.

Attack Prevalence

Rapid7 Labs has confirmed targeted attacks against entities based in South Korea and attributes this campaign with moderate confidence to the Kimsuky group.

The term “moderate confidence” indicates significant evidence of similarity to past observed activities of the group, with the caveat that there is always a possibility of mimicry.

The Kimsuky group’s ability to adapt and exploit Windows help files is a stark reminder of the evolving landscape of cyber threats.

Organizations must remain vigilant and proactive in cybersecurity to protect against such sophisticated attacks. 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.