lazarusholic


Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign

2023-05-04, SentinelOne
https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/
#Kimsuky #ReconShark


By Tom Hegel and Aleksandar Milenkoski

Executive Summary

- SentinelLabs has observed ongoing attacks from Kimsuky, a North Korean state-sponsored APT that has a long history of targeting organizations across Asia, North America, and Europe.
- Ongoing campaigns use a new malware component we call ReconShark, which is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros.
- ReconShark functions as a reconnaissance tool with unique execution instructions and server communication methods. Recent activity has been linked to a wider set of activity we confidently attribute to North Korea.

Background

Kimsuky is a North Korean advanced persistent threat (APT) group with a long history of targeted attacks across the world. Current understanding of the group indicates they have been primarily assigned to intelligence collection and espionage operations in support of the North Korean government since at least 2012. In 2018 the group was observed deploying …

IoC

86a025e282495584eabece67e4e2a43dca28e505
c8f54cb73c240a1904030eb36bb2baa7db6aeb01
http://1drv.ms/u/s!AvPucizxIXoqedcUKN647svN3QM?e=K6N1gT
http://aaaaawwqwdqkidoemsk.lives.com-change.info
http://accounts.live.com-change.info
http://accounts.lives.com-change.info
http://cashsentinel.com-change.info
http://cashsentinel.hotmail.com-change.info
http://cashsentinel.hotrnail.com-change.info
http://cashsentinel.live.com-change.info
http://cashsentinel.lives.com-change.info
http://cashsentinel.microsoft.com-change.info
http://cashsentinel.naver.com-change.info
http://cashsentinel.navers.com-change.info
http://cashsentinel.navor.com-change.info
http://cashsentinel.outlock.com-change.info
http://cashsentinel.outlook.com-change.info
http://cloud.navor.com-change.info
http://com-change.info
http://downmail.navor.com-change.info
http://gmail.com-change.info
http://grnail.com-change.info
http://hotmail.com-change.info
http://hotrnail.com-change.info
http://live.com-change.info
http://lives.com-change.info
http://loges.lives.com-change.info
http://loginsaa.gmail.com-change.info
http://loginsaa.grnail.com-change.info
http://logmes.lives.com-change.info
http://logrns.lives.com-change.info
http://logws.lives.com-change.info
http://mainchksrh.com
http://microsoft.com-change.info
http://microsoft.loginsaa.gmail.com-change.info
http://microsoft.loginsaa.grnail.com-change.info
http://mitmail.tech
http://naver.com-change.info
http://naver.loginsaa.gmail.com-change.info
http://navers.com-change.info
http://navor.com-change.info
http://newshare.online
http://nlds.navor.com-change.info
http://outlock.com-change.info
http://outlook.com-change.info
http://paypal.com-change.info
http://publiccloud.navor.com-change.info
http://rfa.ink
http://rfa.ink/bio/ca.php?na=dot_avg.gif
http://skjflkjsjflejlkjieiieieiei.lives.com-change.info
http://yonsei.lol
https://mitmail.tech/gorgon/ca.php?na=dot_avg.gif
https://mitmail.tech/gorgon/ca.php?na=dot_esen.gif
https://mitmail.tech/gorgon/ca.php?na=dot_eset.gif
https://mitmail.tech/gorgon/ca.php?na=dot_kasp.gif
https://mitmail.tech/gorgon/ca.php?na=dot_v3.gif
https://mitmail.tech/gorgon/ca.php?na=reg.gif
https://mitmail.tech/gorgon/ca.php?na=secur32.gif
https://mitmail.tech/gorgon/ca.php?na=start0.gif
https://mitmail.tech/gorgon/ca.php?na=start1.gif
https://mitmail.tech/gorgon/ca.php?na=start2.gif
https://mitmail.tech/gorgon/ca.php?na=start3.gif
https://mitmail.tech/gorgon/ca.php?na=start4.gif
https://mitmail.tech/gorgon/ca.php?na=vbs.gif
https://mitmail.tech/gorgon/ca.php?na=vbs_esen.gif
https://mitmail.tech/gorgon/ca.php?na=video.gif
https://mitmail.tech/gorgon/ca.php?na=videop.gif
https://mitmail.tech/gorgon/r.php
https://mitmail.tech/gorgon/t1.hta
https://newshare.online/lee/ca.php?na=secur32.gif
https://rfa.ink
https://rfa.ink/bio/ca.php?na=dot_esen.gif
https://rfa.ink/bio/ca.php?na=dot_eset.gif
https://rfa.ink/bio/ca.php?na=dot_kasp.gif
https://rfa.ink/bio/ca.php?na=dot_v3.gif
https://rfa.ink/bio/ca.php?na=reg.gif
https://rfa.ink/bio/ca.php?na=secur32.gif
https://rfa.ink/bio/ca.php?na=start0.gif
https://rfa.ink/bio/ca.php?na=start1.gif
https://rfa.ink/bio/ca.php?na=start2.gif
https://rfa.ink/bio/ca.php?na=start3.gif
https://rfa.ink/bio/ca.php?na=start4.gif
https://rfa.ink/bio/ca.php?na=vbs.gif
https://rfa.ink/bio/ca.php?na=vbs_esen.gif
https://rfa.ink/bio/ca.php?na=video.gif
https://rfa.ink/bio/ca.php?na=videop.gif
https://rfa.ink/bio/d.php?na=battmp
https://rfa.ink/bio/d.php?na=vbtmp
https://rfa.ink/bio/r.php
https://rfa.ink/bio/t1.hta