Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit
By Aleksandar Milenkoski and Tom Hegel
Executive Summary
- SentinelLabs has observed an ongoing campaign by Kimsuky, a North Korean APT group, targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations.
- The campaign focuses on file reconnaissance and information exfiltration using a variant of the RandomQuery malware, enabling subsequent precision attacks.
- Kimsuky distributes RandomQuery using Microsoft Compiled HTML Help (CHM) files, a delivery tactic the group has relied on for years to deploy a wide range of malware.
- Kimsuky registers its malicious infrastructure on newer TLDs (.click, .space, .asia, .online in this campaign) under names whose leading label begins with "com-", so that a domain such as com-port.space superficially resembles a familiar .com address to unsuspecting targets and network defenders.
Overview
SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance and on exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks. Based on the infrastructure used, malware delivery methods, and malware implementation, we assess with …
IoC
0288140be88bc3156b692db2516e38f1f2e3f494
49c70c292a634e822300c57305698b56c6275b1c
84398dcd52348eec37738b27af9682a3a1a08492
8f2e6719ce0f29c2c6dbabe5a7bda5906a99481c
912f875899dd989fbfd64b515060f271546ef94c
96d29a2d554b36d6fb7373ae52765850c17b68df
[email protected]
http://cf-health.click
http://com-def.asia
http://com-hwp.space
http://com-in.asia
http://com-otp.click
http://com-people.click
http://com-port.space
http://com-pow.click
http://com-price.space
http://com-view.online
http://com-www.click
http://db-online.space
http://de-file.online
http://file.com-port.space/indeed/show.php?query=50
http://file.com-port.space/indeed/show.php?query=97
http://ko-asia.click
http://kr-angry.click
http://kr-me.click
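The naming pattern in the IoC list (a "com-" or Korea-themed label on a newer TLD) is something a defender can check for directly, alongside exact matching on the published indicators. The script below is an added example and is not code from SentinelLabs or from the post: it loads the network indicators listed above, derives their registrable parents (assuming a simple label.tld structure, with no public-suffix list), and runs both an exact IoC match and the lookalike heuristic over a small constructed DNS query log. The "kr-"/"ko-" prefixes in the heuristic and the log format are assumptions for illustration; the post itself only describes the .com mimicry.

```python
"""Exact-IoC and lookalike-domain check for Kimsuky-style infrastructure.

Added example, not from the SentinelLabs post. IOC_URLS is copied from the
post's IoC list; the TLD set, the prefix regex beyond "com-", and the
DNS log lines below are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Network indicators from the post's IoC list (two carry paths).
IOC_URLS = [
    "http://cf-health.click",
    "http://com-def.asia",
    "http://com-hwp.space",
    "http://com-in.asia",
    "http://com-otp.click",
    "http://com-people.click",
    "http://com-port.space",
    "http://com-pow.click",
    "http://com-price.space",
    "http://com-view.online",
    "http://com-www.click",
    "http://db-online.space",
    "http://de-file.online",
    "http://file.com-port.space/indeed/show.php?query=50",
    "http://file.com-port.space/indeed/show.php?query=97",
    "http://ko-asia.click",
    "http://kr-angry.click",
    "http://kr-me.click",
]

# TLDs observed across the IoC list. Assumption: this is the set of
# "newer" TLDs the heuristic cares about; extend for your environment.
NEW_TLDS = {"click", "space", "asia", "online"}

# Second-level labels starting with a token that imitates a familiar
# TLD/ccTLD. "com-" is the pattern the post describes; "kr-" and "ko-"
# are an added assumption drawn from the IoC list.
MIMIC_PREFIX = re.compile(r"^(com|kr|ko)-", re.IGNORECASE)


def ioc_hosts():
    """Hostnames from IOC_URLS plus their registrable parents.

    Assumes a plain <label>.<tld> registrable domain (no public-suffix
    list), so file.com-port.space also contributes com-port.space.
    """
    hosts = set()
    for url in IOC_URLS:
        host = urlsplit(url).hostname.lower()
        hosts.add(host)
        labels = host.split(".")
        if len(labels) > 2:
            hosts.add(".".join(labels[-2:]))
    return hosts


IOC_HOSTS = ioc_hosts()


def lookalike_reason(host):
    """Return a short reason string if host fits the naming pattern, else None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    m = MIMIC_PREFIX.match(sld)
    if tld in NEW_TLDS and m:
        return f"'{sld}.{tld}' imitates a .{m.group(1).lower()} name on .{tld}"
    return None


def classify(host):
    """'ioc' for a known indicator or a subdomain of one, 'lookalike' for a
    heuristic hit, 'clean' otherwise."""
    h = host.lower().rstrip(".")
    labels = h.split(".")
    # Walk from the full host up to the registrable parent (skip bare TLD).
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in IOC_HOSTS:
            return "ioc"
    if lookalike_reason(h):
        return "lookalike"
    return "clean"


# Assumed log format: a key=value line containing "query=<hostname>".
LOG_RE = re.compile(r"query=(?P<host>[\w.-]+)")


def scan_dns_log(lines):
    """Return a list of (host, verdict) for every line with a query= field."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            host = m.group("host")
            results.append((host, classify(host)))
    return results


# Constructed sample DNS log; only the IoC-listed hosts come from the post.
SAMPLE_LOG = [
    "2023-05-10T08:12:41Z client=10.0.0.5 query=file.com-port.space type=A",
    "2023-05-10T08:12:43Z client=10.0.0.5 query=www.example.com type=A",
    "2023-05-10T08:13:02Z client=10.0.0.7 query=com-login.click type=A",
    "2023-05-10T08:13:09Z client=10.0.0.9 query=kr-me.click type=A",
    "2023-05-10T08:14:00Z client=10.0.0.9 query=news.example.online type=A",
]

if __name__ == "__main__":
    for host, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{verdict:9s} {host}  {lookalike_reason(host) or ''}")
```

The heuristic is deliberately narrow (newer TLD plus a mimicking prefix) so that it catches domains registered after the IoC list was published without flagging every .click or .online name; the registrable-parent expansion is what lets a query for file.com-port.space match the bare com-port.space indicator.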