On Thursday, security researchers from SentinelOne reported that the North Korean state-sponsored APT group, Kimsuky, has been observed utilizing a brand new malware component called ReconShark. The malware is disseminated through spear-phishing emails that are specifically targeted, containing OneDrive links that, when clicked, trigger the download of documents that subsequently activate malicious macros.
Tom Hegel and Aleksandar Milenkoski from SentinelOne revealed that the spear-phishing emails used to distribute ReconShark are tailored to specific individuals, with a high level of design quality that increases the likelihood of the target opening them. These emails appear legitimate, using proper formatting, grammar, and visual clues that can deceive unsuspecting users.
Moreover, the malicious documents and the links in the emails are disguised with the names of real individuals whose knowledge or expertise is relevant to the subject of the lure, for instance, political scientists.
Furthermore, the researcher added that “The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses”.
The state-sponsored APT group Kimsuky, which has been operating since 2012, is also identified by other names such as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. This notorious threat actor group has been involved in targeted attacks on numerous entities, including non-governmental organizations (NGOs), diplomatic agencies, military organizations, think tanks, research entities, and economic groups across Asia, North America, and Europe.
In new developments, Kimsuky differs from its predecessors. It avoids storing collected data on the file system. Instead, the malware stores the information in string variables and transmits it to a command-and-control (C2) server via HTTP POST requests. Additionally, ReconShark can install supplementary payloads, such as DLL files or scripts, by examining the detection mechanisms present on the infected systems.
Furthermore, the security researchers noted that Kimsuky's recent activities are designed to hit global issues.
“For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine,” reads the report.
The discovery of ReconShark highlights the growing proof that Kimsuky is changing its techniques to secretly access and control computer systems, stay undetected, and collect information for prolonged periods.