Kimsuky group upgrades its BabyShark reconnaissance tool

May 29, 2023
Tags: Kimsuky, Threat Group, North Korea, BabyShark, Malware, Spyware, Reconnaissance Tool

Kimsuky, a North Korean-affiliated threat group, has displayed another upgrade to its tactics, techniques, procedures, and tools. The group is also tracked under names such as Velvet Chollima, SmokeScreen, and Thallium.

Based on reports, the threat group has developed a new reconnaissance tool dubbed ReconShark. Researchers stated that the new tool could be used against targets in any country, since its lures draw on a range of current geopolitical affairs.

Some of the confirmed lures the group used in its attacks are the nuclear agendas between North Korea and China and the Ukraine-Russia geopolitical conflict.


The Kimsuky group is not selective about its targets, and no country is exempt from its attacks.


The current cybercriminal operation from the Kimsuky group is targeting numerous organisations worldwide.

Currently, the confirmed targets of the group include an IT firm that analyses the impact of the Democratic People’s Republic of Korea (DPRK) and personnel of the Korea Risk Group (KRG). In addition, research has identified that the campaign has also reached think tanks and research universities in the United States, Asia, and Europe.

Researchers explained that the North Korean threat group had upgraded its BabyShark malware into the ReconShark reconnaissance tool, further expanding its exfiltration capability.

The tool can steal critical information from an infected system, such as the list of running processes, the endpoint threat detection mechanisms in place, and details of connected batteries. Furthermore, it can abuse Windows Management Instrumentation (WMI) to extract system information. ReconShark can also check for the presence of endpoint security software from various vendors.
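The capabilities listed above (process listing, WMI-based system and hardware queries, enumeration of installed security products) leave a recognisable footprint in process-creation telemetry. The script below is an added example written for this page, not code from the article or from the researchers' report it summarises: it parses constructed, Sysmon-style process-creation log lines and scores each host/user pair against generic reconnaissance heuristics. The field layout of the log lines, the regex patterns, the weights and the threshold are all assumptions for illustration; they are not ReconShark indicators of compromise and should be tuned to your own telemetry.

```python
"""Flag process-creation log lines whose command lines look like host reconnaissance.

Added example for this page; the heuristics are generic (process listing, WMI
system/hardware queries, security-product enumeration), NOT ReconShark IoCs.
The log format and sample lines are constructed for the example.
"""
import re
from dataclasses import dataclass

# (name, pattern, weight). Weights are an assumption: enumerating security
# products is rarer in benign activity than listing processes, so it scores higher.
RECON_PATTERNS = [
    ("process-listing", re.compile(r"\b(tasklist|wmic\s+process|Get-Process)\b", re.I), 1),
    ("security-product-enum", re.compile(r"(AntiVirusProduct|SecurityCenter2|Get-MpComputerStatus)", re.I), 3),
    ("hardware-query", re.compile(r"(Win32_Battery|Win32_ComputerSystem|Win32_OperatingSystem|systeminfo)", re.I), 1),
    ("wmi-shell", re.compile(r"\b(wmic(\.exe)?|Get-WmiObject|Get-CimInstance)\b", re.I), 1),
]

# Assumed flattened log layout: "<ts> host=<h> user=<u> image=<path> cmd=<command line>".
# Real Sysmon Event ID 1 records carry the same fields under different names.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>.+?)\s+cmd=(?P<cmd>.*)$"
)

# Constructed sample telemetry: one workstation running several recon-style
# commands in a short burst, another where a user opens a document and lists processes once.
SAMPLE_LOG = r"""
2023-05-10T09:12:01Z host=WS-17 user=CORP\alice image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c tasklist /v
2023-05-10T09:12:03Z host=WS-17 user=CORP\alice image=C:\Windows\System32\wbem\WMIC.exe cmd=wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
2023-05-10T09:12:05Z host=WS-17 user=CORP\alice image=C:\Windows\System32\wbem\WMIC.exe cmd=wmic path Win32_Battery get EstimatedChargeRemaining
2023-05-10T09:13:40Z host=WS-22 user=CORP\bob image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE cmd="WINWORD.EXE" /n "C:\Users\bob\Documents\budget.docx"
2023-05-10T09:14:02Z host=WS-22 user=CORP\bob image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c tasklist
"""


@dataclass
class Finding:
    host: str
    user: str
    matched: list  # names of the patterns that fired, in order seen
    score: int


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_event(event):
    """Return (pattern names hit, summed weight) for one parsed event."""
    names, score = [], 0
    for name, rx, weight in RECON_PATTERNS:
        if rx.search(event["cmd"]):
            names.append(name)
            score += weight
    return names, score


def flag_recon(lines, threshold=3):
    """Accumulate scores per (host, user) and return those at or above the threshold.

    Accumulating across events is what separates a single 'tasklist' from a
    reconnaissance burst; a real detector would also bound the time window.
    """
    totals = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        names, s = score_event(ev)
        if not names:
            continue
        key = (ev["host"], ev["user"])
        f = totals.setdefault(key, Finding(ev["host"], ev["user"], [], 0))
        f.matched.extend(names)
        f.score += s
    return [f for f in totals.values() if f.score >= threshold]


if __name__ == "__main__":
    for f in flag_recon(SAMPLE_LOG.splitlines()):
        print(f"{f.host} {f.user}: score={f.score} patterns={f.matched}")
```

Run as a script it reports only WS-17, whose user listed processes, queried the security centre and read battery status within seconds; WS-22's single `tasklist` stays below the threshold, which is the behaviour you want from a heuristic that is meant to surface bursts of enumeration rather than individual administrative commands.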

Furthermore, the newly upgraded tool could fetch payloads from the command-and-control servers and deploy them through scripts or macro-enabled Office documents. The threat operators could deliver the malware through spear-phishing emails, malicious macros, and OneDrive links that redirect the target to a malicious document.

Kimsuky has given ReconShark additional capabilities such as security software detection and hardware information checks. These abilities could allow the tool to target victims with greater efficiency and to evade security defences. The recommended defence against this threat remains for organisations to secure their critical assets and stay informed of the latest tactics threat actors use.
