Launch of the "ReconShark" Malware by the North Korean Kimsuky Hacking Group

Kimsuky hackers use new recon tool to find security gaps (Bleeping Computer) The North Korean hacking outfit known as Kimsuky is one threat actor that is constantly seeking new ways to gain access to networks. The gang is aiming their most recent cyberespionage operation, codenamed "ReconShark," at a global audience of governments, research institutions, academic institutions, and think tanks. Kimsuky has collaborated with APT43, another North Korean cyber espionage organization, to disseminate the sophisticated virus, which is a development of the group's BabyShark spyware. The effort is said to start by deploying malicious Chrome extensions or Android spyware that acts as a Remote Access Trojan to target Gmail users and government employees, according to the report. [caption id="" align="aligncenter" width="1500"] Image credit- Tech Times[/caption] The malware then abuses WMI to gather crucial system data such as battery information and current programs. Even the presence of well-known security programs like Kaspersky, Malwarebytes, Trend Micro, and Norton Security is verified. Once the data has been gathered, it is exfiltrated immediately using HTTP POST requests to a command and control server. Since the malware is never kept locally, this method allows for stealthy infiltration. As further described in an article by Sentinel Labs, ReconShark may additionally retrieve additional payloads from the command and control server in a multi-stage way implemented as scripts, macro-enabled Microsoft Office templates, or Windows DLL files. Additionally, it has the ability to modify Windows shortcut files linked to well-known programs so that the malware is launched automatically when these programs are launched. The infection also makes use of a malicious version of the Normal.dotm template that comes with Microsoft Office. Threat actors like Kimsuky continue to break into and steal data from systems all across the world, despite there being knowledge of potential cyber risks. To stop the destructive activities of Kimsuky and other cybercriminal organizations, security experts strongly advise staying up to date on the most recent cyber threats and making sure that the most recent security software is installed on computers and networks. [caption id="" align="aligncenter" width="1600"] Image credit- Twitter[/caption] Kimsuky can also distribute additional payloads via scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files to increase its attack. NK News explained how hackers target journalists and professionals using the BabyShark version. Either replacing the legitimate Microsoft Office template with a malicious one or altering Windows shortcut files, this completes the second step of the attack and causes popular programs like Chrome, Outlook, Firefox, or Edge to launch malicious code. Also read: Install this major update right away if you have an iPhone, iPad, or MacBook The intricacy and shape-shifting abilities of Kimsuky demonstrate the thorough planning and practice that the North Korean threat actor puts into its campaigns. Governments, companies, and people must exercise increased vigilance to avoid suffering the same fate as the high-profile institutions that the cyber-espionage gang has now targeted. As part of your defensive strategy, this is keeping up with system and software upgrades, creating secure passwords, and putting detecting measures in place.