SentinelLabs reported that the North Korean APT Kimsuky used a new malware component, ReconShark, to conduct intelligence collection and espionage operations. The malware reaches users through spear-phishing emails, OneDrive download links, and the execution of malicious macros. Kimsuky has historically targeted geopolitical actors worldwide, and recent campaigns have focused on nuclear agendas between China and North Korea. Kimsuky's latest attack targeted the Korea Risk Group (KRG), which specializes in analyzing information related to the Democratic People's Republic of Korea (DPRK).
The spear-phishing emails Kimsuky used to deploy ReconShark were high quality and customized for each recipient. The emails contained download links for malicious documents that referenced real experts in fields such as political science. These password-protected malicious documents were frequently hosted on Microsoft OneDrive. When the user closes the document, its Microsoft Office macros execute and launch ReconShark's reconnaissance routines. ReconShark is an evolution of Kimsuky's BabyShark malware, which the group used last year to target organizations across the Korean peninsula. The new malware can also exfiltrate valuable information from the victim, which enables follow-on precision attacks tailored to evade the defenses present on that particular platform. Kimsuky, also known as APT43 and Thallium, has harvested credentials, carried out financially motivated cyber-crime, and conducted espionage on behalf of North Korean geopolitical interests in the past.
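The lure chain described above (spear-phishing mail, a cloud download link, a password-protected and macro-enabled document) leaves several signals a mail-triage pipeline can score. The following is an added illustrative example, not code from the SentinelLabs report or from OODA: it flags OneDrive-style links, a document password supplied in the mail body (which is what lets an encrypted attachment slip past gateway scanning), and the presence of a VBA project part inside an OOXML container. The sample message and the in-memory document are constructed for the demo; the `vbaProject.bin` content is a dummy blob, since only the part's presence is checked.

```python
"""Triage heuristics for the phishing lure chain above (added example, not
the report's or OODA's code). Sample message and document are constructed."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Cloud-hosting domains commonly used for document lures; extend per environment.
ONEDRIVE_RE = re.compile(
    r"https?://(?:[\w.-]*\.)?(?:onedrive\.live\.com|1drv\.ms|sharepoint\.com)/\S+", re.I)
# "password is X" / "password: X" in the mail body: the attacker hands over the
# key that the gateway needs but does not have.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.I)


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip-based) document carries a VBA project part.
    Legacy OLE .doc/.xls files are not zips and are handled separately."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(body: str, attachments: dict) -> Finding:
    """Score one message; attachments maps filename -> raw bytes."""
    f = Finding()
    links = ONEDRIVE_RE.findall(body)
    if links:
        f.score += 2
        f.reasons.append(f"cloud download link(s): {len(links)}")
    if PASSWORD_RE.search(body):
        f.score += 3
        f.reasons.append("document password supplied in mail body")
    for name, data in attachments.items():
        if ooxml_has_vba(data):
            f.score += 4
            f.reasons.append(f"{name}: embedded VBA project")
        elif name.lower().endswith((".doc", ".xls")):
            f.score += 1
            f.reasons.append(f"{name}: legacy OLE format, macro-capable")
    return f


def build_demo_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo; the VBA part is a dummy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0DUMMY")
    return buf.getvalue()


# Constructed sample lure body (link and password are placeholders).
SAMPLE_BODY = ("Dear Dr. Example, please review the attached analysis from our expert panel. "
               "Download: https://1drv.ms/u/s!CONSTRUCTED-EXAMPLE  The password is example123")

if __name__ == "__main__":
    result = triage_message(SAMPLE_BODY, {"analysis.docm": build_demo_docm(True)})
    print(result.score, result.reasons)
```

The score thresholds are deliberately simple; in practice the "password in body" signal should route the message to detonation in a sandbox that can open the document with the supplied password and watch for macro execution on close, since the page notes the macros fire when the document is closed rather than on open.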