SentinelLabs Identifies Ongoing Campaign by North Korean APT Group Kimsuky

SentinelLabs recently detected an ongoing operation conducted by Kimsuky, a North Korean Advanced Persistent Threat (APT) group, which aims to infiltrate North Korea-centric information services, human rights activists, and organizations that support defectors from the Democratic People's Republic of Korea (DPRK).

This campaign primarily revolves around gathering intelligence and extracting information by utilizing a modified version of the RandomQuery malware. By employing this variant, Kimsuky can execute precise attacks following the initial reconnaissance phase.

To distribute the RandomQuery malware, Kimsuky continues to rely on Microsoft Compiled HTML Help (CHM) files, a tactic they have employed consistently over an extended period. This approach allows them to deliver a variety of malware to their targets effectively.

To deceive both their targets and network defenders, Kimsuky registers its malicious infrastructure under new top-level domains (TLDs) and chooses domain names whose leftmost label imitates a familiar TLD such as .com (for example, com-port[.]space), so that a casual glance reads the name as a standard .com address. This false sense of legitimacy increases the likelihood that targets act on the lure.
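The naming pattern described above (a familiar TLD string used as a hyphenated prefix of the registrable label under a different TLD) can be turned into a simple detection. The following Python is an added example, not code from SentinelLabs or the report: it scans a constructed DNS query log, flags any domain whose registrable label starts with a TLD-like prefix (the `IMITATED_TLDS` set is an assumption), and cross-checks each hit against the domain IoCs published on this page.

```python
"""Added example (not from the SentinelLabs report): flag DNS queries for
domains that imitate a familiar TLD by using it as a hyphenated prefix of the
registrable label under a different TLD (the "com-port[.]space" style), and
cross-check them against the report's published domain IoCs."""
import re
from typing import List, NamedTuple, Optional

# Domains published as IoCs in the report, written defanged as on the page.
REPORTED_DOMAINS = [
    "com-port[.]space", "com-pow[.]click", "com-def[.]asia", "com-www[.]click",
    "com-otp[.]click", "com-price[.]space", "de-file[.]online", "com-people[.]click",
    "kr-angry[.]click", "kr-me[.]click", "cf-health[.]click", "com-hwp[.]space",
    "com-view[.]online", "com-in[.]asia", "ko-asia[.]click", "db-online[.]space",
]

# TLD strings that, placed before a hyphen, make a name read like ".com"/".kr".
# This set is an assumption for the example; extend it for your environment.
IMITATED_TLDS = {"com", "net", "org", "kr", "de", "cf", "jp", "uk", "us"}

# Domain = optional subdomains, then the registrable label, then the real TLD.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)*([a-z0-9-]+)\.([a-z]{2,})$")

# Constructed DNS query log (not from the report) in a simple key=value format.
SAMPLE_DNS_LOG = """\
2023-05-22T10:01:12Z client=10.0.0.5 query=com-port.space type=A
2023-05-22T10:01:15Z client=10.0.0.5 query=www.example.com type=A
2023-05-22T10:02:40Z client=10.0.0.9 query=kr-angry.click type=A
2023-05-22T10:03:01Z client=10.0.0.7 query=mail.com-def.asia type=A
2023-05-22T10:03:30Z client=10.0.0.7 query=com-foo.com type=A
2023-05-22T10:04:02Z client=10.0.0.7 query=com-support.xyz type=A
2023-05-22T10:04:45Z client=10.0.0.9 query=ko-asia.click type=A
"""


class Finding(NamedTuple):
    domain: str          # normalised, refanged registrable domain
    imitated_tld: str    # TLD string used as prefix ("" if only an IoC match)
    actual_tld: str      # the TLD the name really resolves under
    known_ioc: bool      # exact match against the report's published list


def refang(domain: str) -> str:
    """Turn the defanged 'a[.]b' form back into a real domain, lower-cased."""
    return domain.strip().lower().replace("[.]", ".")


KNOWN_IOCS = {refang(d) for d in REPORTED_DOMAINS}


def check_domain(domain: str) -> Optional[Finding]:
    """Return a Finding when the registrable domain is a published IoC or when
    its label starts with '<tld>-' for a familiar TLD string that differs from
    the real TLD (so plain 'com-foo.com' is not flagged); otherwise None."""
    name = refang(domain)
    m = DOMAIN_RE.match(name)
    if not m:
        return None
    label, tld = m.group(1), m.group(2)
    registrable = f"{label}.{tld}"
    known = registrable in KNOWN_IOCS
    prefix, sep, rest = label.partition("-")
    pattern_hit = bool(sep and rest and prefix in IMITATED_TLDS and prefix != tld)
    if not (known or pattern_hit):
        return None
    return Finding(registrable, prefix if pattern_hit else "", tld, known)


def scan_dns_log(log_text: str) -> List[Finding]:
    """Apply check_domain to every 'query=' field in the log, one Finding per hit."""
    findings = []
    for line in log_text.splitlines():
        m = re.search(r"\bquery=(\S+)", line)
        if m:
            finding = check_domain(m.group(1))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        tag = "KNOWN IOC" if f.known_ioc else "pattern match"
        print(f"{f.domain}: prefix '{f.imitated_tld}' under .{f.actual_tld} [{tag}]")
```

The pattern rule is what gives this check forward value: `com-support.xyz` is not on the page's list but follows the same naming scheme and is still flagged. The exact IoC match stays necessary, because names such as ko-asia[.]click and db-online[.]space use prefixes that are not TLD strings and would otherwise slip past the pattern.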

Indicators of Compromise

SHA1 Hashes
96d29a2d554b36d6fb7373ae52765850c17b68df
84398dcd52348eec37738b27af9682a3a1a08492
912f875899dd989fbfd64b515060f271546ef94c
49c70c292a634e822300c57305698b56c6275b1c
8f2e6719ce0f29c2c6dbabe5a7bda5906a99481c
0288140be88bc3156b692db2516e38f1f2e3f494

Domains
com-port[.]space
com-pow[.]click
com-def[.]asia
com-www[.]click
com-otp[.]click
com-price[.]space
de-file[.]online
com-people[.]click
kr-angry[.]click
kr-me[.]click
cf-health[.]click
com-hwp[.]space
com-view[.]online
com-in[.]asia
ko-asia[.]click
db-online[.]space

Source: https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/
