SentinelLabs recently detected an ongoing operation conducted by Kimsuky, a North Korean Advanced Persistent Threat (APT) group, which aims to infiltrate North Korea-centric information services, human rights activists, and organizations that support defectors from the Democratic People’s Republic of Korea (DPRK).
This campaign primarily revolves around gathering intelligence and extracting information by utilizing a modified version of the RandomQuery malware. By employing this variant, Kimsuky can execute precise attacks following the initial reconnaissance phase.
To distribute the RandomQuery malware, Kimsuky continues to rely on Microsoft Compiled HTML Help (CHM) files, a tactic they have employed consistently over an extended period. This approach allows them to deliver a variety of malware to their targets effectively.
To deceive their unsuspecting victims and network defenders, Kimsuky strategically employs new top-level domains (TLDs) and domain names for their malicious infrastructure. By registering names that imitate established .com domains under other TLDs, they attempt to create a false sense of legitimacy, increasing the likelihood that their targets fall for the lure.
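The lookalike-domain tactic described above can be surfaced from DNS or proxy logs: a query whose second-level label matches an organisation the defender trusts, but under a TLD that organisation does not use, is worth a second look. The following script is an added example written for this page, not SentinelLabs code and not tied to any infrastructure in the report; the trusted-domain list, the log format and the sample log lines are all constructed for illustration.

```python
"""Flag queried domains that reuse a trusted organisation's second-level
label under a different TLD (the "imitate a known .com under a new TLD"
pattern). Added example; all domains and log lines below are constructed."""
import re
from typing import Dict, Iterable, List, Set

# Constructed allow-list of domains the organisation legitimately deals with.
# In practice this would come from an asset inventory or partner list.
TRUSTED_DOMAINS: Set[str] = {
    "example-rights-group.com",
    "dprk-news-service.com",
    "defector-support.org",
}

# Assumed log line layout: "<timestamp> <source-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)$")

# Constructed sample log; two lines are lookalikes, three are benign.
SAMPLE_LOG: List[str] = [
    "2024-01-01T10:00:00Z 10.0.0.5 query mail.example-rights-group.com",
    "2024-01-01T10:00:05Z 10.0.0.5 query example-rights-group.xyz",
    "2024-01-01T10:01:00Z 10.0.0.7 query cdn.dprk-news-service.site",
    "2024-01-01T10:02:00Z 10.0.0.7 query defector-support.org",
    "2024-01-01T10:03:00Z 10.0.0.9 query unrelated-site.com",
]


def registered_parts(domain: str):
    """Return (second-level label, tld) for a domain, or None if malformed.
    Caveat: treats the last label as the TLD, so multi-label public suffixes
    such as co.uk would need a public-suffix list for correct handling."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def build_trusted_map(trusted: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each trusted second-level label to the set of TLDs it is used with."""
    trusted_map: Dict[str, Set[str]] = {}
    for domain in trusted:
        parts = registered_parts(domain)
        if parts is None:
            continue
        sld, tld = parts
        trusted_map.setdefault(sld, set()).add(tld)
    return trusted_map


def find_lookalikes(lines: Iterable[str], trusted: Iterable[str] = TRUSTED_DOMAINS) -> List[dict]:
    """Scan log lines and return the queries whose registered label matches a
    trusted organisation but whose TLD is not one that organisation uses."""
    trusted_map = build_trusted_map(trusted)
    hits: List[dict] = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # ignore lines that do not fit the assumed layout
        qname = match.group("qname")
        parts = registered_parts(qname)
        if parts is None:
            continue
        sld, tld = parts
        if sld in trusted_map and tld not in trusted_map[sld]:
            hits.append({
                "ts": match.group("ts"),
                "src": match.group("src"),
                "qname": qname,
                # the legitimate domain(s) this query appears to imitate
                "impersonates": sorted(f"{sld}.{t}" for t in trusted_map[sld]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} queried {hit['qname']} "
              f"(resembles {', '.join(hit['impersonates'])})")
```

The match is deliberately exact on the second-level label: that catches the "same name, new TLD" case this campaign relies on without the noise of fuzzy string similarity. Enrich hits with domain registration age before alerting, since a freshly registered lookalike under an unusual TLD is a stronger signal than the name alone.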
Indicators of Compromise