Article Details

Scrape Timestamp (UTC): 2024-03-21 05:34:27.475

Source: https://www.theregister.com/2024/03/21/kimsuky_chm_file_campaign/

Original Article Text

It's 2024 and North Korea's Kimsuky gang is exploiting Windows Help files. New infostealer may indicate a shift in tactics – and maybe targets too, beyond Asia.

North Korea's notorious Kimsuky cyber crime gang has commenced a campaign using fresh tactics, according to infosec tools vendor Rapid7.

A Wednesday post explains that the crew – also known as Black Banshee, Thallium, APT 43 and Velvet Chollima – has a long history of trying to lift info from government agencies and outfits like think tanks, probably to gather intelligence that Kim Jong Un's regime might find valuable.

Kimsuky's favorite tactic is spear phishing, sometimes after a lengthy social engineering effort from correspondents posing as academics or media. Past attacks have seen victims sent a questionnaire laden with malware.

Rapid7 isn't sure how the gang distributes its latest attack, but is confident the payload includes poisoned Microsoft Compiled HTML Help (CHM) files along with ISO, VHD, ZIP and RAR files.

CHM files can include text, images, and hyperlinks. Kimsuky is probably more interested in them because they can execute JavaScript.

Rapid7's researchers cracked open one of the CHM files they believe is the work of Kimsuky and found "an example of using HTML and ActiveX to execute arbitrary commands on a Windows machine, typically for malicious purposes."

The malicious purpose in this case is installing a VBScript and modifying the Windows registry to ensure the gang's scripts run at system startup. The script harvests info about the victim's machine, the processes it is running as well as recent Word files, and then lists directories and their contents.

Rapid7's post details another couple of techniques used to install infostealers – again using CHM files. The firm has detailed indicators of compromise here.

Rapid7 chief scientist Raj Samani told The Register his team has moderate confidence this technique is the work of Kimsuky, and that the target of the campaign is South Korea – an assertion supported by many filenames in Korean found in the payload.

Samani, however, believes that Kimsuky may be spreading beyond its usual hunting grounds of Asia. He notes that Germany's Bundesamt für Sicherheit in der Informationstechnik – the nation's federal infosec agency – lists Kimsuky as active within German borders.

The Register put it to Samani that poisoned CHM files aren't new, which he acknowledged – but retorted by pointing out that they may be a blind spot in some orgs' defenses. "We are dealing with individuals that are innovative and understand defenses," he warned.

Samani is uncertain if Kimsuky has a particular target for its latest campaign, but suggested Rapid7 will be in a position to offer a more detailed assessment in around April.
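The chain the article describes (a CHM opened in the Windows Help viewer executing commands, a dropped VBScript, and a registry Run key for persistence) is something a detection team can hunt for in endpoint telemetry. The following is an added example, not code from Rapid7 or The Register; the events are constructed Sysmon-style records (Event 1 process creation, Event 13 registry value set), and the field names and the `hh.exe` parent-process heuristic are assumptions, not indicators published for this campaign.

```python
"""Flag two steps of the CHM -> script -> Run-key chain in constructed telemetry."""
import re

# Constructed sample events: (event_id, fields). Paths and names are made up.
SAMPLE_EVENTS = [
    (1, {"ParentImage": r"C:\Windows\hh.exe",                 # Windows Help viewer
         "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": r"cmd.exe /c start wscript.exe //b %TEMP%\update.vbs"}),
    (1, {"ParentImage": r"C:\Windows\System32\cmd.exe",
         "Image": r"C:\Windows\System32\wscript.exe",
         "CommandLine": r"wscript.exe //b C:\Users\u\AppData\Local\Temp\update.vbs"}),
    (13, {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          "Details": r"wscript.exe //b C:\Users\u\AppData\Local\Temp\update.vbs"}),
    (1, {"ParentImage": r"C:\Windows\explorer.exe",           # benign: user opens a help file
         "Image": r"C:\Windows\hh.exe",
         "CommandLine": r"hh.exe C:\Users\u\Downloads\manual.chm"}),
]

# Interpreters a help file has no business launching.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Per-user or per-machine autostart key, any hive prefix.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Script file extensions handled by the Windows Script Host / mshta.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, detail) for each event matching a rule, in input order."""
    findings = []
    for event_id, f in events:
        # Rule 1: the Help viewer spawning a shell or script interpreter.
        if (event_id == 1 and basename(f["ParentImage"]) == "hh.exe"
                and basename(f["Image"]) in SCRIPT_HOSTS):
            findings.append(("chm_spawns_script_host", f["CommandLine"]))
        # Rule 2: a Run-key value whose command points at a script file.
        if (event_id == 13 and RUN_KEY_RE.search(f["TargetObject"])
                and SCRIPT_EXT_RE.search(f["Details"])):
            findings.append(("run_key_points_to_script", f["TargetObject"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Rule 1 alone will also fire on legitimate help content that shells out, so in practice the two findings should be correlated on host and time rather than alerted on individually.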

Daily Brief Summary

NATION STATE ACTIVITY // North Korean Kimsuky Gang Escalating Cyber Espionage with Help Files

North Korea's Kimsuky cybercrime group is adopting new tactics in cyber espionage, utilizing Windows Help files to deploy infostealers.

These attacks primarily aim at gathering intelligence from government sectors and think tanks to benefit Kim Jong Un's regime.

The threat actors, known for spear phishing, are now using Microsoft Compiled HTML Help (CHM) files to execute arbitrary commands on Windows systems.

Their operations include stealing information about victims' computers, running processes, and recent Word documents, indicating a focus on obtaining sensitive data.

Security vendor Rapid7, which reported the findings, has outlined the compromise indicators and is moderately confident the campaign is targeting South Korea, with potential expansion beyond Asia.

The German federal infosec agency has reported Kimsuky activity within Germany, demonstrating the group's expanding geographic focus.

The use of CHM files is known, but Rapid7 warns that some organizations' defenses might overlook them, highlighting the need for continued vigilance and adaptation to counter such threats.