It’s 2024 and North Korea’s Kimsuky gang is exploiting Windows Help files

March 21, 2024 at 01:39AM

The Kimsuky cyber crime gang, also known as Black Banshee, Thallium and APT 43, is employing new tactics in its operations, particularly against targets in South Korea. Rapid7 suspects the approach involves distributing malicious files in CHM, ISO, VHD, ZIP and RAR formats and using them to execute arbitrary commands and harvest information from victims’ devices.

North Korea’s Kimsuky cyber crime gang is using fresh tactics in its latest campaign. The gang, also known by aliases such as Black Banshee, Thallium, APT 43 and Velvet Chollima, has a history of attempting to gather intelligence from government agencies and organizations like think tanks, most likely for the benefit of Kim Jong Un’s regime.

Kimsuky’s favored tactic is spear phishing, often preceded by a lengthy social engineering effort. They are currently distributing their latest attack through poisoned Microsoft Compiled HTML Help (CHM) files, along with ISO, VHD, ZIP, and RAR files. These CHM files can execute JavaScript and are being used to install VBScript and modify the Windows registry to ensure the gang’s scripts run at system startup. The payload contains filenames in Korean, indicating that the target of the campaign is likely South Korea, though there are indications that Kimsuky may be expanding their activities to Germany.

Rapid7’s chief scientist Raj Samani believes that Kimsuky’s latest techniques, while not entirely new, may still be a blind spot in some organizations’ defenses. He also suggested that Rapid7 will provide a more detailed assessment of the situation around April.

Overall, Kimsuky’s recent activities pose a significant threat, and organizations should be vigilant in updating their defenses to protect against these evolving tactics.
