The North Korean state-sponsored APT group known as Kimsuky has been observed using a new malware component called ReconShark.
According to an advisory published by SentinelOne security researchers on Thursday, ReconShark is distributed through targeted spear-phishing emails, which contain OneDrive links that lead to downloading documents and activating harmful macros.
“The spear-phishing emails are made with a level of design quality tuned for specific individuals, increasing the likelihood of opening by the target. This includes proper formatting, grammar, and visual clues, appearing legitimate to unsuspecting users,” explained SentinelOne’s Tom Hegel and Aleksandar Milenkoski.
“Notably, the targeted emails, which contain links to download malicious documents, and the malicious documents themselves, abuse the names of real individuals whose expertise is relevant to the lure subject such as political scientists.”
The Microsoft Office macros are triggered when a document is closed and carry out a more advanced version of the reconnaissance function found in Kimsuky’s BabyShark malware.
“The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses,” reads the advisory.
Read more on Kimsuky here: North Korean Hackers Impersonate Researchers to Steal Intel
ReconShark, unlike previous variants, does not save gathered information on the file system. Instead, the malware keeps the data in string variables and sends it to a command-and-control (C2) server via HTTP POST requests. ReconShark can also install additional payloads, such as scripts or DLL files, based on the detection mechanism processes found on the infected machines.
Hegel and Milenkoski further explained that the group’s recent campaigns focused on global issues and targeted audiences worldwide.
“For example, the latest Kimsuky campaigns have focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine,” reads the technical write-up.
The SentinelOne team recently noticed a campaign targeting Korea Risk Group (KRG) employees. KRG is a firm that specializes in analyzing matters that have a direct or indirect impact on the Democratic People’s Republic of Korea (DPRK).
“Our assessment is that the same campaign has been used to continue targeting other organizations and individuals in at least the United States, Europe, and Asia, including think tanks, research universities, and government entities,” Hegel and Milenkoski warned.
The SentinelOne advisory comes weeks after Mandiant revealed a new North Korean APT group possibly associated with Kimsuky.