According to the cybersecurity firm SentinelOne, the North Korean APT group Kimsuky is actively conducting an intelligence-gathering operation. Its main targets are information services and organizations that support North Korean defectors and advocate for human rights.
The operation, which uses the RandomQuery malware, has been observed since May 5, 2023. This custom malware is purpose-built for file enumeration and the exfiltration of sensitive data.
In a series of targeted attacks, the group sends phishing emails that pose as correspondence from the South Korean newspaper Daily NK. The emails persuade recipients to open a Microsoft Compiled HTML Help (CHM) file, which runs a Visual Basic script. That script retrieves the second-stage payload, a VBScript variant of RandomQuery, from a remote server.
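The infection chain above (CHM file rendered by the Windows help viewer, which spawns a script host that then pulls a second stage from a remote server) is visible in endpoint telemetry as a parent/child process relationship plus an outbound connection. The following Python is an added example written for this page, not code from SentinelOne or from the article; it runs a simple hunt over constructed Sysmon-style events (Event ID 1 process creation and Event ID 3 network connection). The PIDs, file names and the TEST-NET address are all made up for the example, and the script assumes PIDs are unique within the window being searched (real Sysmon data should be correlated on ProcessGuid instead).

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Script interpreters that a malicious CHM can launch from its embedded HTML.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
CHM_VIEWER = "hh.exe"  # Windows HTML Help viewer that renders .chm files


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields (constructed, not real telemetry)."""
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class NetworkConnect:
    """Subset of Sysmon Event ID 3 fields (constructed, not real telemetry)."""
    pid: int
    dest_ip: str
    dest_port: int


def image_name(path: str) -> str:
    """Return the lowercase executable name from a Windows image path."""
    return PureWindowsPath(path).name.lower()


def find_chm_script_chains(procs: List[ProcessCreate],
                           conns: List[NetworkConnect]) -> List[Dict]:
    """Flag script hosts whose parent is hh.exe.

    Severity is raised to "high" when the script host also made an outbound
    connection, which matches the second-stage download described above.
    Assumes PIDs are not reused inside the searched window.
    """
    by_pid = {p.pid: p for p in procs}
    connecting_pids = {c.pid for c in conns}
    hits = []
    for p in procs:
        if image_name(p.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or image_name(parent.image) != CHM_VIEWER:
            continue
        severity = "high" if p.pid in connecting_pids else "medium"
        hits.append({"parent": parent, "child": p, "severity": severity})
    return hits


# Constructed sample events: one benign help-file view, one suspicious chain,
# and one script host launched by explorer.exe rather than hh.exe.
SAMPLE_PROCS = [
    ProcessCreate(1200, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreate(1310, 1200, r"C:\Windows\hh.exe",
                  r'"C:\Windows\hh.exe" "C:\Program Files\Tool\help.chm"'),
    ProcessCreate(1400, 1200, r"C:\Windows\hh.exe",
                  r'"C:\Windows\hh.exe" C:\Users\user\Downloads\Attachment.chm'),
    ProcessCreate(1450, 1400, r"C:\Windows\System32\wscript.exe",
                  r"wscript.exe //B C:\Users\user\AppData\Local\Temp\stage.vbs"),
    ProcessCreate(1500, 1200, r"C:\Windows\System32\cscript.exe",
                  r"cscript.exe //nologo logon.vbs"),
]
SAMPLE_CONNS = [
    NetworkConnect(1450, "203.0.113.10", 443),  # TEST-NET-3 address, constructed
    NetworkConnect(1200, "192.0.2.5", 80),      # explorer.exe, unrelated
]


if __name__ == "__main__":
    for hit in find_chm_script_chains(SAMPLE_PROCS, SAMPLE_CONNS):
        print(f"[{hit['severity']}] {image_name(hit['parent'].image)} "
              f"(pid {hit['parent'].pid}) -> {hit['child'].command_line}")
```

In real telemetry the same logic maps directly onto a SIEM query on ParentImage and Image; the network-connection join is what separates a user reading a legitimate help file from a CHM that has kicked off a downloader.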
North Korean Hackers’ Data Collection Tactics and Previous Targeted Attacks
The malware collects the following data and sends it to its C2 server:
- System metadata;
- Information on running processes and installed applications;
- Files located in various folders.
North Korean hacker groups are notorious for their frequent attacks on neighboring entities. In a previous article published in April, we covered North Korean threat actors targeting South Korean politicians and government officials, and in March we reported on attacks against several government and financial institutions in South Korea.