
RandomQuery: North Korea’s Covert Initiative to Monitor Human Rights Activists


By Esme Greene

Aug 8, 2023

According to the security firm SentinelOne, the North Korean state-sponsored APT group Kimsuky is running an ongoing intelligence-gathering campaign. Its primary targets are information services and organizations that support North Korean defectors and human rights activists.

The campaign, active since May 5th, 2023, relies on a malware strain that SentinelOne calls RandomQuery: a purpose-built tool for enumerating files on the victim's machine and exfiltrating sensitive data.

In these targeted attacks, the group sends phishing emails that impersonate correspondence from the South Korean news outlet Daily NK. The emails lure recipients into opening an attached Microsoft Compiled HTML Help (CHM) file, which runs an embedded Visual Basic script. That script retrieves the second-stage payload, a VBScript variant of RandomQuery, from a remote server.

North Korean Hackers’ Data Collection Tactics and Previous Targeted Attacks

Once running, the malware collects the following data and sends it to its command-and-control (C2) server:

  • System metadata;
  • Information on running processes and installed applications;
  • Files located in various folders.
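The delivery chain above (a CHM file opened by the Windows help viewer, a script engine spawned beneath it, and that script engine reaching out to a remote host for the second stage and later for C2 traffic) leaves a recognizable trail in endpoint telemetry. The following hunt script is an added example, not code from the article or from SentinelOne's report: it runs three rules over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records. The events, paths and addresses are constructed for the example, and the internal address ranges are an assumption to tune for your environment.

```python
"""Hunt for the CHM -> script engine -> remote host chain in Sysmon-style events.
Added example; the sample events below are constructed, not real telemetry."""

import ipaddress
import ntpath

# Processes a benign help file has little reason to spawn under hh.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
# Script engines that should rarely originate their own outbound connections.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Destinations treated as internal (assumption; adjust to your network).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry shaped like Sysmon EventID 1 (process create)
# and EventID 3 (network connect). File names and addresses are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 1000,
     "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\report.chm'},
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r"cmd.exe /c start /min wscript.exe //e:vbscript C:\Users\user\AppData\Local\Temp\stage1.dat"},
    {"EventID": 1, "ProcessId": 4130, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript.exe //e:vbscript C:\Users\user\AppData\Local\Temp\stage1.dat"},
    {"EventID": 3, "ProcessId": 4130, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign noise: a logon script started by explorer that talks to an internal host.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs"},
    {"EventID": 3, "ProcessId": 5000, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def basename(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_internal(ip):
    """True when the destination falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ancestors(pid, procs):
    """Yield image names of pid's parent, grandparent, ... from EventID 1 records."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ev = procs[pid]
        yield basename(ev["ParentImage"])
        pid = ev.get("ParentProcessId")


def hunt(events):
    """Return findings as dicts with keys rule, pid and detail."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            # Rule A: the CHM viewer spawning a shell or script host.
            if parent == "hh.exe" and child in SCRIPT_HOSTS:
                findings.append({"rule": "chm_spawned_script_host",
                                 "pid": ev["ProcessId"], "detail": ev["CommandLine"]})
        elif ev["EventID"] == 3:
            if basename(ev["Image"]) not in SCRIPT_ENGINES:
                continue
            dest = "{}:{}".format(ev["DestinationIp"], ev["DestinationPort"])
            # Rule B: a script engine reaching a host outside the internal ranges;
            # a second-stage download and C2 check-ins both look like this.
            if not is_internal(ev["DestinationIp"]):
                findings.append({"rule": "script_host_external_egress",
                                 "pid": ev["ProcessId"], "detail": dest})
            # Rule C: the whole chain, with hh.exe somewhere above the connecting engine.
            if "hh.exe" in ancestors(ev["ProcessId"], procs):
                findings.append({"rule": "chm_to_network_chain",
                                 "pid": ev["ProcessId"], "detail": dest})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print("{:28} pid={} {}".format(f["rule"], f["pid"], f["detail"]))
```

Rule A is the highest-signal of the three on its own, because hh.exe almost never needs to start a shell or script host; rules B and C add the network leg so that a CHM that drops a script which then phones out is separated from the ordinary logon-script noise in the benign sample.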

North Korean hacker groups are notorious for their frequent attacks on neighboring targets. In an article published in April, we covered North Korean threat actors targeting South Korean politicians and government officials, and in March we reported on attacks against several state and financial institutions in South Korea.

 

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.