The Kimsuky APT group, believed to be backed by the North Korean state, has become an infamous name in the world of cyber espionage. This group targets government agencies, industry, and think tanks in South Korea to gather classified and sensitive information. In recent years, Kimsuky has been identified as a major actor in sophisticated cyber attacks, and one of its favored techniques for spreading malware is through CHM files.
The Kimsuky APT group is a cyber-espionage group that is believed to be associated with the North Korean regime. They have been known to target South Korean government, military, and nuclear websites, as well as international organizations and private-sector entities. They are also known to use social engineering tactics and spear-phishing attacks to gain unauthorized access to their targets’ networks and steal sensitive information.
Kimsuky APT is a North Korean state-backed hacking group that operates on behalf of the North Korean government for espionage purposes. The group primarily operates in South Korea, where it targets various organizations such as government agencies, industries, think tanks, and nuclear power operators. Kimsuky is known to use a variety of tactics to infiltrate these organizations, but their use of CHM files remains one of their favored methods.
Targets of Kim-suk-ky
Over the years, Kimsuky has targeted several agencies and organizations in South Korea, primarily to collect classified and sensitive information. These targets include:
1. South Korean think tanks.
2. Industry.
3. Nuclear power operators.
4. South Korean Ministry of Unification.
Period of operation
According to security experts, Kimsuky has been operating since 2012. Over time, the group has evolved from relatively simple tactics to more advanced methods.
Malware distribution through CHM files
The Kimsuky APT group has been using CHM files to distribute malware to targeted machines. These files are compressed HTML files that provide help materials, usually containing text, photos, and hyperlinks.
Attackers are known to use CHM files
The group uses phishing emails or other social engineering tactics to distribute these CHM files. They are sent as attachments with a subject line that appears relevant to the target users. Once the user clicks on the file, additional scripts are downloaded, which exfiltrate user information and install malware.
Information harvested from CHM files
Kimsuky uses CHM files to harvest user information such as passwords or account details. They can also download and install additional malware or create a backdoor to maintain access to the victim’s computer.
Based on the analysis of multiple attacks executed in May, security researchers found that Kimsuky used different subjects, such as cryptocurrency, tax accounting, and contracts in distributed files, instead of North Korean-related topics. The goal of diversifying the content is to make the malware more convincing to the victim and harder to detect.
The group chose the subject matter for CHM files based on current events or topics relevant to the target field to make them more appealing to the victims. The report shows a deeper level of planning in the group’s malware campaigns.
CHM files
A CHM file is a compressed HTML file that provides help material. It can contain text, photos, and hyperlinks. They are created to provide help and support to users of various software and applications.
Tactics used to trap victims
Kimsuky uses a variety of tactics to trap victims. They use document disguises to trick users into executing the malware and take advantage of their susceptibility, making them fall prey to the cyber threat.
Document disguises
The group disguises CHM files as documents, such as contracts, invitations, or tenders. Users may become victims and click on the document to execute the malware, assuming it came from a legitimate source.
Users’ susceptibility to falling prey
Kimsuky takes advantage of users’ habits of engaging with the software they think they need support with. They assume that the user will click on the link and execute the help window to get assistance without due caution.
Execution of Malware
Once the user clicks on the CHM file, additional scripts are downloaded to exfiltrate user information and install malware, including backdoors, Trojans, and other sophisticated types of malware.
Downloading additional scripts
The group downloads additional scripts or malware to silently harvest the targeted user’s data.
Exfiltration of user information
The Kimsuky group exfiltrates sensitive information such as passwords, account information, and other credentials for malicious use.
Prevention measures
Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine checks on their computers and update their security software to the latest version.
Verifying email sources
The first step is to verify that the email source and attachments are legitimate, and that you are expecting them.
Use caution when opening unknown files
Never click on unknown or unexpected attachments downloaded from the internet, as they may contain malware or viruses that can harm your PC.
Regular PC checks and updated security software
Regular PC checks help identify and remove any malware or suspicious files from the device. Users should keep their security software updated to prevent any breaches.
The Kimsuky APT group continues to employ sophisticated techniques to infiltrate various organizations, with CHM files being one of their primary tools. Their diverse clickbait content and document disguises provide a deeper level of planning in their campaigns. Users must be aware of the risk levels and potential vulnerabilities of the CHM file format, and they need to be vigilant while communicating and using such files for support and assistance. Implementing better protection measures will help safeguard users and ensure the security of their data.