Unmasking Kimsuky APT Group’s New Wave of Malware: Devious North Korean Cyber Espionage Tactics

The Kimsuky APT group, believed to be backed by the North Korean state, has become an infamous name in the world of cyber espionage. This group targets government agencies, industry, and think tanks in South Korea to gather classified and sensitive information. In recent years, Kimsuky has been identified as a major actor in sophisticated cyber attacks, and one of its favored techniques for spreading malware is through CHM files.

The Kimsuky APT group is a cyber-espionage group that is believed to be associated with the North Korean regime. They have been known to target South Korean government, military, and nuclear websites, as well as international organizations and private-sector entities. They are also known to use social engineering tactics and spear-phishing attacks to gain unauthorized access to their targets’ networks and steal sensitive information.

Kimsuky APT is a North Korean state-backed hacking group that operates on behalf of the North Korean government for espionage purposes. The group primarily operates in South Korea, where it targets various organizations such as government agencies, industries, think tanks, and nuclear power operators. Kimsuky is known to use a variety of tactics to infiltrate these organizations, but their use of CHM files remains one of their favored methods.

Targets of Kimsuky

Over the years, Kimsuky has targeted several agencies and organizations in South Korea, primarily to collect classified and sensitive information. These targets include:

1. South Korean think tanks.
2. Industry.
3. Nuclear power operators.
4. South Korean Ministry of Unification.

Period of operation

According to security experts, Kimsuky has been operating since 2012. Over time, the group has evolved from relatively simple tactics to more advanced methods.

Malware distribution through CHM files

The Kimsuky APT group has been using CHM files to distribute malware to targeted machines. These files are compressed HTML files that provide help materials, usually containing text, photos, and hyperlinks.

How the CHM files are delivered

The group uses phishing emails or other social engineering tactics to distribute these CHM files. They are sent as attachments with a subject line that appears relevant to the target users. Once the user clicks on the file, additional scripts are downloaded, which exfiltrate user information and install malware.

Information harvested from CHM files

Kimsuky uses CHM files to harvest user information such as passwords or account details. They can also download and install additional malware or create a backdoor to maintain access to the victim’s computer.

Based on the analysis of multiple attacks executed in May, security researchers found that Kimsuky used lure subjects such as cryptocurrency, tax accounting, and contracts in the distributed files, rather than North Korea-related topics. The goal of diversifying the content is to make the malware more convincing to the victim and harder to detect.

The group chose the subject matter for CHM files based on current events or topics relevant to the target field to make them more appealing to the victims. The report shows a deeper level of planning in the group’s malware campaigns.

CHM files

A CHM file is a compressed HTML file that provides help material. It can contain text, photos, and hyperlinks. CHM files are created to ship help and support documentation with software and applications.

Tactics used to trap victims

Kimsuky uses a variety of tactics to trap victims. They disguise the CHM files as documents to trick users into executing the malware, and they exploit the habits that make users likely to open such files without suspicion.

Document disguises

The group disguises CHM files as documents, such as contracts, invitations, or tenders. Users may become victims and click on the document to execute the malware, assuming it came from a legitimate source.
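The two points above, that a CHM file is a compressed HTML help container and that the group hands it to victims under a document-style name, suggest a simple defensive check: identify CHM content by its file header rather than by its extension, and flag any attachment whose name does not match. The following is an added example written for this page; it is not code from the article or from any vendor report. It assumes the fixed ITSF header layout from the public CHM format descriptions (signature, version, header length, a constant, timestamp, language ID), and the function names, the sample attachments and the header bytes are constructed for illustration.

```python
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every CHM file starts with the 4-byte ITSF signature; the following fixed
# fields are little-endian 32-bit integers (public ITSF format descriptions).
CHM_MAGIC = b"ITSF"
CHM_FIXED_HEADER_LEN = 24


@dataclass
class ChmHeader:
    version: int        # 3 for CHM files written by Microsoft's HTML Help tools
    header_length: int  # total length of the ITSF header, in bytes
    timestamp: int      # build timestamp field as stored by the compiler
    language_id: int    # Windows LCID of the help content (0x0412 is Korean)


def parse_chm_header(data: bytes) -> Optional[ChmHeader]:
    """Parse the fixed ITSF header that begins every CHM file.

    Offsets (little-endian): 0 'ITSF', 4 version, 8 header length,
    12 constant 1, 16 timestamp, 20 language ID. Returns None when the
    bytes do not start with a CHM header, so callers can recognise CHM
    content regardless of the file name it was given.
    """
    if len(data) < CHM_FIXED_HEADER_LEN or data[:4] != CHM_MAGIC:
        return None
    version, header_length, _const, timestamp, language_id = struct.unpack_from("<5I", data, 4)
    return ChmHeader(version, header_length, timestamp, language_id)


def classify_attachment(name: str, data: bytes) -> str:
    """Verdict for one attachment: 'chm', 'disguised_chm' or 'other'.

    'chm' is CHM content whose extension says so (already unusual in mail);
    'disguised_chm' is CHM content carrying a non-.chm name such as
    contract.docx, the document disguise described in the article.
    """
    if parse_chm_header(data) is None:
        return "other"
    ext = os.path.splitext(name.lower())[1]
    if ext == ".chm":
        return "chm"
    return "disguised_chm"


def scan_attachments(attachments: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, verdict) for every attachment that is CHM content."""
    findings = []
    for name, data in attachments.items():
        verdict = classify_attachment(name, data)
        if verdict != "other":
            findings.append((name, verdict))
    return findings


def make_sample_chm(language_id: int = 0x0412) -> bytes:
    """Constructed sample: a minimal ITSF header with no real help content.

    0x60 is the header length of a version-3 CHM header; the bytes after
    the fixed fields are zero-filled here, which is enough for header checks.
    """
    header = CHM_MAGIC + struct.pack("<5I", 3, 0x60, 1, 0, language_id)
    return header + bytes(0x60 - len(header))


# Constructed inbox sample; the names echo the lure topics named in the article.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "tax_accounting_guide.chm": make_sample_chm(),
    "contract_2023.docx": make_sample_chm(),      # CHM content under a document name
    "invitation.pdf": b"%PDF-1.7\n%constructed sample\n",
    "notes.txt": b"plain text, nothing to flag",
}


if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        lang = parse_chm_header(SAMPLE_ATTACHMENTS[name]).language_id
        print(f"{verdict:14s} {name} (language ID 0x{lang:04X})")
```

Checking the signature rather than the extension is the point: renaming a CHM file does not change its first four bytes, so a mail gateway or endpoint script using this check will still see the attachment as help-file content. The language ID is worth logging alongside the verdict, since a help file whose content language does not match the expected recipient is another cue for an analyst.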

Users’ susceptibility to falling prey

Kimsuky takes advantage of users' habit of opening help material for software they think they need support with. The group assumes that the user will click on the link and open the help window to get assistance without due caution.

Execution of Malware

Once the user clicks on the CHM file, additional scripts are downloaded to exfiltrate user information and install malware, including backdoors, Trojans, and other sophisticated types of malware.

Downloading additional scripts

The group downloads additional scripts or malware to silently harvest the targeted user’s data.

Exfiltration of user information

The Kimsuky group exfiltrates sensitive information such as passwords, account information, and other credentials for malicious use.

Prevention measures

Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine checks on their computers and update their security software to the latest version.

Verifying email sources

The first step is to verify that the email source and attachments are legitimate, and that you are expecting them.

Use caution when opening unknown files

Never click on unknown or unexpected attachments downloaded from the internet, as they may contain malware or viruses that can harm your PC.

Regular PC checks and updated security software

Regular PC checks help identify and remove any malware or suspicious files from the device. Users should keep their security software updated to prevent any breaches.

The Kimsuky APT group continues to employ sophisticated techniques to infiltrate various organizations, with CHM files being one of their primary tools. Their diverse clickbait content and document disguises reflect a deeper level of planning in their campaigns. Users must be aware of the risks and potential vulnerabilities of the CHM file format, and they need to be vigilant when receiving and using such files for support and assistance. Implementing better protection measures will help safeguard users and ensure the security of their data.
