North Korean APT Spreads New Malware Using False Microsoft OneDrive Links

North Korean APT Spreads New Malware Using False Microsoft OneDrive Links

With a new spear-phishing campaign using Microsoft OneDrive links in documents loaded with malicious macros that launch brand-new reconnaissance software, the North Korean cyber espionage organization Kimsuky has increased the scope of its attacks. In addition, SentinelLabs researchers noticed a new campaign from the threat actor targeting employees of Korea Risk Group (KRG), a research and analysis company focusing on issues that directly and indirectly affect the Democratic People’s Republic of Korea (DPRK).

According to a recent blog post, they believe the same effort is also being used to target students at colleges – a new victim pool for Kimsuky — and more traditional targets, including governmental institutions, research facilities, and think tanks in North America, Europe, and Asia. Tom Hegel and Aleksandar Milenkoski of SentinelOne noted in the report that the campaign depicts the well-known APT using new malware called ReconShark, which is a part of and named for a bespoke malware version called BabyShark previously employed in campaigns toward the end of last year.

Based on similarities in file naming conventions, used malware staging tactics, and code format, the researchers concluded that ReconShark could exfiltrate information, including deployed detection systems and hardware details, to obtain access to targeted networks. According to the researchers’ report, the malware looks to be “part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses.”

Although spear-phishing is frequently a component of Kimsuky’s operation, the gang is making an extra effort to carefully create emails in the most recent campaign so they don’t raise suspicion. Notably, the researchers said both the targeted emails, which include links to download harmful papers, and the malicious documents themselves make fun of the names of genuine people with knowledge related to the luring issue, including political scientists, said the researchers.

The malicious document made available for download in the mail and contains macros that launch ReconShark was expressly hosted by the campaign against KRG on Microsoft OneDrive. For instance, a lure email used in the campaign featured a link to a password-protected document file called “Research Proposal-Haowen Song.doc” on OneDrive that, per the researchers, contained a malicious macro for downloading the malware.

ReconShark’s primary duty after downloading is to exfiltrate data from the infected platform, including implemented endpoint threat detection methods, information about the batteries connected to the machine, and active processes. The malware uses Windows Management Instrumentation (WMI) to query process and battery statistics, which makes it comparable to earlier BabyShark versions, they noted. However, ReconShark is capable of more than merely stealing system information. They said it is also capable of multi-stage deployment of additional payloads, including those implemented as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLL files.

“ReconShark decides what payloads to deploy depending on what detection mechanism processes run on infected machines,” the researchers wrote in the post.

Since 2018, Kimsuky, also known as Thallium, has been on the radar of several academics. Its prior activity, which SentinelOne claims goes back to 2012, has been extensively publicized. In early attacks, the gang primarily concentrated on cyber espionage against academic institutes, geopolitical think tanks, and pharmaceutical businesses, especially during the height of the epidemic. Even though Kimsuky’s latest actions have increased its notoriety among security experts, the organization continues to grow despite this. In reality, the new campaign demonstrates Kimsuky expanding the scope of its targets to include institutions, which Dror Liwer, co-founder of cybersecurity firm Coro, calls “worrying” given their generally weak cybersecurity defenses and awareness initiatives.

“We have seen a triple-digit increase in attacks on educational institutions in the US in the last year, which is driven by a perfect storm from an attacker’s perspective: Extremely valuable data, and lacking defenses,” he says in an email.

Overall, enterprises can fend off spear-phishing attempts from Kimsuky and other actors by following best practices for email security hygiene. For example, employ scanning tools to monitor incoming messages for suspicious behavior so that they are identified before they even reach users. In addition, experts said that educating staff members and anybody else using an organization’s email system may also help them recognize fraudulent communications that evade other security measures and prevent infiltration.

About the author

Yehudah Sunshine

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create and or opportunities enhance marketing strategies and elevate cyber driven thought leadership for cyfluencer (www.cyfluencer .com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.

Share: