The North Korean Kimsuky operating group has been seen using a new version of its reconnaissance malware, called “ReconShark,” in a global cyberespionage campaign. One cybersecurity company stated that the threat actor had broadened its scope, targeting government organizations, research institutes, universities, and think tanks in the United States, Europe, and Asia. Kimsuky, known as Thallium and Velvet Chollima, began spreading malicious Chrome extensions targeting Gmail accounts and an Android spyware operating as a remote access trojan in March 2023, according to South Korean and German authorities. Another cybersecurity company disclosed a Kimsuky campaign targeting South Korean politicians, diplomats, university professors, and journalists with a multi-stage validation process ensuring only valid targets were infected with malicious payloads.

Details of ReconShark Malware Tool

Kimsuky uses well-crafted and personalized spear-phishing emails to infect its targets with the ReconShark malware, a method used by the threat group in all past campaigns. To avoid triggering any alerts on email security tools, the emails contain a link to a malicious password-protected document hosted on Microsoft OneDrive. The integrated ReconShark malware is activated when targets open the downloaded document and enable macros as directed. Following Microsoft’s decision to deactivate macros in downloaded Office documents by default, most threat actors turned to new file types for phishing attacks, including ISO files and OneNote documents. Threat operators are likely looking for easy targets against outdated versions of Office or users enabling macros. Kimsuky isn’t being particularly innovative, especially since the BabyShark malware family is still evolving.

Cybersecurity company analysts believe ReconShark is a development of Kimsuky’s “BabyShark” malware, which has been found deployed by APT43, an overlapping North Korean cyberespionage group that targets United States companies. ReconShark uses WMI to gather information about the infected system, including running processes and battery data. Additionally, it checks for the presence of security software with one cybersecurity company stating specific checks for Kaspersky, Malwarebytes, Trend Micro, and Norton Security products. The reconnaissance data is exfiltrated directly, with the malware transmitting everything to the C2 server using HTTP POST requests and not storing anything locally. The ReconShark’s ability to exfiltrate valuable information, including deployed detection mechanisms and hardware information, shows that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation allowing subsequent precision attacks that involves malware that’s tailored to evade defenses and exploit platform weaknesses.

ReconShark can also retrieve more payloads from the C2, giving Kimsuky a firmer footing on the infected system. With the addition of exfiltrating information, ReconShark deploys additional payloads in a multi-stage as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DDL files. ReconShark determines which payloads to deploy based on the detection mechanism processes running on infected machines. During the payload deployment stage, the malware is executed by editing Windows shortcut files (LNK) connected with popular applications, including Chrome, Outlook, Firefox, or Edge. Another way is to replace the default Microsoft Office template, Normal.dotm, with a malicious version hosted on the C2 server, causing malicious code to be loaded anytime users run Microsoft Word. Both strategies provide a stealthy mechanism for threat actors to infiltrate deeper into targeted systems, maintain persistence, and execute more payloads or orders as part of threat actors’ multi-stage attack. Kimsuky’s ingenuity and shape-shifting methods blur the distinction between its operation and other North Korean groups conducting more extensive campaigns, necessitating increased vigilance.

With threat operating groups utilizing new tools, tactics, and techniques to find gaps within networks’ security, companies must stay vigilant of the current threat landscape and regularly update their network security software to prevent future cyberattacks. At SpearTip, we offer gap analysis which allows our engineers to discover blind spots in companies by comparing technology and internal personnel that can lead to significant compromises. Identifying technical vulnerabilities inside and outside companies provides a deeper context to potential gaps in the environments. SpearTip’s professionals offer phishing and social engineering training as mitigation to enhance skills related to defending against these threats. The exercise tests the discernment of companies’ teams, educates employees regarding common phishing tactics and indicators, and identifies related security gaps in their environments. Our team creates phishing emails and social engineering simulations similar to those threat actors use and sends them throughout the companies. We provide insight and feedback to improve the cyber defenses of companies’ teams, leading to a profound decrease in the likelihood of being victimized by phishing or social engineering scams. After the training, our team provides precise and thorough strategies to harden their environments and implement ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.