N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging CHM files as attack vectors in the delivery phase to deploy malware for harvesting sensitive data. Kimsuky has been active for over 10 years and is notorious for targeting entities in South Korea, North America, Europe, and Asia, gathering intelligence relative to North Korea’s interests. Kimsuky has updated their tactics over the years in response to ever-evolving modern security measures. CHM files can be exploited to distribute malware because they can execute JavaScript when opened. Researchers discovered the header of the file contains a Windows Language ID value of “0412” for Korean, providing evidence that this attack may be conducted by Korean adversaries. This, combined with the similarity of the attack chain with past incidents, links this attack to Kimsuky. The sensitive information is gathered in .txt files and sent to the C2 server. The files are then deleted from the local system and the attacker has the option to begin sending new code back to the victim. The United Nations has attributed 58 suspected cyberattacks to North Korea over the last 6 years, netting 3 billion in revenue, which was then reappropriated to further develop their nuclear weapons program.

Security Officer Comments:
The continuous arms race between threat actors and defensive security professionals is highlighted by the new reconnaissance and initial access tactics performed by Kimsuky in this recent attack. By utilizing ZIP or ISO files as a container for the malicious CHM executable, threat groups like Kimsuky are able to bypass common preventative defense measures. Since the focus of this APT is exfiltration of sensitive information, Kimsuky’s goal is to remain undetected during the initial intrusion. This development arrives as Symantec uncovers another recent Kimsuky campaign targeting Korean organizations by impersonating a legitimate Korean government organization’s application. Kimsuky has been observed using ChatGPT and large language models, highlighting their search for new undefendable initial access tactics.

Suggested Corrections:
CISA offers important mitigations against Kimsuky attacks which include enabling safeguards against spearphishing, using of multi-factor authentication, and user awareness training.

Rapid7 Labs researchers have published new IOCs relevant to this campaign here: