North Korea-linked Kimsuky switches to compiled HTML Help files in ongoing cyberattacks

March 24, 2024 | Pressroom | Artificial intelligence / cyber espionage

Compiled HTML Help files

The North Korea-linked threat actor known as Kimsuky (also tracked as Black Banshee, Emerald Sleet, or Springtail) has been observed shifting tactics, using Compiled HTML Help (CHM) files as the delivery vector for malware that harvests sensitive data.

Kimsuky, active since at least 2012, is known to target entities located in South Korea, North America, Asia and Europe.

According to Rapid7, the attack chains have used weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, and the group has also employed CHM files to deploy malware on compromised hosts.

The cybersecurity firm attributed the activity to Kimsuky with moderate confidence, citing similarities to tradecraft observed in the group's past campaigns.


“Although originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as malware distribution, because they can execute JavaScript when opened,” the company said.

The CHM file is distributed inside an ISO, VHD, ZIP, or RAR archive. Opening it runs a Visual Basic script (VBScript) that sets up persistence and reaches out to a remote server to retrieve a next-stage payload responsible for collecting and exfiltrating sensitive data.

Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternative infection sequence that uses a CHM file as the starting point to drop batch files that gather the information, followed by a PowerShell script that connects to the C2 server and transfers the data.
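Both chains above share an observable the defender can key on: the Windows HTML Help viewer (hh.exe) opens the CHM, and from there a script interpreter (wscript.exe, cmd.exe, powershell.exe) is spawned. The following detection logic is an added example, not code from Rapid7 or the article; it assumes Sysmon-style process-creation events flattened to JSON lines with the field names shown, and the sample events, the interpreter watch-list and the path heuristics are constructed for this illustration. It flags (1) hh.exe opening a .chm from a non-system drive letter (a mounted ISO/VHD) or a user-writable directory, and (2) any watch-listed interpreter with hh.exe in its ancestry, so the two-hop chain hh.exe -> cmd.exe -> powershell.exe from the second sequence is caught as well as a direct child.

```python
import json
import re

# Interpreters and LOLBins that the HTML Help viewer has no legitimate reason to
# launch. This watch-list is an assumption for the example, not a Rapid7 rule.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Path fragments typical of a CHM saved or extracted by the user from a lure (assumed).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\desktop\\")
# First .chm path on the (lowercased) command line, capturing its drive letter.
CHM_PATH = re.compile(r'\b([a-z]):\\[^"]*?\.chm')


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ancestors(event, by_guid, max_depth=4):
    """Yield parent, grandparent, ... of event, up to max_depth levels."""
    current = event
    for _ in range(max_depth):
        current = by_guid.get(current.get("ParentProcessGuid"))
        if current is None:
            return
        yield current


def analyse_events(lines):
    """Return findings for a batch of JSON-lines process-creation events."""
    events = [json.loads(line) for line in lines if line.strip()]
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        image = _basename(e["Image"])
        if image == "hh.exe":
            # Heuristic 1: CHM opened from a mounted ISO/VHD (drive other than C:)
            # or from a user-writable directory.
            match = CHM_PATH.search(e.get("CommandLine", "").lower())
            if match and (match.group(1) != "c"
                          or any(h in match.group(0) for h in USER_WRITABLE_HINTS)):
                findings.append({"rule": "chm_opened_from_untrusted_location",
                                 "pid": e["ProcessId"], "chm": match.group(0)})
        elif image in SUSPICIOUS_CHILDREN:
            # Heuristic 2: interpreter/LOLBin with hh.exe in its ancestry
            # (depth 1 = direct child, depth 2 = hh.exe -> cmd.exe -> powershell.exe).
            for depth, ancestor in enumerate(_ancestors(e, by_guid), start=1):
                if _basename(ancestor["Image"]) == "hh.exe":
                    findings.append({"rule": "hh_exe_descendant_interpreter",
                                     "pid": e["ProcessId"], "image": image,
                                     "depth": depth})
                    break
    return findings


def _event(guid, parent, image, cmdline, pid):
    return json.dumps({"ProcessGuid": guid, "ParentProcessGuid": parent,
                       "Image": image, "CommandLine": cmdline, "ProcessId": pid})


# Constructed sample telemetry: two malicious chains plus one benign help-file open.
SAMPLE_LOG = [
    _event("E1", "X0", r"C:\Windows\explorer.exe", "explorer.exe", 1200),
    # First chain: CHM opened from a mounted ISO on D:, which then runs VBScript.
    _event("H1", "E1", r"C:\Windows\hh.exe", r'"C:\Windows\hh.exe" D:\Invitation.chm', 4100),
    _event("W1", "H1", r"C:\Windows\System32\wscript.exe",
           r"wscript.exe //B C:\Users\victim\AppData\Local\Temp\upd.vbs", 4132),
    # Second chain: CHM from Downloads drops a batch collector, then PowerShell.
    _event("H2", "E1", r"C:\Windows\hh.exe",
           r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\report.chm', 5200),
    _event("C1", "H2", r"C:\Windows\System32\cmd.exe",
           r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\collect.bat", 5216),
    _event("P1", "C1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"powershell.exe -w hidden -f C:\Users\victim\AppData\Local\Temp\send.ps1", 5240),
    # Benign: vendor documentation from Program Files, no interpreter children.
    _event("H3", "E1", r"C:\Windows\hh.exe",
           r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\help.chm"', 6000),
    _event("N1", "H3", r"C:\Windows\System32\notepad.exe", "notepad.exe", 6020),
]

if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against the sample, the first chain yields two findings (the D: drive open and the wscript.exe child), the second yields three (the Downloads open, cmd.exe at depth 1, powershell.exe at depth 2), and the Program Files open with a notepad.exe child yields none. In production the ancestry walk should be bounded as it is here, since a long-lived hh.exe instance can legitimately sit above unrelated processes on a busy desktop.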

“The modus operandi and reuse of code and tools shows that the threat actor is actively using and refining/reshaping its techniques and tactics to gather information from victims,” Rapid7 said.

The development comes as Broadcom-owned Symantec revealed that Kimsuky actors are distributing malware that masquerades as an application from a legitimate Korean government agency.

“Once compromised, the dropper installs Endoor backdoor malware,” Symantec said. “This threat allows attackers to collect sensitive information from the victim or install additional malware.”

It is worth noting that the Golang-based Endoor, along with Troll Stealer (also known as TrollAgent), was recently used in attacks targeting users who downloaded security programs from the website of a Korean construction-related association.


The findings also come in the context of a United Nations investigation into 58 suspected cyberattacks carried out by North Korean state actors between 2017 and 2023 that brought in $3 billion in illicit revenue to help fund the country's nuclear weapons program.

“The high volume of cyberattacks by hacker groups subordinate to the Reconnaissance General Bureau reportedly continued,” the report reads. “Trends include targeting defense companies and supply chains and, increasingly, sharing infrastructure and tools.”

The Reconnaissance General Bureau (RGB) is North Korea’s main foreign intelligence service, and it comprises widely tracked threat groups such as the Lazarus Group, its subordinate elements Andariel and BlueNoroff, and Kimsuky.

“Kimsuky has shown interest in using generative AI, including large language models, potentially to code or write phishing emails,” the report further adds. “Kimsuky was observed using ChatGPT.”
