RandomQuery malware received upgrades from Kimsuky APT

June 15, 2023

The North Korea-based advanced persistent threat group Kimsuky uses the RandomQuery malware to carry out its reconnaissance and information-stealing activities. The group has been active for over a decade and has a clear targeting pattern that serves the interests of the North Korean regime. However, the group has recently adopted new tactics to improve its attack process.

Based on reports, the recent activity of the Kimsuky group occurred earlier this month and used a variant of the RandomQuery malware. In addition to the malware, the group employed several tools and tactics for their campaigns.

An analysis revealed that the North Korean APT group is running an ongoing operation against North Korea-focused targets: DPRK-defector support organisations, human rights activists, and information services.

Kimsuky spreads RandomQuery malware via CHM files.

According to investigations, the Kimsuky APT group spreads the RandomQuery malware through Microsoft Compiled HTML Help (CHM) files. This technique has been the go-to move of the North Korean threat group for propagating different malware strains in recent years.

The confirmed capabilities of the new RandomQuery strain include keylogging and the deployment of additional payloads on the compromised device. Moreover, the group strategically registers new TLDs and domain names for its attack infrastructure, impersonating common [.]com domains to deceive unsuspecting targets and evade network security controls.

The threat campaign begins with phishing emails that pretend to come from Daily NK, an online publication covering North Korean affairs. This lure is used to entice targets into opening a CHM file.
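The two delivery traits described above, CHM attachments and lookalike domains with a non-.com TLD, can both be checked mechanically on the defender's side. The following is an added example, not code from the article or from any vendor it cites: it identifies CHM files by their container signature rather than by file extension, and flags domains whose second-level label matches a watchlisted .com name but sits under a different TLD. The sample attachments, domains and watchlist are constructed for the example; the TLD regex is a deliberate simplification that does not handle multi-part public suffixes such as .co.uk.

```python
import re

# CHM files are ITSS containers; the signature "ITSF" sits at offset 0.
CHM_MAGIC = b"ITSF"


def is_chm(data: bytes) -> bool:
    """True if the bytes carry the CHM container signature, whatever the file is named."""
    return data[:4] == CHM_MAGIC


def find_chm_attachments(attachments) -> list:
    """Return the names of attachments that are CHM files by content, not by extension.

    `attachments` maps attachment name -> raw bytes.
    """
    return [name for name, blob in attachments.items() if is_chm(blob)]


# Second-level label plus TLD, ignoring any subdomains in front (simplified: single-part TLDs only).
_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)*([a-z0-9-]+)\.([a-z]{2,})")


def lookalike_domains(domains, watchlist) -> list:
    """Flag domains that reuse a watchlisted .com label under a different TLD.

    `watchlist` holds legitimate .com domains the organisation wants protected
    (constructed here; a real list would come from the brands you actually monitor).
    """
    protected = {
        d.lower()[: -len(".com")] for d in watchlist if d.lower().endswith(".com")
    }
    hits = []
    for domain in domains:
        d = domain.lower().rstrip(".")
        m = _DOMAIN_RE.fullmatch(d)
        if not m:
            continue
        label, tld = m.groups()
        if label in protected and tld != "com":
            hits.append(d)
    return hits


# Constructed sample data for the example (not real campaign artefacts).
SAMPLE_ATTACHMENTS = {
    "daily_brief.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 28,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "readme.txt": CHM_MAGIC + b"\x03\x00\x00\x00",  # CHM content hiding behind a .txt name
}
WATCHLIST = ["news-portal.com"]
SAMPLE_DOMAINS = [
    "news-portal.com",        # the legitimate domain itself
    "news-portal.xyz",        # same label, different TLD
    "mail.news-portal.info",  # subdomain in front of a lookalike
    "unrelated.org",
]

if __name__ == "__main__":
    print("CHM attachments:", find_chm_attachments(SAMPLE_ATTACHMENTS))
    print("Lookalike domains:", lookalike_domains(SAMPLE_DOMAINS, WATCHLIST))
```

Checking the signature rather than the extension matters because mail gateways that filter on `.chm` alone are bypassed by a renamed attachment; the domain check is meant to run over proxy or DNS logs, where a hit is a prompt to investigate rather than proof of compromise.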

The researchers also stated that the group frequently used malicious tools like FlowerPower, AppleSeed, and RandomQuery.

Furthermore, the threat group’s intelligence missions involve the usage of several malware strains like ReconShark. The latest intelligence mission that involves such a tool occurred earlier last month.

This notorious North Korean threat group has continuously adopted new attack tactics and conducted political espionage campaigns for several years. This pattern shows that organisations should collaborate and take a proactive approach to strengthening their cybersecurity. Experts explained that a real-time threat intelligence exchange platform could help everyone keep such cybercriminals at bay.
