Tag Archive for: HTML

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks


Mar 24, 2024 | Newsroom | Artificial Intelligence / Cyber Espionage


The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data.

Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe.

According to Rapid7, attack chains have leveraged weaponized Microsoft Office documents, ISO files, and Windows shortcut (LNK) files, with the group also employing CHM files to deploy malware on compromised hosts.

The cybersecurity firm has attributed the activity to Kimsuky with moderate confidence, citing similar tradecraft observed in the past.


“While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened,” the company said.

The CHM file is propagated within an ISO, VHD, ZIP, or RAR file. Opening it executes a Visual Basic Script (VBScript) that sets up persistence and reaches out to a remote server to fetch a next-stage payload responsible for gathering and exfiltrating sensitive data.

Rapid7 described the attacks as ongoing and evolving, targeting organizations based in South Korea. It also identified an alternate infection sequence that employs a CHM file as a starting point to drop batch files tasked with harvesting the information and a PowerShell script to connect to the C2 server and transfer the data.

“The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims,” it said.

The development comes as Broadcom-owned Symantec revealed that the Kimsuky actors are distributing malware impersonating an application from a legitimate Korean public entity.

“Once compromised, the dropper installs an Endoor backdoor malware,” Symantec said. “This threat enables attackers to collect sensitive information from the victim or install additional malware.”

It’s worth noting that the Golang-based Endoor,…




How a new HTML element will make the Web faster

Soon, you won’t need to be the Flash for quicker Web browsing.
Flickr user: Katie Krueger

The Web is going to get faster in the very near future. And sadly, this is rare enough to be news.

The speed bump won’t be because our devices are getting faster, but they are. It won’t be because some giant company created something great, though they probably have. The Web will be getting faster very soon because a small group of developers saw a problem and decided to solve it for all of us.

That problem is images. As of August 2014, the size of the average page in the top 1,000 sites on the Web is 1.7MB. Images account for almost 1MB of that 1.7MB.



Ars Technica » Technology Lab