Kimsuky APT Unleashes ReconShark to Enhance Victim Profiling Capabilities
Category: Threat Actor Activity | Industries: Government, Nuclear, Research, Think Tanks | Level: Tactical | Source: SentinelOne
The North Korean threat group Kimsuky has been observed deploying an evolved variant of its 'BabyShark' malware, tracked as 'ReconShark.' As reported by SentinelOne Senior Threat Researcher Tom Hegel, the malware performs system reconnaissance for Kimsuky operators: it fingerprints the victim host, specifically identifying the security monitoring tools in use, and sends that profile to the attackers' C2. Notably, ReconShark does not store the reconnaissance data locally on the targeted host; it exfiltrates the data directly to the C2 server through HTTP POST requests. "The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates ReconShark is part of a Kimsuky-orchestrated reconnaissance operation enabling subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses," Hegel wrote. The targeting of this campaign aligns with Kimsuky's previous intrusions, which focused on specific geopolitical topics, nuclear research, and think tanks. The campaign is global in scope, with organizations across Asia, the United States, and Europe all being targeted.
ReconShark is delivered through well-crafted spearphishing emails, tailored to specific targets and free of spelling and design errors. The weaponized file of choice is a macro-enabled Office document, an interesting choice given the broader shift to container and OneNote files after Microsoft's decision to block macros by default. "The attackers are likely looking for easy wins against outdated versions of Office or simply users enabling macros," Hegel told BleepingComputer. Beyond its discovery capabilities, ReconShark can pull down additional payloads selected according to the security mechanisms running on the targeted host. Observed payloads include script-based payloads (VBS, HTA, and Windows Batch files), malicious DLL files, and Microsoft Office templates with macro functionality. During the payload deployment stage, the malware achieves execution by modifying the Windows shortcut (LNK) files associated with commonly used applications such as Chrome, Outlook, Firefox, or Edge, so that the malware runs automatically whenever the user launches any of these applications. For defenders this is a hunting opportunity: a desktop, Start Menu, or taskbar shortcut for a browser or mail client whose target has been redirected to a script host, or whose arguments reference a script or DLL, is out of place on any managed host. "The payload staging ends with Windows Batch or VBS scripts that create the %AppData%\1 file with a content of ss or sss. These files may represent markers of a successful ReconShark execution," said Hegel.
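The following PowerShell hunting script is an added example and is not code from SentinelOne, Anvilogic, or the report; it turns the two host-side observations above (modified browser/Outlook LNK files and the %AppData%\1 marker) into a check an analyst can run on a suspect Windows host. The expected executable names, the list of script hosts treated as suspicious, and the shortcut locations searched are my assumptions for a typical workstation, not details taken from the report; the marker path follows from %AppData% resolving to the user's Roaming profile by default.

```powershell
# Added hunting example (not the report's code). Run from an elevated prompt so all
# user profiles under C:\Users are readable.

# Assumption: which executable each shortcut name is expected to launch.
$Expected = @{
    'chrome'  = 'chrome.exe'
    'firefox' = 'firefox.exe'
    'msedge'  = 'msedge.exe'
    'edge'    = 'msedge.exe'
    'outlook' = 'outlook.exe'
}
# Assumption: script hosts / LOLBins that would launch VBS, HTA, batch or DLL payloads.
$ScriptHosts = 'cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','powershell.exe','regsvr32.exe'

$Shell = New-Object -ComObject WScript.Shell

function Test-Shortcut {
    # Returns a finding object when a browser/Outlook shortcut no longer points at the
    # expected executable, or its arguments reference a script or DLL; otherwise nothing.
    param([System.IO.FileInfo]$Lnk)
    $name = $Lnk.BaseName.ToLower()
    $key  = $Expected.Keys | Where-Object { $name -match "\b$_\b" } | Select-Object -First 1
    if (-not $key) { return }   # not a shortcut this check cares about

    $sc     = $Shell.CreateShortcut($Lnk.FullName)
    $target = [System.IO.Path]::GetFileName([string]$sc.TargetPath).ToLower()
    $reason = $null
    if ($target -ne $Expected[$key]) { $reason = "target is '$target', expected '$($Expected[$key])'" }
    if ($ScriptHosts -contains $target) { $reason = "target is script host '$target'" }
    if ([string]$sc.Arguments -match '\.(vbs|hta|bat|cmd|dll|js|ps1)\b') {
        $reason = "arguments reference a script/DLL: $($sc.Arguments)"
    }
    if ($reason) {
        [pscustomobject]@{
            Shortcut  = $Lnk.FullName
            Target    = $sc.TargetPath
            Arguments = $sc.Arguments
            Reason    = $reason
        }
    }
}

# Assumption: the usual places a user-launched application shortcut lives.
$Profiles = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue
$Roots = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:PUBLIC\Desktop"
)
foreach ($p in $Profiles) {
    $Roots += "$($p.FullName)\Desktop"
    $Roots += "$($p.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
    $Roots += "$($p.FullName)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
}

$Findings = foreach ($root in $Roots) {
    if (Test-Path $root) {
        Get-ChildItem $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Test-Shortcut $_ }
    }
}
"--- Suspicious shortcuts ---"
$Findings | Format-Table -AutoSize

# Marker check: the report describes %AppData%\1 containing "ss" or "sss" after a
# successful run. %AppData% is the Roaming profile folder by default.
"--- %AppData%\1 marker files ---"
foreach ($p in $Profiles) {
    $marker = Join-Path $p.FullName 'AppData\Roaming\1'
    if (Test-Path $marker -PathType Leaf) {
        $content = Get-Content $marker -Raw -ErrorAction SilentlyContinue
        if ($content) { $content = $content.Trim() }
        [pscustomobject]@{
            User          = $p.Name
            Marker        = $marker
            Content       = $content
            MatchesReport = ($content -in 'ss','sss')
        }
    }
}
```

The shortcut check is deliberately loose: any shortcut named after a browser or Outlook that resolves to something other than the expected binary is reported, and a legitimate but unusual install path will show up as a finding to triage. The marker check is the cheaper of the two and is safe to run broadly; a file literally named 1 in a user's Roaming profile has no legitimate reason to exist on most hosts, so any hit deserves a look even if its content is not exactly ss or sss.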
- Document Execution with System Recon & Script Execution
Anvilogic Use Cases:
- Malicious Document Execution
- System Enumeration with WMIC
- Browser Version Discovery - Windows