Malicious .LNK files are old news – Kimsuky’s latest technique takes advantage of Compiled HTML Help files to gather intelligence.
Cyber security researchers have observed a change in the tactics of the North Korean Kimsuky hacking group.
Rapid7 Labs has been tracking the threat actor for some time, following its evolution from gaining initial network access with malicious ISO files and Office documents to using .LNK files at the beginning of last year.
Now, however, Rapid7’s researchers have observed Kimsuky taking advantage of Compiled HTML Help files, usually delivered inside RAR or ZIP archives or ISO images. These files are designed mainly as help documents and, like a web page, contain search capabilities, images, text and hyperlinks.
But they can also execute JavaScript, making them ideal for distributing malware.
In Kimsuky’s case, the hackers are using a Compiled HTML Help (CHM) file that Rapid7 is calling the “nuclear lure”. This CHM document was written in Korean on a Korean-language version of Windows, and contains several files that appear to pertain to North Korea’s use of nuclear weapons, including strategies, research, and models of how North Korea might employ such weapons.
Once a curious reader opens the file, though, the malicious process begins. The file uses a combination of HTML and ActiveX to run arbitrary code on the Windows PC, dropping an obfuscated VBScript into the user’s Links directory. A new registry entry is also created so that the VBScript runs every time the PC restarts.
Once communication is established with the threat actor’s command and control (C2) servers, data such as details of the PC, running processes, and recent Word files is collected from the user’s machine and uploaded to the C2 infrastructure.
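The persistence chain described above (CHM opened, script dropped into the user’s Links folder, autostart entry pointing at it) is something a defender can triage from endpoint telemetry. The following is an added example written for this article, not Rapid7’s tooling or any published detection rule. It assumes, as the article does not state, that hh.exe (the Windows HTML Help viewer) is the process that opens the CHM, that the persistence entry is an autostart value such as a Run key, and that the dropped script is launched through a Windows script host; every sample entry and event below is constructed for the example.

```python
"""Triage helpers for the CHM -> VBScript -> autostart chain described in the article.

Added example, not Rapid7's code.  Assumptions (not stated on the page):
  * hh.exe is the Windows HTML Help viewer that opens .chm files
  * the "registry entry" used for persistence is an autostart (Run-style) value
  * the dropped script is run through wscript.exe / cscript.exe or a shell
All sample data below is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed autostart entries: (value name, command line)
SAMPLE_AUTORUNS: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'wscript.exe //e:vbscript "C:\Users\alice\Links\update.vbs"'),  # constructed suspicious entry
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Constructed process-creation events: (parent image, child image, child command line)
SAMPLE_PROCESS_EVENTS: List[Tuple[str, str, str]] = [
    ("explorer.exe", "hh.exe", r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\lure.chm'),
    ("hh.exe", "cmd.exe", r'cmd.exe /c start wscript.exe "C:\Users\alice\Links\update.vbs"'),
    ("explorer.exe", "winword.exe", r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"'),
]

# Script hosts and shells a help viewer has no business launching
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# A path under any user's Links folder, e.g. \Users\alice\Links\
LINKS_DIR_RE = re.compile(r"\\Users\\[^\\]+\\Links\\", re.IGNORECASE)
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)


def suspicious_autoruns(entries: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Return autostart entries that run a .vbs file or anything inside a user's Links folder."""
    hits: List[Dict[str, object]] = []
    for name, cmd in entries:
        reasons = []
        if VBS_RE.search(cmd):
            reasons.append("runs a VBScript file")
        if LINKS_DIR_RE.search(cmd):
            reasons.append("points into a user's Links directory")
        if reasons:
            hits.append({"name": name, "command": cmd, "reasons": reasons})
    return hits


def chm_spawned_script_hosts(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return process events where the CHM viewer (hh.exe) launches a script host or shell."""
    return [
        ev for ev in events
        if ev[0].lower() == "hh.exe" and ev[1].lower() in SCRIPT_HOSTS
    ]


def triage(entries: List[Tuple[str, str]], events: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Summarise both checks as counts so the result can be thresholded in a pipeline."""
    return {
        "suspicious_autoruns": len(suspicious_autoruns(entries)),
        "chm_child_processes": len(chm_spawned_script_hosts(events)),
    }


if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_AUTORUNS):
        print("autostart:", hit["name"], "-", "; ".join(hit["reasons"]))
    for parent, child, cmdline in chm_spawned_script_hosts(SAMPLE_PROCESS_EVENTS):
        print("process chain:", parent, "->", child, ":", cmdline)
    print(triage(SAMPLE_AUTORUNS, SAMPLE_PROCESS_EVENTS))
```

On a real host the two input lists would come from an autoruns export and from process-creation telemetry (Sysmon event 1 or an EDR feed); the checks are deliberately narrow, because a help viewer spawning a shell, or an autostart value reaching into a user’s Links folder, is rare enough in normal use that each hit deserves a look rather than being tuned away.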
After analysing this particular file, Rapid7 was able to refine its search parameters and, perhaps unsurprisingly, found more malicious CHM files in circulation, each gathering slightly different data.
“The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims,” Rapid7 concluded.
So far, this campaign has only targeted organisations in South Korea, though Kimsuky has been seen plying its espionage wares all across the APAC region in the past. We expect this new campaign will spread beyond Korea’s borders before long.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.