Kimsuky, a North Korea-based APT group, has been spotted using a custom malware RandomQuery in a reconnaissance and information exfiltration operation. Kimsuky has been active since 2012 and its target patterns align with the operational priorities of the North Korean regime.
RandomQuery - More than just a recon tool
The recent activity started on May 5 and uses a variant of RandomQuery, along with several additional tools and tactics.
The ongoing campaign has been observed targeting North Korea-focused information services, DPRK-defector support organizations, and human rights activists.
The threat group distributes RandomQuery with the use of Microsoft Compiled HTML Help (CHM) files.
This is a tried and tested tactic used by Kimsuky for delivering different types of malware in the past several years.
This variant of RandomQuery supports several additional features, such as keylogging and the deployment of additional malware on the target machine.
Additional tools and tactics
The threat group strategically uses new TLDs and domain names for its malicious infrastructure, choosing names that mimic standard .com domains to fool unsuspecting targets and network security controls.
The attacks commence with phishing emails pretending to be from Daily NK, an online publication covering North Korean affairs, to attract targets into opening a CHM file.
In addition to RandomQuery, other frequently used tools include AppleSeed and FlowerPower.
The attackers also deploy TutRAT and xRAT to obtain remote control of the infected machine.
Intelligence missions by the threat group involve the use of different types of malware, such as ReconShark, spotted by SentinelOne in early May.
Concluding note
Kimsuky seems to be continuously enhancing its attack toolkit and performing political espionage and other activities. This highlights the importance of a proactive approach to cyber defense and of collaboration with other organizations across both the public and private sectors. A real-time threat intelligence exchange platform can help fend off threats from RandomQuery and other similar custom espionage tools.