North Korean state-sponsored advanced persistent threat (APT) group Kimsuky is using a new reconnaissance tool called ReconShark in its ongoing global campaign targeting organizations across Asia, North America, and Europe. According to cybersecurity firm SentinelLabs, the group is primarily assigned to intelligence collection and espionage operations in support of the North Korean government. The spear-phishing emails used in the latest campaign are tailored to specific individuals, with proper formatting, grammar, and visual cues to increase the likelihood that the target opens them.
ReconShark is a malware component that functions as a reconnaissance tool, which can exfiltrate valuable information about the infected platform, such as deployed detection mechanisms and hardware information. It is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses. ReconShark is delivered through specially crafted phishing emails containing links to download malicious documents that abuse the names of real individuals whose expertise is relevant to the lure subject.
The malware stores the information it collects in string variables and then uploads them to the command-and-control (C2) server by issuing HTTP POST requests. Kimsuky operators continually make use of LiteSpeed Web Server (LSWS) for managing the malicious functionality. Phishing emails have been observed being sent from the yonsei[.]lol domain, while rfa[.]ink and mitmail[.]tech are used for C2. All observed infrastructure in this campaign is hosted on a shared hosting server from NameCheap. James McQuiggan, Security Awareness Advocate at KnowBe4, commented:
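Because the article describes ReconShark's exfiltration path as HTTP POST requests to the named C2 domains, a defender's first practical step is to match outbound web traffic against those indicators. The following is an added example, not code from the article or from SentinelLabs: it refangs the article's defanged domains, parses a constructed proxy log format (the field layout, IP addresses, timestamps and URLs are all assumptions made up for this example), and raises alerts for any request to those domains or their subdomains, rating POSTs higher because that is the exfiltration behaviour described.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the article prints them (defanged with "[.]").
# Assumption: this list should be refreshed from the vendor report, not treated as complete.
DEFANGED_IOCS = (
    "yonsei[.]lol",    # observed phishing sender domain
    "rfa[.]ink",       # C2
    "mitmail[.]tech",  # C2
)


def refang(indicator):
    """Turn a defanged indicator such as 'rfa[.]ink' into a matchable 'rfa.ink'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(host):
    """Return the matching indicator if host equals, or is a subdomain of, one of them."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed proxy log format (assumption, not from the article):
#   <timestamp> <source_ip> <method> <url> <status> <bytes_sent_by_client>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one proxy log line into a dict; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, bytes_out = m.groups()
    return {"ts": ts, "src": src, "method": method.upper(), "url": url,
            "status": int(status), "bytes_out": int(bytes_out)}


def scan_proxy_log(lines):
    """Flag requests to the article's domains; POSTs (the described exfil path) rate 'high'."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole scan
        host = urlsplit(rec["url"]).hostname or ""
        ioc = domain_matches(host)
        if ioc is None:
            continue
        severity = "high" if rec["method"] == "POST" else "medium"
        alerts.append({"ts": rec["ts"], "src": rec["src"], "host": host, "ioc": ioc,
                       "method": rec["method"], "bytes_out": rec["bytes_out"],
                       "severity": severity})
    return alerts


# Constructed sample log: one benign request, two C2 hits, one hit on the sender domain,
# and one malformed line the parser must tolerate.
SAMPLE_LOG = """\
2023-05-04T09:12:01Z 10.0.4.21 GET https://www.example.com/news 200 512
2023-05-04T09:12:44Z 10.0.4.21 POST https://rfa.ink/upload.php 200 4096
2023-05-04T09:13:02Z 10.0.4.37 GET http://cdn.mitmail.tech/a.gif 404 0
2023-05-04T09:13:10Z 10.0.4.21 GET https://mail.yonsei.lol/ 200 100
malformed line that the parser should skip
"""

if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']}] {a['ts']} {a['src']} {a['method']} {a['host']} "
              f"(matched {a['ioc']}, {a['bytes_out']} bytes out)")
```

Subdomain matching matters because operators on shared hosting can stand up arbitrary hostnames under a registered domain; the volume of bytes sent by the client on a POST to a matched domain is the number an analyst would pivot on when judging how much reconnaissance data left the host.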
"The group's adoption of advanced spear phishing tactics demonstrates that social engineering is still the standard tool for gaining access to organizations through users and relying on old-fashioned human psychology, misdirection and manipulation to access sensitive information. While technology helps protect networks, servers, endpoints and data, the human remains a fundamental vulnerability that cybercriminals will consistently exploit. Organizations should continue to educate their users as a priority. Monthly security awareness sessions and frequent simulated phishing exercises can help users identify and respond to potential spear phishing attacks more effectively. In the unfortunate event of a successful phishing attack, organizations should also establish robust incident response plans to ensure they can promptly detect, contain and remediate threats when they occur."