North Korean Threat Group Using ReconShark Malware in Spear Phishing Campaign

A North Korean advanced persistent threat (APT) actor is using new malware called ReconShark in a global spear phishing campaign. The malware collects sensitive information about the infected host, exfiltrates it to its command-and-control (C2) server, and can download and execute further files on the targeted system. The information gathered is believed to be used to plan precision follow-on attacks on the targeted individuals: it can reveal security weaknesses that could be exploited later, or allow a second-stage payload to be developed for each target specifically to evade the security products installed on that machine.

The campaign was identified by researchers at SentinelOne, who attribute it to the North Korean threat actor known as Kimsuky. Kimsuky is currently running campaigns linked to the Russia-Ukraine war, and its recent activity has focused on the nuclear agenda between China and North Korea. The group has also recently targeted employees of the Korea Risk Group, which analyzes matters that have a direct or indirect impact on the Democratic People’s Republic of Korea.

The spear phishing emails contain links to documents hosted on OneDrive that carry malicious macros. If the recipient opens the downloaded document and allows the macros to run, they silently deliver ReconShark. The emails are carefully crafted for each targeted individual to raise the probability that the email is opened and the file downloaded: they are of high design quality, free from spelling mistakes, grammatically correct, and lack the usual visual clues of a phishing attempt. The sender addresses are spoofed so the messages appear to come from real people, and the messages reference individuals with expertise in the subject matter of the email.

The new malware performs more advanced reconnaissance than the BabyShark malware previously used by Kimsuky. Rather than writing the collected information to the file system, ReconShark keeps the data in string variables in memory and exfiltrates it to the C2 server via HTTP POST requests, which leaves fewer artifacts on disk for forensic examination. The malware can also download and execute other files, such as DLLs or script files, tailored to the security solutions discovered during the initial reconnaissance phase. The SentinelOne researchers note that this is a global campaign that has targeted individuals of interest in multiple countries, including the United States and several countries in Europe and Asia.
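The delivery chain described in the two preceding paragraphs (an Office document whose macro hands off to a child process, which then reports back over HTTP POST) is something a defender can turn into a process-tree detection. The following is an added example written for this page, not code from SentinelOne or the article; the event format is a constructed Sysmon-style record, and the HTTP method on the network event assumes an EDR or proxy feed joined by PID, which is an assumption of the example.

```python
"""Toy detection logic for the ReconShark delivery chain described above:
an Office process (or anything in its process tree) starts an interpreter
or loader, and a process in that tree then issues an HTTP POST.

Added example, not code from SentinelOne or the campaign. The events are
constructed, Sysmon-style records; the `method` field on network events
assumes a sensor that records HTTP methods (an assumption for this example).
"""

from dataclasses import dataclass
from typing import Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and loaders a malicious macro typically hands off to
# (an illustrative list, not an exhaustive one).
MACRO_HANDOFFS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class Event:
    kind: str                      # "process" (creation) or "network"
    pid: int
    image: str                     # image name of the acting process
    ppid: Optional[int] = None     # process events only
    parent_image: Optional[str] = None
    dest: Optional[str] = None     # network events only
    method: Optional[str] = None   # HTTP method, if the sensor records it


# Constructed sample telemetry (not from a real incident); 203.0.113.0/24
# is a documentation range.
SAMPLE_EVENTS = [
    Event("process", 100, "WINWORD.EXE", ppid=1, parent_image="explorer.exe"),
    Event("network", 100, "WINWORD.EXE", dest="onedrive.live.com", method="GET"),
    Event("process", 200, "cmd.exe", ppid=100, parent_image="WINWORD.EXE"),
    Event("process", 300, "rundll32.exe", ppid=200, parent_image="cmd.exe"),
    Event("network", 300, "rundll32.exe", dest="203.0.113.5", method="POST"),
    Event("process", 400, "powershell.exe", ppid=1, parent_image="explorer.exe"),
    Event("network", 400, "powershell.exe", dest="203.0.113.9", method="POST"),
]


def detect(events):
    """Return (rule, pid, image, detail) alerts, walking events in time order.

    Rules:
      office_child     - an Office app, or a descendant of one, starts a
                         process from MACRO_HANDOFFS
      office_tree_post - a process in an Office-rooted tree issues an HTTP POST
    """
    office_tree = set()   # PIDs rooted at an Office application
    alerts = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            if image in OFFICE_APPS or e.ppid in office_tree:
                office_tree.add(e.pid)
                if image in MACRO_HANDOFFS:
                    alerts.append(("office_child", e.pid, e.image,
                                   f"spawned by {e.parent_image}"))
        elif e.kind == "network":
            if e.pid in office_tree and (e.method or "").upper() == "POST":
                alerts.append(("office_tree_post", e.pid, e.image,
                               f"POST to {e.dest}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample events the script raises three alerts: cmd.exe and rundll32.exe started under WINWORD.EXE, and the POST from rundll32.exe. The PowerShell process started from explorer.exe is not flagged even though it also POSTs, because it is outside any Office-rooted tree. Since ReconShark keeps its findings in memory rather than on disk, process and network telemetry of this kind is a more reliable pivot than file-based indicators.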

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of