Japan Warns of Attacks Linked to North Korean Kimsuky Hackers

Summary:
Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) has published a blog post warning about attacks targeting Japanese organizations by a North Korean APT group called Kimsuky. Phishing emails impersonating security and diplomatic organizations were observed being sent to targeted entities earlier this year, in March. According to JPCERT/CC, the emails carry a malicious ZIP attachment containing the following files, each with a double file extension:

  • (1) [omitted].docx[a large number of spaces].exe
  • (2) [omitted].docx[a large number of spaces].docx
  • (3) [omitted].docx[a large number of spaces].docx

As shown above, JPCERT/CC says that each file name contains a large number of spaces to hide the actual file extension. Two of the files are decoy documents, whereas the EXE file leads to a malware infection. When the EXE file is executed, a VBS file is downloaded from an external source and executed using wscript[.]exe. This VBS file is designed to download a PowerShell script that includes a function called PokDoc, which is used to collect the following information from the compromised device:

  • System information
  • Process list
  • Network information
  • List of files in specific user folders (Downloads, Documents, Desktop)
  • User account information

This information is sent to a remote attacker-controlled URL and is used to check whether the device on which the EXE file was executed is an analysis environment such as a sandbox, according to JPCERT/CC. Once this information is sent, the agency notes that another VBS file is created and executed on the victim’s system. Like the first VBS file, the new file also downloads a PowerShell script from an external source; in this case the script functions as a keylogger and steals data of interest from the targeted system.
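The space-padded double-extension trick described above can be caught at the mail gateway or on a file share by inspecting ZIP member names without extracting anything. The following detector is an added example, not code from JPCERT/CC or the linked reports; the sample archive, its file names and the padding threshold of eight whitespace characters are constructed assumptions for illustration.

```python
import io
import re
import zipfile

# Matches "<stem>.<shown ext><long run of whitespace>.<real ext>": the whitespace run
# pushes the real extension out of view in file dialogs and mail clients.
# The minimum run length (8) is an assumed threshold, not a value from the report.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<shown>[A-Za-z0-9]{1,5})(?P<pad>\s{8,})\.(?P<real>[A-Za-z0-9]{1,5})$"
)

# Extensions Windows will run directly; a padded name ending in one of these is the
# pattern from the campaign (".docx<spaces>.exe").
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "lnk"}

def classify_name(name: str):
    """Return a finding dict if `name` uses the padded double-extension trick, else None."""
    base = name.rsplit("/", 1)[-1]  # ZIP members may carry a directory prefix
    m = PADDED_DOUBLE_EXT.match(base)
    if not m:
        return None
    real = m.group("real").lower()
    return {
        "name": base,
        "shown_ext": m.group("shown").lower(),
        "real_ext": real,
        "pad_len": len(m.group("pad")),
        "executable": real in EXECUTABLE_EXTS,
    }

def scan_zip(zip_bytes: bytes):
    """Scan every member name of a ZIP archive; no member content is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            finding = classify_name(info.filename)
            if finding:
                findings.append(finding)
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive mirroring the three-file layout JPCERT/CC describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.docx" + " " * 200 + ".exe", b"not a real executable")
        zf.writestr("notice.docx" + " " * 200 + ".docx", b"decoy document 1")
        zf.writestr("agenda.docx" + " " * 200 + ".docx", b"decoy document 2")
        zf.writestr("readme.txt", b"benign file, should not be flagged")
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        verdict = "BLOCK" if f["executable"] else "REVIEW"
        print(f"{verdict}: shown={f['shown_ext']} real={f['real_ext']} pad={f['pad_len']} name={f['name'].strip()!r}")
```

The decoy documents are still reported (as REVIEW) because a padded name is suspicious even when the hidden extension is not executable.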

Security Officer Comments:
The latest campaign targeting Japanese organizations appears to be primarily driven by cyber espionage, with North Korean actors seeking to gather information that could benefit their regime. In May 2024, the AhnLab Security Intelligence Center (ASEC) reported a similar campaign where a Compiled HTML Help (CHM) malware strain was used to target South Korean entities with keyloggers. This malware had previously been distributed in various formats, including LNK, DOC, and OneNote files. The latest variant observed by ASEC features more sophisticated obfuscation techniques to evade detection compared to earlier samples. With Kimsuky now extending its focus to countries like Japan, JPCERT/CC has issued a warning for organizations to remain vigilant against CHM files, which can contain executable scripts designed to deliver malware.

Suggested Corrections:
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask their customers for sensitive data. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Link(s):

https://blogs.jpcert.or.jp/en/2024/...kimsuky-targeting-japanese-organizations.html
https://www.bleepingcomputer.com/ne...tacks-linked-to-north-korean-kimsuky-hackers/