North Korean hackers use “nuclear lure” to trick targets into running new attack


North Korea’s nuclear threats are now being exploited by the North Korean hacking group known as Kimsuky as a lure to get victims to open malicious payloads. Here’s how the threat actor updated its playbook.

Kimsuky is a North Korea-based cyber espionage group, focused on targeting South Korean government entities, think tanks, and individuals. They have also expanded operations in the US, Russia, Europe, and elsewhere to collect intelligence on foreign policy, national security issues related to the Korean peninsula, nuclear policy, and sanctions, according to MITRE.

Researchers from Rapid7 Labs observed Kimsuky, also known as Black Banshee or Thallium, using updated tactics to target victims.


Previously, Kimsuky relied on weaponized Office documents and ISO files, and, beginning last year, it also abused Windows shortcut (LNK) files. Disguised as benign documents, the LNK files trick users into double-clicking them, at which point the hidden PowerShell commands, or even full binaries, embedded in the shortcut are executed.

Recently, Kimsuky started using nuclear topics as lures to entice targeted individuals into opening a new type of file. Some examples of filenames, translated from Korean, include:

  • North Korean nuclear crisis escalation model and determinants of nuclear use.html
  • North Korea's nuclear strategy revealed in 'Legalization of Nuclear Forces'.html
  • Factors and types of North Korea’s use of nuclear weapons.html

Those HTML pages were components of a larger Compiled HTML Help (CHM) file, which was delivered in several ways, usually inside an ISO, ZIP, RAR, or VHD container, to get past the first line of defense: container formats of this kind are often not opened by mail gateways, and ISO and VHD images historically did not pass the Mark of the Web down to the files inside them. This is the updated tactic.

CHM is a format developed by Microsoft to package a collection of HTML pages together with a table of contents, an index, and full-text search. CHM files are used to deliver help documentation in a structured, navigable format. Packaged in a single compressed file with a .chm extension, which Windows opens with the HTML Help viewer (hh.exe), the HTML documents inside can include rich text with images and hyperlinks, much like webpages.

Not only that: the HTML Help viewer renders those pages with an embedded, legacy Internet Explorer engine and exposes the HTML Help ActiveX control (hhctrl.ocx), whose documented “ShortCut” command launches an arbitrary program. Attackers found long ago that this lets a CHM deliver and execute a malicious payload the moment it is opened.

Rapid7 provided an example of the HTML and ActiveX object that Kimsuky used to execute arbitrary commands on a Windows machine.
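What such a page looks like, and how a defender can pick it out of an unpacked CHM, is shown in the following added example. It is not Rapid7's snippet or code from the Kimsuky samples: the object/param pattern is the documented HTML Help ActiveX “ShortCut” command, the lure page is constructed for the demonstration, and the script assumes the CHM has already been unpacked to plain .htm files (for instance with `7z x lure.chm`).

```python
"""Static check of the HTML pages inside a CHM for the HTML Help ActiveX
"ShortCut" command, the mechanism that lets a help file launch a program.

Added example, not code from Rapid7 or from the Kimsuky samples.  It assumes
the CHM has already been unpacked to plain .htm/.html files (for instance with
`7z x lure.chm`); SAMPLE_PAGE below is constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from pathlib import Path

# CLSID of the HTML Help ActiveX control (hhctrl.ocx).
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Interpreters and LOLBins a help page has no legitimate reason to launch.
RISKY_PROGRAMS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


class _HelpPageParser(HTMLParser):
    """Collects every <object> with its <param>s and the text of all <script>s."""

    def __init__(self):
        super().__init__()
        self.objects = []       # [{"id": str, "classid": str, "params": {name: value}}]
        self.scripts = []       # raw contents of each <script> block
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self.objects.append({"id": a.get("id", ""),
                                 "classid": a.get("classid", "").lower(),
                                 "params": {}})
        elif tag == "param" and self.objects:
            self.objects[-1]["params"][a.get("name", "").lower()] = a.get("value", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_help_page(html):
    """Return one finding per hhctrl ShortCut object found in an HTML page."""
    parser = _HelpPageParser()
    parser.feed(html)
    parser.close()
    script_text = "\n".join(parser.scripts)
    findings = []
    for obj in parser.objects:
        if HHCTRL_CLSID not in obj["classid"]:
            continue
        if obj["params"].get("command", "").strip().lower() != "shortcut":
            continue
        # Item1 is "<window class>,<program>,<arguments>"; the class is normally empty.
        parts = obj["params"].get("item1", "").split(",", 2)
        program = parts[1].strip() if len(parts) > 1 else ""
        arguments = parts[2].strip() if len(parts) > 2 else ""
        basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # <id>.Click() in a script fires the shortcut without any user interaction.
        auto_click = bool(obj["id"]) and re.search(
            r"\b" + re.escape(obj["id"]) + r"\s*\.\s*Click\s*\(", script_text, re.I) is not None
        findings.append({
            "object_id": obj["id"],
            "program": program,
            "arguments": arguments,
            "auto_click": auto_click,
            "risky": auto_click or basename in RISKY_PROGRAMS,
        })
    return findings


def scan_unpacked_chm(root):
    """Scan every .htm/.html file under an unpacked CHM directory."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".htm", ".html"):
            hits = scan_help_page(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed lure page: an invisible 1x1 ShortCut object that a script fires on load.
SAMPLE_PAGE = r"""<html><head><title>nuclear strategy</title></head><body>
<p>Loading document...</p>
<OBJECT id="shortcut" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c wscript.exe //B "%TEMP%\update.vbs"'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>shortcut.Click();</SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_help_page(SAMPLE_PAGE):
        print(finding)
```

A ShortCut object by itself is legitimate help-file functionality, so the check does not flag every occurrence; it raises the finding only when the launched program is a shell, script host or known living-off-the-land binary, or when a script auto-clicks the object so that no user interaction is needed. Both conditions hold for the constructed lure page.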

When a victim opens the “nuclear strategy” lure, the machine runs a VBScript, which plants multiple batch (.bat) and VBS files for command execution and adds Registry entries to maintain persistence.
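That execution chain, hh.exe spawning a shell or script host that then drops .bat/.vbs files and writes a Run-key value, is what endpoint telemetry sees, and it is a cleaner detection than the lure filenames. The following added example (not Rapid7's detection content) runs that logic over constructed Sysmon-style events with a simplified schema; the process names, paths and pids are invented for the demonstration, and a real deployment would map its own telemetry fields onto these keys.

```python
"""Behavioural detection for the CHM execution chain: hh.exe (the HTML Help
viewer) spawning a shell or script interpreter, which then drops .bat/.vbs
files and writes a Run-key value for persistence.

Added example, not Rapid7's detection content.  SAMPLE_EVENTS below are
constructed Sysmon-style records (process creation, file creation, registry
value set) with a simplified schema.
"""
import ntpath

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
DROPPED_EXTENSIONS = {".bat", ".cmd", ".vbs", ".ps1"}
RUN_KEY_FRAGMENT = r"\microsoft\windows\currentversion\run"


def _basename(path):
    return ntpath.basename(path).lower()


def detect_chm_execution(events):
    """Return one alert for every hh.exe -> interpreter chain in the events."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    children = {}
    for e in procs.values():
        children.setdefault(e["ppid"], []).append(e["pid"])

    alerts = []
    for pid, proc in procs.items():
        if _basename(proc["parent_image"]) != "hh.exe":
            continue
        if _basename(proc["image"]) not in INTERPRETERS:
            continue
        # Collect the whole process subtree below the interpreter.
        subtree, stack = set(), [pid]
        while stack:
            cur = stack.pop()
            if cur not in subtree:
                subtree.add(cur)
                stack.extend(children.get(cur, []))
        dropped = sorted(
            e["path"] for e in events
            if e["event"] == "file_create" and e["pid"] in subtree
            and ntpath.splitext(e["path"])[1].lower() in DROPPED_EXTENSIONS)
        persistence = sorted(
            e["key"] + "\\" + e["value_name"] for e in events
            if e["event"] == "registry_set" and e["pid"] in subtree
            and RUN_KEY_FRAGMENT in e["key"].lower())
        parent = procs.get(proc["ppid"], {})
        alerts.append({
            "root_pid": pid,
            "interpreter": _basename(proc["image"]),
            "lure_cmdline": parent.get("cmdline", ""),
            "dropped_scripts": dropped,
            "persistence": persistence,
            # hh.exe spawning a shell alone is worth a look; drops plus a Run key make it high.
            "severity": "high" if dropped and persistence else "medium",
        })
    return alerts


# Constructed telemetry: one malicious CHM chain and one benign help file.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4100, "ppid": 3200,
     "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Users\kim\Downloads\nuclear strategy.chm"'},
    # the ShortCut object in the CHM page launches cmd.exe, which writes a VBS via echo
    {"event": "process_create", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r'cmd.exe /c echo ...>"%TEMP%\u.vbs"&wscript.exe //B "%TEMP%\u.vbs"'},
    {"event": "file_create", "pid": 4188, "path": r"C:\Users\kim\AppData\Local\Temp\u.vbs"},
    {"event": "process_create", "pid": 4202, "ppid": 4188,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wscript.exe //B "C:\Users\kim\AppData\Local\Temp\u.vbs"'},
    # the VBS stages further scripts and registers one of them under Run
    {"event": "file_create", "pid": 4202, "path": r"C:\Users\kim\AppData\Roaming\update.vbs"},
    {"event": "file_create", "pid": 4202, "path": r"C:\Users\kim\AppData\Roaming\update.bat"},
    {"event": "registry_set", "pid": 4202,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Update",
     "data": r'wscript.exe //B "C:\Users\kim\AppData\Roaming\update.vbs"'},
    # a genuine help file: hh.exe with no child processes, produces no alert
    {"event": "process_create", "pid": 5000, "ppid": 3200,
     "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\Tool\help.chm"'},
]

if __name__ == "__main__":
    for alert in detect_chm_execution(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the parent/child relationship rather than on file names or hashes, so it survives the actor renaming lures or swapping the dropped scripts; walking the whole subtree under the first interpreter is what ties the later file drops and the Run-key write back to the CHM that started them.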


The code collects basic system information, such as the computer name, OS details, and hardware. Other functions enumerate running processes, recently opened Word files, and directory listings. The collected information is then sent to the command-and-control servers.

Kimsuky tactics

“In our case, the actor was interested in the content of the Downloads folder,” researchers write. “The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims.”

Telemetry enabled the researchers to confirm targeted attacks against entities based in South Korea. They warn that Kimsuky’s updated playbook underscores the dynamic nature of cyber espionage and the continuous arms race between threat actors and defenders.