URL: https://www.theregister.com/2024/03/21/kimsuky_chm_file_campaign/

IT'S 2024 AND NORTH KOREA'S KIMSUKY GANG IS EXPLOITING WINDOWS HELP FILES

NEW INFOSTEALER MAY INDICATE A SHIFT IN TACTICS – AND MAYBE TARGETS TOO, BEYOND
ASIA

Simon Sharwood
Thu 21 Mar 2024 // 05:30 UTC

North Korea's notorious Kimsuky cyber crime gang has commenced a campaign using
fresh tactics, according to infosec tools vendor Rapid7.

A Wednesday post explains that the crew – also known as Black Banshee, Thallium,
APT 43 and Velvet Chollima – has a long history of trying to lift info from
government agencies and outfits like think tanks, probably to gather
intelligence that Kim Jong Un's regime might find valuable.

Kimsuky's favorite tactic is spear phishing, sometimes after a lengthy social
engineering effort from correspondents posing as academics or media. Past
attacks have seen victims sent a questionnaire laden with malware.

Rapid7 isn't sure how the gang distributes its latest attack, but is confident
the payload includes poisoned Microsoft Compiled HTML Help (CHM) files along
with ISO, VHD, ZIP and RAR files.

CHM files can include text, images, and hyperlinks. Kimsuky is probably more
interested in them because they can execute JavaScript.

Rapid7's researchers cracked open one of the CHM files they believe is the work
of Kimsuky and found "an example of using HTML and ActiveX to execute arbitrary
commands on a Windows machine, typically for malicious purposes."

The malicious purpose in this case is installing a VBScript and modifying the
Windows registry to ensure the gang's scripts run at system startup.

The script harvests info about the victim's machine and the processes it is
running, as well as recent Word files, and then lists directories and their
contents.

Rapid7's post details another couple of techniques used to install infostealers
– again using CHM files.

The firm has detailed indicators of compromise here.

Rapid7 chief scientist Raj Samani told The Register his team has moderate
confidence this technique is the work of Kimsuky, and that the target of the
campaign is South Korea – an assertion supported by many filenames in Korean
found in the payload.

Samani, however, believes that Kimsuky may be spreading beyond its usual hunting
grounds of Asia. He notes that Germany's Bundesamt für Sicherheit in der
Informationstechnik – the nation's federal infosec agency – lists Kimsuky as
active within German borders.

The Register put it to Samani that poisoned CHM files aren't new, which he
acknowledged – but retorted by pointing out that they may be a blind spot in
some orgs' defenses.

"We are dealing with individuals that are innovative and understand defenses,"
he warned.

Samani is uncertain if Kimsuky has a particular target for its latest campaign,
but suggested Rapid7 will be in a position to offer a more detailed assessment
in around April. ®
