new undetectable hacking tool used by cybercriminals

Kimsuky is an advanced persistent threat (APT) organization that originates from North Korea and has a long history of launching targeted attacks around the world. Based on what is currently known about the organization, they have primarily been tasked with conducting intelligence-gathering and espionage activities on behalf of the North Korean government since at least 2012. Throughout history, Kimsuky’s goals have been They have spread to various nations. in North America, Asia and Europe. In its most recent efforts, the organization has continued its global focus strategy, which focuses on a variety of contemporary geopolitical concerns. Kimsuky’s most recent announcements, for example, have focused on the nuclear agendas between China and North Korea; these agendas are relevant to the ongoing confrontation between Russia and Ukraine. The experts they call this component of BabyShark as ReconShark.

During a recent campaign, Kimsuky targeted employees of the Korea Risk Group (KRG), which is an information and analysis organization that specializes in issues that have direct and indirect effects on the Democratic People’s Republic of Korea (DPRK). Kimsuky continues to use phishing emails that he has carefully crafted himself in order to implement ReconShark. In particular, spear-phishing emails are created with a custom-designed quality grade for certain people, increasing the chance that the email will be opened by the target. This involves using the correct format, language, and visual cues to make the content seem authentic to readers who aren’t paying attention. In particular, both targeted emails, which include links to download harmful documents, and the malicious documents themselves.

Kimsuky’s nefarious emails include a link that, when clicked, will direct the recipient to a file that requires a password to access. More recently, they started hosting the infected document for download on Microsoft OneDrive, which is a cloud storage service. Extracting information about the infected platform is the main function of ReconShark. This includes information about current processes, information about the battery that is attached to the device, and information about endpoint threat detection measures that have been implemented.

Similar to previous iterations of BabyShark, ReconShark relies on Windows Management Instrumentation (WMI) to query for process and battery information. ReconShark does more than steal information; it also distributes additional payloads in a multi-stage process. These payloads can be compiled as scripts (VBS, HTA, and Windows Batch), macro-enabled Microsoft Office templates, or Windows DLLs. The types of detection mechanism processes that are active on the compromised computers are taken into account when ReconShark chooses which payloads to send.

To avoid detection by static analysis methods, some ReconShark streams are encoded using a fairly simple encryption. Typically, the instructions or scripts contained within these strings are for downloading and/or executing payloads. All of the infrastructure that has been discovered as part of this campaign is hosted on a shared hosting server provided by NameCheap. The operators of the Kimsuky malware used to use LiteSpeed ​​Web Server (LSWS) to manage the harmful functionality. Kimsuky’s continued attacks and its use of the innovative ReconShark reconnaissance tool provide insight into the changing nature of North Korea’s threat environment. Organizations and individuals need to be aware of the tactics and techniques of this group.

He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His daily work includes investigating new malware and cybersecurity incidents. He also has a deep level of knowledge in mobile security and mobile vulnerabilities.

Send news tips to [email protected] or www.instagram.com/iicsorg/

You can also find us on Telegram www.t.me/noticiasciberseguridad