Kimsuky APT New Campaign Detection: North Korean Hackers Leverage Microsoft Compiled HTML Help Files in Ongoing Cyber Attacks

Hard on the heels of the DEEP#GOSU offensive campaign associated with the North Korean hacking collective Kimsuky APT, the group comes to the spotlight once again by shifting their adversary TTPs. Defenders have recently observed Kimsuky’s use of Microsoft Compiled HTML Help (CHM) files to spread malware and collect sensitive data from impacted instances.

Detect Kimsuky APT Latest Attacks

For the last few months, KIimsuky APT has continuously been in the spotlight due to the increasing range and sophistication of its campaigns. Posing a significant menace to cyber defenders globally, Kimsuky continuously shifts its TTPs to reach malicious goals while flying under the radar. 

To keep abreast of possible Kimsuky attacks, cybersecurity professionals require a reliable source of detection content paired with a next-gen toolset to streamline security operations. SOC Prime Platform for collective cyber defense offers curated Sigma rules addressing the latest malicious campaign by Kimsuky APT backed by advanced threat hunting and detection engineering solutions. 

Just hit Explore Detections and reach the extensive detection stack designed for identifying the latest Kimsuky’s TTPs. All detections are aligned with MITRE ATT&CK® framework v14.1 and enriched with actionable metadata and curated threat intel. 

Explore Detections

To enable defenders to proactively thwart intrusions posed by Kimsuky APT, SOC Prime Platform aggregates a broader selection of detection algorithms covering relevant adversary activity. Just search Threat Detection Marketplace by the “Kimsuky” tag based on the group identifier or follow this link.

Kimsuky Activity Overview: What’s Behind the Latest Campaign

Rapid7 researchers have recently observed novel activity attributed to the notorious North Korea’s Kimsuky gang. The hacking collective, which has been in the limelight in the cyber threat arena for over a decade, has mostly been focused on gathering intelligence with South Korean state bodies being among its primary targets along with organizations in North America, Asia, and Europe. Researchers have uncovered an updated playbook highlighting Kimsuky’s endeavors to evade detection, which points to a significant shift and evolution in the group’s TTPs.

Kimsuky has experimented with multiple attacker techniques, continuously shifting its adversary toolkit. Initially, the gang weaponized Office documents and ISO files, while over the last year, adversaries started exploiting shortcut files. For instance, in the recent campaign dubbed DEEP#GOSU, Kimsuky applied harmful LNK files embedded with PowerShell scripts that triggered an infection chain. In the latest malicous campaign, North Korean hackers employ Compiled HTML Help (CHM) files to drop malware and further collect intelligent data from the compromised hosts. 

According to the research, Kimsuky actors leverage CHM files, which are distributed via ISO, VHD, ZIP, or RAR archives, enabling threat actors to bypass detection. Upon extraction and opening one of the above-mentioned files, it triggers a VBScript that establishes persistence and connects to a remote server to retrieve a subsequent payload, which is capable of collecting and transmitting sensitive data. Although initially intended for help documentation, CHM files have been increasingly weaponized by attackers due to their capability to execute JavaScript upon opening. 

Kimsuky’s ongoing attacks observed in the most recent campaign mainly focus on organizations located in South Korea. Researchers also unveiled an alternate infection chain, which starts with a CHM file that initiates the dropping of batch files capable of information harvesting and a PowerShell script to establish a connection with the C2 server and facilitate data transfer.

The increasing volume of sophisticated attacks linked to the Kimsuky cyber crime gang and the continuous advancement of the group’s adversary techniques encourages defenders to enhance cyber resilience and proactive measures to minimize the risks of intrusions. Leveraging SOC Prime’s Attack Detective, forward-looking organizations can timely spot cyber defense blind spots, effectively address them, and prioritize detection and hunting procedures to preempt attacks they anticipate most.