Summary: Kimsuky, a North Korean state-sponsored hacking group, has been observed using custom-built remote access tools in a recent campaign, a shift away from older backdoors such as PebbleDash. The new infection chains begin with spear-phishing emails carrying malicious attachments that give the operators stealthy access to compromised machines. The change in tooling underlines Kimsuky's persistence and adaptability in cyber-espionage.
Affected: Organizations targeted by Kimsuky
Keypoints:
- Kimsuky is using a modified build of the open-source RDP Wrapper to keep persistent Remote Desktop access to victims and to evade security controls.
- The group now relies on customized remote access tools rather than its traditional backdoors, making its operations harder to detect.
- Infection chains start with spear-phishing emails carrying malicious .LNK shortcut files; the tailored lures suggest the victims were researched beforehand.
- Secondary payloads include keyloggers, credential stealers, and in-memory execution tools that deepen the foothold.
- These tactics point to a focus on long dwell times, gathering intelligence while avoiding detection.
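RDP Wrapper works by redirecting the TermService host to load its own DLL in place of Windows' termsrv.dll, so the registry change it makes is the most durable host-side signal for the tooling in the first keypoint, even when the DLL is renamed or rebuilt. The following is an added example, not code from the original report or from any vendor analysis: a Python check over constructed Sysmon-style registry events (Event ID 13, value set) that flags a TermService ServiceDll pointing anywhere other than the default termsrv.dll, regardless of the DLL's file name, and raises a lower-confidence note when fDenyTSConnections is cleared. The event dictionaries, process images and file paths are made up for the example; the field names follow Sysmon's layout, but nothing here is captured telemetry.

```python
import re
from typing import Dict, List, Optional

# The DLL the Remote Desktop service host loads by default. Any other value means
# TermService has been redirected, which is how RDP Wrapper (and derivatives of it)
# hook the service. Compare the resolved path, not the file name: a modified build
# can keep the name termsrv.dll in a different directory.
DEFAULT_TERMSRV = r"c:\windows\system32\termsrv.dll"

# Registry values of interest, matched case-insensitively against Sysmon's TargetObject.
SERVICEDLL_KEY = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d{3})"
    r"\\services\\termservice\\parameters\\servicedll$"
)
DENYTS_KEY = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d{3})"
    r"\\control\\terminal server\\fdenytsconnections$"
)


def normalize_path(value: str) -> str:
    """Lower-case a registry string and expand the system-root variables Windows uses."""
    v = value.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        v = v.replace(var, r"c:\windows")
    return v


def dword_value(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000000)' rendering of a REG_DWORD value."""
    m = re.search(r"dword \(0x([0-9a-f]{8})\)", details.lower())
    return int(m.group(1), 16) if m else None


def find_rdp_tampering(events: List[Dict]) -> List[Dict]:
    """Return findings for registry-set events that tamper with Remote Desktop."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # only registry value-set events
            continue
        key = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "")
        if SERVICEDLL_KEY.match(key):
            if normalize_path(details) != DEFAULT_TERMSRV:
                findings.append({
                    "severity": "high",
                    "reason": "TermService ServiceDll redirected away from termsrv.dll",
                    "image": ev.get("Image", ""),
                    "value": details,
                })
        elif DENYTS_KEY.match(key) and dword_value(details) == 0:
            # Administrators legitimately enable Remote Desktop, so this is only a
            # review signal; it matters when it coincides with the ServiceDll change.
            findings.append({
                "severity": "low",
                "reason": "Remote Desktop enabled (fDenyTSConnections = 0)",
                "image": ev.get("Image", ""),
                "value": details,
            })
    return findings


# Constructed sample events shaped like Sysmon Event ID 13 records (made up, not captured).
SAMPLE_EVENTS = [
    {   # Benign: the service host re-writing the default path.
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
        "Details": r"%SystemRoot%\System32\termsrv.dll",
    },
    {   # Suspicious: same file name, non-system directory, written by a user-profile binary.
        "EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\Updater\update.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\TermService\Parameters\ServiceDll",
        "Details": r"C:\ProgramData\Updater\termsrv.dll",
    },
    {   # Low-confidence: Remote Desktop switched on by the same binary.
        "EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\Updater\update.exe",
        "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
        "Details": "DWORD (0x00000000)",
    },
    {   # Unrelated key: ignored by this check.
        "EventID": 13, "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
]

if __name__ == "__main__":
    for f in find_rdp_tampering(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}: {f['image']} -> {f['value']}")
```

This only sees what the sensor records: Sysmon has to be configured to log value sets under the TermService and Terminal Server keys, and a live-response check should also read the ServiceDll value directly and compare the on-disk hash of whatever it points to against the signed termsrv.dll. The fDenyTSConnections signal on its own is noise in most environments; the ServiceDll redirection is the one worth alerting on.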