Kimsuky’s Campaigns Leverage CHM Files for Enhanced Espionage

A cyberespionage campaign attributed to Kimsuky (aka Black Banshee, Emerald Sleet, Springtail, THALLIUM, Velvet Chollima), a North Korean state-sponsored threat group, has been unveiled, utilizing updated attack techniques involving CHM files, as reported by researchers from Rapid7 Labs. Aligned with past Kimsuky operations, this campaign focuses on intelligence collection with evasive techniques in mind focusing on container files to conceal their payloads and relying heavily on living-off-the-land binaries (LOLBins). Historically, Kimsuky is identified to have targeted South Korean government entities, individuals involved in the Korean peninsula's unification process, and global experts in areas of interest to the regime. Given the titles of the lure documents, the campaign seems targeted towards entities involved in defense, nuclear affairs, and research.

The focal point of Rapid7's analysis highlighted Kimsuky's current use of CHM files, a Microsoft-compiled HTML help file format, embedded within container files like ISO, VHD, ZIP, or RAR to bypass initial security measures. Once the CHM file is executed, it triggers a chain of malicious activities facilitated by various tools and processes. Initially, the CHM file contains a VBScript that, through the use of certutil - a legitimate Windows tool, decodes and executes a malicious script establishing persistence on the victim's machine via registry modifications and scheduled tasks.

Diving deeper, two distinct attack scenarios were dissected. The first involves directly executing a VBScript from a CHM file, leading to data exfiltration to a command-and-control (C2) server. The script gathers system information, running processes, and specific file lists before encoding and transmitting this data to the attacker's server. The second scenario, identified in a new wave of attacks, deploys .bat and VBS scripts to perform similar intelligence-gathering tasks, albeit with variations in the data targeted and the C2 server used.

These methods not only demonstrate Kimsuky's persistence but also their adaptability in exploiting systems for espionage. An assessment made by Rapid7 identified the operators’ "modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims." This perspective is further reinforced by insights from Raj Samani, Rapid7's chief scientist, who, in a discussion with The Register, indicated that Kimsuky might be expanding its activities beyond Asia. This expansion reflects a broadening geographical focus and a high level of technical skill, as evidenced by Rapid7's findings on the group's advanced tactics.