North Korea-Backed Spy Group Poses as Reporters in Spearphishing Attacks, Feds Warn
2020-10-28 12:32

The North Korean advanced persistent threat group known as Kimsuky is actively attacking commercial-sector businesses, often by posing as South Korean reporters, according to an alert from the U.S. Cybersecurity and Infrastructure Security Agency.

Kimsuky has been operating as a cyberespionage group since 2012 under the auspices of the regime in Pyongyang.

"Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport," according to CISA. "The emails contained the subject line, 'Skype Interview requests of in Seoul,' and began with a request to have the recipient appear as a guest on the show. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula."

"Kimsuky likely obtained the credentials from the victims via spearphishing and credential-harvesting scripts," according to the CISA alert.

"Kimsuky uses ProcDump, a Windows command line administration tool, also available for Linux, that allows a user to create crash dumps/core dumps of processes based upon certain criteria, such as high central processing unit utilization. ProcDump monitors for CPU spikes and generates a crash dump when a value is met; it passes information to a Word document saved on the computer. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky's inclusion of ProcDump in the BabyShark malware."


News URL

https://threatpost.com/north-korea-spy-reporters-feds-warn/160622/