
It's 2024 and North Korea's Kimsuky gang is exploiting Windows Help files
2024-03-21 05:30

North Korea's notorious Kimsuky cyber crime gang has commenced a campaign using fresh tactics, according to infosec tools vendor Rapid7.

Rapid7 isn't sure how the gang distributes its latest attack, but is confident the payload includes poisoned Microsoft Compiled HTML Help files along with ISO, VHD, ZIP and RAR files.

Rapid7's researchers cracked open one of the CHM files they believe is the work of Kimsuky and found "An example of using HTML and ActiveX to execute arbitrary commands on a Windows machine, typically for malicious purposes."


Rapid7 chief scientist Raj Samani told The Register his team has moderate confidence this technique is the work of Kimsuky, and that the target of the campaign is South Korea - an assertion supported by many filenames in Korean found in the payload. Samani believes that Kimsuky may be spreading beyond its usual hunting grounds of Asia.

Samani is uncertain if Kimsuky has a particular target for its latest campaign, but suggested Rapid7 will be in a position to offer a more detailed assessment in around April.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/21/kimsuky_chm_file_campaign/