Information-stealing malware has been deployed by North Korean state-backed hacking group Kimsuky in ongoing attacks against South Korean organizations exploiting Compiled HTML Help files, reports The Hacker News.
Intrusions involved the distribution of ISO, RAR, ZIP, or VHD files which, when opened, enable VBScript execution and eventual payload retrieval, a report from Rapid7 showed. This new delivery technique represents yet another expansion of the attack arsenal of Kimsuky, which previously leveraged malicious Windows shortcut files, ISO files, and Microsoft Office documents to facilitate malware infections, according to researchers.
"The modus operandi and reusing of code and tools are showing that the threat actor is actively using and refining/reshaping its techniques and tactics to gather intelligence from victims," the report said.
The findings follow a Symantec report detailing Kimsuky attacks involving the use of a spoofed app to deliver the Endoor backdoor, which allows sensitive data exfiltration and further malware payload delivery.