© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

JPCERT is warning Japanese organizations to look out for North Korean hackers


Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a North Korean hacking group called Kimsuky is targeting Japanese organizations.

In an attack identified by JPCERT, the threat actor posed as a security and diplomatic organization. The attacker sent an email with a malicious zip attachment whose files carried double file extensions.

To hide the true file extension, each file name contained a large number of spaces. As soon as the victim executed the .exe file, a malicious payload was downloaded from a command and control server controlled by the attacker.
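A mail gateway or triage script can check for this naming trick before a user ever opens the archive. The following is an added example, not code from JPCERT or from this article: it lists zip members whose final extension is executable while the name is padded with whitespace or carries a decoy document extension. The extension lists, the three-character padding threshold and the sample file names are assumptions.

```python
import io
import re
import zipfile

# Assumed policy lists, not taken from the JPCERT report; tune for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk", "chm"}
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pdf", "hwp", "txt", "jpg", "png"}
# Three or more whitespace characters (ASCII or Unicode) in a row.
PADDING = re.compile(r"\s{3,}")


def classify_name(name):
    """Return the reasons an archive member name looks like a disguised executable."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, final_ext = base.rpartition(".")
    if not dot or final_ext.strip().lower() not in EXECUTABLE_EXTS:
        return []  # not something that runs on double-click
    reasons = []
    if PADDING.search(stem):
        reasons.append("whitespace-padding")
    _, inner_dot, inner_ext = stem.rstrip().rpartition(".")
    if inner_dot and inner_ext.lower() in DECOY_EXTS:
        reasons.append("double-extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member name in a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: harmless placeholder bytes, invented names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.docx" + " " * 60 + ".exe", b"placeholder")
        zf.writestr("notes.txt", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(repr(member), why)
```

A plain `setup.exe` is not flagged here because the check targets the disguise, not executables as such; blocking executables in archives outright is a separate policy decision.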

A VBS file was then executed, which downloaded a PowerShell script to collect confidential information, including process lists, network details, file lists from the Downloads, Documents and Desktop folders, and user account information.

The PowerShell script also functioned as a keylogger, collecting usernames, passwords and clipboard information. This data was sent to a remote URL controlled by the attacker.

Kimsuky used the collected information to determine whether an infected device was a legitimate user machine or an analysis environment, such as a sandbox. The credentials were then used to gain access to other parts of the victim’s network.

Kimsuky is predominantly active in South Korea, but JPCERT points out there’s a possibility that Japanese organizations are also being actively targeted.

“The most recent report says that malware in CHM format is used to execute the keylogger, and we need to pay attention to similar attacks in the future,” the Japanese Computer Emergency Response Team says.

