North Korean Hackers use Nuclear Threat to Trick Victims

North Korean hackers are reportedly exploiting North Korea’s own nuclear threats as a “lure” to get victims to open malicious files and thereby compromise them.

The North Korean cyber espionage group Kimsuky (also known as Black Banshee or Thallium) focuses on targeting South Korean government entities, think tanks, and individuals. The group has also attacked targets in the US, Russia, and Europe to collect intelligence on foreign policy, national security issues related to the Korean peninsula, nuclear policy, and sanctions.

Rapid7 Labs researchers found that the group is using new tactics to target victims: after previously relying on weaponized Office documents, ISO files, and abuse of shortcut (LNK) files, it recently began using nuclear topics as a lure to entice targeted individuals into opening new types of files.

According to Cybernews, this tactic includes filenames like “North Korean nuclear crisis escalation model and determinants of nuclear use”, “North Korea’s nuclear strategy revealed in ‘Legalization of Nuclear Forces’”, or “Factors and types of North Korea’s use of nuclear weapons.” These files were found as part of a larger Compiled HTML Help (CHM) file that can be delivered in multiple ways to bypass the first line of defense.

CHM (Compiled HTML Help) is a proprietary Microsoft online help format: a collection of HTML pages, an index, and other navigation aids, compressed into a single binary file with the .chm extension, and commonly used for software documentation. It turns out attackers discovered that the same format can be used to deliver and execute malicious payloads.
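For a defender triaging a suspicious attachment, the useful property of the CHM format is that its directory listing (the ITSP header and PMGL chunks that name every embedded file) is stored uncompressed, while the page content itself is usually LZX-compressed, so grepping the raw file for payload strings is unreliable but listing the embedded file names is not. The following is an added example, not code from the article, Rapid7, or Cybernews; it follows the CHM layout as documented by the chmlib project, and the sample file it builds (`build_sample_chm`) and the list of flagged extensions are constructed for illustration:

```python
import struct
from dataclasses import dataclass

# Extensions that have no business inside help documentation (constructed list, extend as needed).
SUSPICIOUS_EXT = ('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.hta', '.ps1', '.lnk')


@dataclass
class ChmEntry:
    name: str      # path inside the archive, e.g. "/index.htm"
    section: int   # 0 = stored uncompressed, 1 = LZX-compressed content section
    offset: int    # offset of the file within that section
    length: int    # uncompressed length of the file


def decode_encint(buf, pos):
    """Decode a CHM ENCINT: big-endian 7-bit groups, high bit set on every byte but the last."""
    value = 0
    while True:
        byte = buf[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos


def encode_encint(value):
    """Inverse of decode_encint, used only to build the sample file."""
    groups = []
    while True:
        groups.append(value & 0x7F)
        value >>= 7
        if not value:
            break
    groups.reverse()
    return bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])


def is_chm(data):
    """Magic-byte check: CHM files start with 'ITSF' whatever extension they were renamed to."""
    return data[:4] == b'ITSF'


def list_chm_entries(data):
    """Walk the uncompressed ITSP/PMGL directory listing and return every embedded file entry."""
    if not is_chm(data):
        raise ValueError('missing ITSF signature: not a CHM file')
    # ITSF header: signature, version, header length, unknown, timestamp, language id, two GUIDs,
    # then (offset, length) for header section 0 and for section 1, the directory listing.
    (_sig, _ver, _hlen, _unk, _ts, _lang, _g1, _g2,
     _off0, _len0, dir_off, dir_len) = struct.unpack_from('<4sIIIII16s16sQQQQ', data, 0)
    directory = data[dir_off:dir_off + dir_len]
    if directory[:4] != b'ITSP':
        raise ValueError('directory listing lacks ITSP signature')
    (_sig, _ver, itsp_len, _unk, chunk_size, _density, _depth, _root,
     first_pmgl, last_pmgl, _unk2, _num_chunks) = struct.unpack_from('<4sIIIIIIiIIiI', directory, 0)
    entries = []
    for chunk_no in range(first_pmgl, last_pmgl + 1):
        start = itsp_len + chunk_no * chunk_size
        chunk = directory[start:start + chunk_size]
        if chunk[:4] != b'PMGL':            # PMGI index chunks carry no file entries
            continue
        _sig, free_space, _unk, _prev, _next = struct.unpack_from('<4sIIii', chunk, 0)
        pos, end = 20, chunk_size - free_space   # entries sit between the 20-byte PMGL header and the free/quickref area
        while pos < end:
            name_len, pos = decode_encint(chunk, pos)
            name = chunk[pos:pos + name_len].decode('utf-8', 'replace')
            pos += name_len
            section, pos = decode_encint(chunk, pos)
            offset, pos = decode_encint(chunk, pos)
            length, pos = decode_encint(chunk, pos)
            entries.append(ChmEntry(name, section, offset, length))
    return entries


def triage(entries):
    """Flag entries whose names suggest executable content rather than help pages."""
    return [f'{e.name}: executable content is unusual in help documentation'
            for e in entries if e.name.lower().endswith(SUSPICIOUS_EXT)]


def build_sample_chm():
    """Construct a minimal, structurally valid CHM for testing (sample data, not a real malicious file)."""
    chunk_size = 0x200
    # (name, section, offset, length); names kept in the sorted order the help compiler writes them.
    sample = [('/', 0, 0, 0), ('/#SYSTEM', 0, 0, 64), ('/index.htm', 1, 0, 1200), ('/payload.bat', 0, 64, 300)]
    body = b''.join(encode_encint(len(n.encode())) + n.encode() + encode_encint(s) + encode_encint(o) + encode_encint(l)
                    for n, s, o, l in sample)
    free = chunk_size - 20 - len(body)
    # PMGL header: signature, free space, unknown, previous and next chunk numbers; entry count in the last WORD
    chunk = struct.pack('<4sIIii', b'PMGL', free, 0, -1, -1) + body + b'\0' * (free - 2) + struct.pack('<H', len(sample))
    itsp = struct.pack('<4sIIIIIIiIIiII16sIiii', b'ITSP', 1, 0x54, 0xA, chunk_size, 2, 1, -1, 0, 0, -1, 1,
                       0x409, b'\0' * 16, 0x54, -1, -1, -1)
    directory = itsp + chunk
    off0, len0 = 0x60, 0x18
    dir_off, dir_len = off0 + len0, len(directory)
    content = b'<html><body>sample</body></html>'   # stand-in for the content section
    content_off = dir_off + dir_len
    section0 = struct.pack('<IIQII', 0x1FE, 0, content_off + len(content), 0, 0)   # records the total file size
    header = struct.pack('<4sIIIII16s16sQQQQQ', b'ITSF', 3, 0x60, 1, 0, 0x409, b'\0' * 16, b'\0' * 16,
                         off0, len0, dir_off, dir_len, content_off)
    return header + section0 + directory + content


if __name__ == '__main__':
    entries = list_chm_entries(build_sample_chm())
    for entry in entries:
        print(entry)
    for finding in triage(entries):
        print('FLAG', finding)
```

Run against a real attachment, `is_chm` catches CHM files that arrive under another extension, and the entry listing shows whether the archive holds only help pages or also scripts and executables; a clean listing is not proof of safety, since an HTML page inside the archive can itself carry active content, so this is a first-pass filter, not a verdict.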

This method enables the malicious actor to collect basic system information such as the computer name, OS details, and hardware, as well as running processes, recently opened Word files, and directory listings.

Researchers used telemetry to identify targeted attacks against entities based in South Korea.