North Korean state-sponsored hacking operation Kimsuky, also known as Velvet Chollima and Thallium, has launched a global cyberespionage campaign with the updated reconnaissance malware dubbed "ReconShark," BleepingComputer reports.
Kimsuky has delivered ReconShark through spear-phishing emails carrying a link to a malicious document hosted on Microsoft OneDrive, according to a SentinelLabs report; ReconShark is an evolved version of the BabyShark malware the group used previously. ReconShark uses Windows Management Instrumentation (WMI) to collect system information and to check which security software is running on the targeted machine, then exfiltrates that data directly.
"The ability of ReconShark to exfiltrate valuable information, such as deployed detection mechanisms and hardware information, indicates that ReconShark is part of a Kimsuky-orchestrated reconnaissance operation that enables subsequent precision attacks, possibly involving malware specifically tailored to evade defenses and exploit platform weaknesses," said the report, which also noted ReconShark's ability to retrieve additional payloads.
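The reconnaissance pattern described above (WMI queries for hardware and OS details combined with enumeration of installed security products) can be correlated on the endpoint side. This is an added Python example, not code from the SentinelLabs report or any of the outlets cited; the process-creation events, host names and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that touch WMI at all (wmic, PowerShell WMI/CIM cmdlets, Win32_ classes).
WMI_CONTEXT = re.compile(r"\bwmic\b|get-wmiobject|get-ciminstance|\bwin32_", re.I)
# Enumeration of installed security products via the SecurityCenter2 namespace.
SECURITY_SW = re.compile(r"securitycenter2|antivirusproduct|antispywareproduct|firewallproduct", re.I)
# Hardware / OS fingerprinting queries.
SYSTEM_INFO = re.compile(r"\bwmic\s+(computersystem|os|cpu|bios)\b|win32_(computersystem|operatingsystem|processor|bios)", re.I)

# Constructed process-creation events (timestamp, host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-04-10T09:00:01", "ws01", "wmic computersystem get Manufacturer,Model,TotalPhysicalMemory"),
    ("2024-04-10T09:00:03", "ws01", r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("2024-04-10T11:15:00", "ws02", "wmic os get Caption,Version"),
    ("2024-04-10T15:00:00", "ws04", "powershell -c Get-CimInstance -ClassName Win32_OperatingSystem"),
    ("2024-04-10T15:40:00", "ws04", r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
]


def classify(cmdline):  # reconnaissance categories of a WMI command line; empty set if not WMI
    if not WMI_CONTEXT.search(cmdline):
        return set()
    tags = set()
    if SECURITY_SW.search(cmdline):
        tags.add("security_software")
    if SYSTEM_INFO.search(cmdline):
        tags.add("system_info")
    return tags


def correlate(events, window=timedelta(minutes=5)):  # one alert per host where both categories co-occur
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        tags = classify(cmd)
        if tags:
            per_host[host].append((datetime.fromisoformat(ts), tags))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, tags0) in enumerate(hits):
            seen = set(tags0)  # categories seen from this hit forward, within the window
            for t, tags in hits[i + 1:]:
                if t - t0 > window:
                    break
                seen |= tags
            if {"system_info", "security_software"} <= seen:
                alerts.append({"host": host, "start": t0.isoformat(), "tags": sorted(seen)})
                break
    return alerts
```

Only ws01 is flagged: ws02 fingerprints the OS without checking security products, and ws04 does both but 40 minutes apart, outside the window.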
TechCrunch reports that U.S. conservative think tank The Heritage Foundation was working on addressing a cyberattack against its systems last week, but investigation into whether any of its data was compromised is still underway.
Nexperia has confirmed that some of its servers were compromised in a cyberattack last month, following a report from Dutch broadcaster RTL detailing attackers' claims to have exfiltrated hundreds of gigabytes of data from the Chinese-owned Dutch semiconductor manufacturer, according to Cybernews.
Iranian state-backed threat operation MuddyWater, also known as TA450, Mango Sandstorm, and Boggy Sandstorm, has leveraged the novel DarkBeatC2 command-and-control infrastructure tool as part of its latest attack campaign, The Hacker News reports.