Reconshark

Malware updated 2 months ago (2024-11-29T13:32:22.772Z)

Download STIX

Preview STIX

ReconShark is a new malware variant deployed by the North Korea-linked Advanced Persistent Threat (APT) group, Kimsuky. This tool has been observed in an ongoing campaign, used as an infostealer-downloader and is a new iteration of the group's custom BabyShark malware family. The ReconShark tool is delivered through command-and-control sites such as staradvertiser[.]store, which are known to be controlled by Kimsuky. The group typically engages targets in conversation, delivering a spoofed URL to a Google document that redirects to a malicious website designed to capture Google credentials, or a weaponized Office document that executes the ReconShark reconnaissance malware. Kimsuky has also been exploiting recently disclosed ScreenConnect vulnerabilities to deploy ToddlerShark, another new variant of malware overlapping with ReconShark and BabyShark. These tools have been used in various espionage campaigns against government organizations, research centers, think tanks, and universities across North America, Europe, and Asia. Kroll's analysts believe ToddleShark is a new version of Kimsuky's BabyShark and ReconShark backdoors, previously seen targeting similar organizations in the United States, Europe, and Asia. For certain targets who engage with the attackers, Kimsuky sends weaponized password-protected Word documents that deploy a reconnaissance malware payload called ReconShark. This program probes systems for the presence of known security software and collects information about the target's computer, planning for a future attack. The archive was used to deploy the ReconShark reconnaissance tool, marking the first time this malware, identified as a reconnaissance instrument, has been distributed by the attackers.

Description last updated: 2024-05-17T09:15:35.837Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
BabyShark is a possible alias for Reconshark. BabyShark is a malicious software (malware) that has been linked to the North Korean Advanced Persistent Threat (APT) group known as Kimsuky, also referred to as Thallium and Velvet Chollima. This malware, written in Microsoft Visual Basic script, was first identified in November 2018 and was used p	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Reconnaissance

Phishing

State Sponso...

Korean

Screenconnect

Exploit

Sentinelone

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Kimsuky Threat Actor is associated with Reconshark. Kimsuky is a threat actor group linked to North Korea, known for its malicious cyber activities with a particular focus on espionage. The group has been observed employing a variety of sophisticated tactics and techniques, including the use of malware such as TOGREASE, GREASE, and RandomQuery, which	Unspecified	5

Source Document References

Information about the Reconshark Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	9 months ago	North Korea-linked Kimsuky APT attack targets victims via Messenger
CERT-EU	a year ago	12 Months of Fighting Cybercrime & Defending Enterprises \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	a year ago	North Korea’s Kimsuky gang joins rush to exploit new ScreenConnect bugs
DARKReading	a year ago	North Korea Hits ScreenConnect Bugs to Drop 'ToddleShark' Malware
CERT-EU	a year ago	ScreenConnect flaws exploited to drop new ToddleShark malware
CERT-EU	2 years ago	Nordkorea-Malware-Gruppe Kimsuky greift NGOs an \| ZDNet.de
CERT-EU	2 years ago	El nuevo ataque de ingeniería social de Kimsuky puede usarse para hackear a cualquiera
CERT-EU	2 years ago	North Korean APT group targets email credentials in social engineering campaign
CERT-EU	2 years ago	New Kimsuky social engineering attack can be used to hack anyone
Securityaffairs	2 years ago	Experts detail a new Kimsuky social engineering campaign
CERT-EU	2 years ago	Target of North Korean APT attack spills details of recent Kimsuky campaign
CERT-EU	2 years ago	Kimsuky Strikes Again: New Campaign Targets Credentials and Intelligence
Flashpoint	2 years ago	No title
CERT-EU	2 years ago	Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks
CERT-EU	2 years ago	North Korean-linked APT groups focus on financial gain, intelligence gathering
InfoSecurity-magazine	2 years ago	North Korean APT Group Kimsuky Expands Social Engineering Tactics
CERT-EU	2 years ago	North Korean Hackers Mimic Journalists To Steal Credentials From Organizations
CERT-EU	2 years ago	ReconShark – Kimsuky’s Newest Recon Tool
CERT-EU	2 years ago	N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks
Securityaffairs	2 years ago	North Korea-linked Kimsuky APT uses new recon tool ReconShark