Threat Actors May Abuse VS Code Extensions To Deploy Ransomware And...

North Korean threat actors are evolving their attack strategies by leveraging developer-focused tools as infection vectors.

Recent security discoveries reveal that Kimsuky, a nation-state group operating since 2012, has been utilizing JavaScript-based malware to infiltrate systems and establish persistent command and control infrastructure.

The group traditionally focuses on espionage against government entities, think tanks, and subject-matter experts, but this latest campaign shows both its expanding technical capabilities and a growing willingness to target the software supply chain through the tools developers use.

The attack chain begins with a simple yet effective delivery mechanism: a JavaScript file named Themes.js that serves as the initial dropper.

Unlike heavily obfuscated malware, this sample employs straightforward code wrapped in a try-catch block, prioritizing functionality over stealth.

The file initiates contact with adversary-controlled infrastructure hosted under medianewsonline[.]com, a hosting service that lets users, threat actors included, register their own subdomains and serve content from them.

This infrastructure choice reflects the attacker’s understanding of legitimate hosting services that security systems often whitelist or overlook.

Pulsedive security researchers noted the sophistication of the multi-stage attack architecture during their analysis of the infection chain.

The malware operates through a cascading payload delivery system, where each stage downloads and executes subsequent components.

The initial JavaScript file sends a GET request to iuh234[.]medianewsonline[.]com/dwnkl.php, transmitting the compromised machine’s hostname and a hardcoded authentication key.
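The check-in described above is a concrete network indicator that defenders can hunt for in web proxy or DNS logs. The following detector is an added example written for this page; it is not code from the article, from Pulsedive, or from the malware itself. It assumes a simple whitespace-separated proxy log format (timestamp, client IP, method, URL, status), and the query parameter names `name` and `key` in the constructed sample line are assumptions, since the article only says the dropper sends the hostname and a hardcoded key, not how the fields are named. Severity is tiered: an exact match on the reported host and path is high, the same `dwnkl.php` path on any other subdomain of the service is medium, and any other traffic to a subdomain of the free-hosting service is low and worth a look rather than an alert.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the report.
KNOWN_C2_HOST = "iuh234.medianewsonline.com"   # reported dropper check-in host
C2_PATH = "/dwnkl.php"                         # reported check-in path
FREE_SUBDOMAIN_SERVICE = "medianewsonline.com" # subdomain hosting service abused here

# Constructed sample proxy log lines (not real telemetry). Assumed format:
# <timestamp> <client_ip> <method> <url> <status>
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET http://iuh234.medianewsonline.com/dwnkl.php?name=DEV-WS01&key=abc123 200",
    "2024-05-01T10:00:03Z 10.0.0.5 GET https://update.example.org/manifest.json 200",
    "2024-05-01T10:01:10Z 10.0.0.9 POST http://cdn.medianewsonline.com/dwnkl.php 200",
    "2024-05-01T10:02:00Z 10.0.0.7 GET http://medianewsonline.com/index.html 200",
]


@dataclass
class Finding:
    client_ip: str
    method: str
    host: str
    path: str
    severity: str            # "high" | "medium" | "low"
    reason: str
    params: Dict[str, str] = field(default_factory=dict)  # query string, kept for triage


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one proxy log line, or None if it is not of interest."""
    fields = line.split()
    if len(fields) < 5:
        return None  # malformed line; a real pipeline would count these
    _ts, client_ip, method, url, _status = fields[:5]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Only subdomains of the service are interesting; the apex is the provider's own site.
    if not host.endswith("." + FREE_SUBDOMAIN_SERVICE):
        return None

    # Flatten the query string so the beaconed hostname/key are visible to an analyst.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if host == KNOWN_C2_HOST and parts.path == C2_PATH:
        severity, reason = "high", "exact match on reported Kimsuky dropper check-in URL"
    elif parts.path == C2_PATH:
        severity, reason = "medium", "dwnkl.php check-in path on another medianewsonline subdomain"
    else:
        severity, reason = "low", "traffic to subdomain of free-hosting service used by the campaign"

    return Finding(client_ip, method, host, parts.path, severity, reason, params)


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over a batch of log lines and keep only the hits."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.severity}] {hit.client_ip} {hit.method} {hit.host}{hit.path} "
              f"params={hit.params} :: {hit.reason}")
```

Matching on the host suffix rather than on the single reported subdomain matters because subdomain hosting services let an operator spin up a fresh name in minutes; the reported `iuh234` host is the indicator of this sample, while the service plus the `dwnkl.php` path is the more durable pattern.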

Source: Cybersecurity News