Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Kaspersky reveals Kimsuky operation that is targeting South Korea

After months of investigation security researchers from Kaspersky have detected a new cyber espionage campaign dubbed Kimsuky that targeted South Korean organizations. Kaspersky experts have discovered a new cyber espionage campaign dubbed Kimsuky due the names “kim” used by hackers for drop box email accounts during in the attacks. “It’s interesting that the drop box […]

Kaspersky reveals Kimsuky operation that is targeting South Korea

After months of investigation security researchers from Kaspersky have detected a new cyber espionage campaign dubbed Kimsuky that targeted South Korean organizations.

Kaspersky experts have discovered a new cyber espionage campaign dubbed Kimsuky due the names “kim” used by hackers for drop box email accounts during in the attacks.

“It’s interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following “kim” names: kimsukyang and “Kim asdfa”.”

The Kimsuky cyber espionage campaign appears to be originated in North Korea and hit numerous organizations, eleven of which located in the South Korea and two in China, including the Korea Institute For Defense Analyses (KIDA), The Sejong Institute, the Hyundai Merchant Marine and the Ministry of Unification.

According security experts the cyber criminals are interesting to collect information on international affairs  from organizations that support groups for Korean unification and produce defense policies for government, national shipping company and universities.

The Kaspersky researchers revealed that the operation presents distinctive characteristics in its execution and logistics. The investigation started after the team of experts detected an unsophisticated spy program that communicated with it control server via a public e-mail server, an approach followed by too many amateur malware authors.

However, there were a few things that attracted our attention:

  • The public e-mail server in question was Bulgarian – mail.bg.
  • The compilation path string contained Korean hieroglyphs.

These two facts compelled us take a closer look at this malware — Korean compilers alongside Bulgarian e-mail command-and-control communications. The complete path found in the malware presents some Korean strings:

D:\rsh\공격\UAC_dll(완성)\Release\test.pdb

The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:

D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb

The attackers infected victims with a malware able to remote controls the PC, logging keystrokes, stealing HWP documents ans collecting directory listings. At system startup, the basic library disables the system firewall and any firewall produced by the South Korean security product vendor AhnLab.

The bot agents communicate with C&C through the Bulgarian web-based free email server (mail.bg), it  maintains a hard coded credentials for its e-mail account. After authenticating, the malware sends emails to another specified email address, and reads emails from the Inbox.  Malware authors have implemented these procedures via the “mail. bg” web-interface with the use of the system Wininet API functions.

The Kaspersky team revealed that the campaign isn’t extended and despite it is not clear the vector used for malware diffusion it is likely that hackers served it via spear phishing emails.

The IP addresses used by the cyber criminals are all in ranges of China’s Jilin Province Network and the Liaoning Province Network, but the ISPs covering these areas maintain lines in North Korea.

The Kimsuky Operation North_Korean Region

 

All the evidences collected led security researchers to suppose that the attackers behind Kimsuky operation are based in North Korea.

(Security Affairs – Kimsuky  Operation, cyber espionage, North Korea)