The AhnLab SEcurity intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed “Larva-24005,” linked to the notorious North Korean hacking group Kimsuky.
This operation has been targeting critical sectors in South Korea, including software, energy, and financial industries since October 2023.

Targeted Industries and Global Attack Vectors
The Larva-24005 operation focuses heavily on South Korean entities but has expanded its reach to include systems in the United States, China, Japan, Germany, Singapore, and several other nations.
The campaign leverages a range of advanced tools and techniques to infiltrate these systems, exploiting vulnerabilities such as the infamous RDP vulnerability known as BlueKeep (CVE-2019-0708).
According to the report, initial access is attributed to exploitation of the BlueKeep RDP vulnerability.
Forensic evidence, however, only confirms that RDP vulnerability scanners were present on the systems; their use in the actual breaches was not confirmed.
Instead, the attackers used a mix of phishing emails and other exploit vectors to deliver their payload.

Phishing emails, sent to targets in South Korea and Japan, contained malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882), further enabling malware distribution.

Malware Ecosystem and System Proliferation
Once within the network, the threat actors employed droppers to install various malware suites:
- RDPWrap: Facilitates persistent remote access by modifying system settings.
- MySpy: Collects system information.
- KimaLogger and RandomQuery: Keyloggers that capture user inputs.
These tools, alongside other utilities such as RDPScanner (available in both CLI and GUI versions), show Kimsuky’s systematic use of loaders and infection mechanisms to maintain continuous access and exfiltrate data.
Infrastructure analysis revealed that the attackers predominantly used Korean (.kr) domains for their Command and Control (C2) operations.
For instance, the URLs http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991 and http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7 served as communication channels. Routing C2 traffic through such domains helps the operators manage and reroute traffic and potentially evade initial detection.
This campaign underscores the ongoing threat posed by state-sponsored actors like Kimsuky, who continue to refine their tactics and exploit known vulnerabilities to gain unauthorized access, illustrating the importance of timely patching and robust cybersecurity practices to thwart such advanced persistent threats.

Indicators of Compromise (IOCs)
Here are some of the IOCs associated with this campaign:

| MD5 | URL/FQDN |
|---|---|
| 1177fecd07e3ad608c745c81225e4544 | http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991 |
| 14caab369a364f4dd5f58a7bbca34da6 | http[:]//star7[.]kro[.]kr/login/img/show[.]php?uDt=177 |
| 184a4f3f00ca40d10790270a20019bb4 | http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7 |
| 30bcac6815ba2375bef3daf22ff28698 | access-apollo-page[.]r-e[.]kr |
| 46cd19c3dac997bfa1a90028a28b5045 | access-apollo-star7[.]kro[.]kr |
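The C2 domains described above and the IOC table are only useful if they are turned into something a defender can actually run against telemetry. The following Python script is an added example, not part of the ASEC report or this article: it refangs the published indicators (the `[.]` and `[:]` substitutions), builds lookup sets for exact C2 URLs, C2 hostnames and MD5 hashes, and then sweeps a constructed proxy log and a constructed list of file hashes for matches. The log format (`timestamp client_ip method url-or-host:port status`) and the sample lines are assumptions made up for this example; real IOCs come only from the table above.

```python
import hashlib
from urllib.parse import urlparse

# Indicators exactly as published in the article, still defanged.
IOC_MD5 = {
    "1177fecd07e3ad608c745c81225e4544",
    "14caab369a364f4dd5f58a7bbca34da6",
    "184a4f3f00ca40d10790270a20019bb4",
    "30bcac6815ba2375bef3daf22ff28698",
    "46cd19c3dac997bfa1a90028a28b5045",
}
IOC_NETWORK = [
    "http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991",
    "http[:]//star7[.]kro[.]kr/login/img/show[.]php?uDt=177",
    "http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7",
    "access-apollo-page[.]r-e[.]kr",
    "access-apollo-star7[.]kro[.]kr",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.] / [:] / hxxp) back into its real form."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def ioc_host(ioc: str) -> str:
    """Hostname of a (possibly defanged) URL or bare FQDN, lower-cased."""
    real = refang(ioc)
    if "://" in real:
        return (urlparse(real).hostname or "").lower()
    return real.split("/")[0].split(":")[0].lower()


# Two lookup tiers: exact C2 URL (high confidence) and C2 host (any path).
IOC_URLS = {refang(i) for i in IOC_NETWORK if "://" in refang(i)}
IOC_HOSTS = {ioc_host(i) for i in IOC_NETWORK}

# Constructed sample proxy log (assumed format, not real traffic):
# <timestamp> <client_ip> <method> <url-or-host:port> <status>
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:01Z 10.0.0.15 GET http://star7.kro.kr/login/help/show.php?_Dom=991 200
2024-03-04T09:12:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2024-03-04T09:13:44Z 10.0.0.22 CONNECT access-apollo-page.r-e.kr:443 200
2024-03-04T09:15:10Z 10.0.0.22 GET http://star7.kro.kr/other/path.php 404
"""


def scan_proxy_log(log_text: str):
    """Return (line_no, host, match_kind) for every line touching a listed IOC.

    match_kind is "url" for an exact C2 URL hit, "host" for the same C2 host
    reached via a different path or port (still worth triage).
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or empty line
        target = fields[3]
        if "://" in target:
            host = (urlparse(target).hostname or "").lower()
        else:
            host = target.split(":")[0].lower()  # CONNECT host:port form
        if target in IOC_URLS:
            hits.append((line_no, host, "url"))
        elif host in IOC_HOSTS:
            hits.append((line_no, host, "host"))
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, in the lowercase hex form the IOC table uses."""
    return hashlib.md5(data).hexdigest()


def check_md5_list(hashes):
    """Return the hashes (normalised to lowercase) that appear in the IOC set."""
    return [h.lower() for h in hashes if h.lower() in IOC_MD5]


if __name__ == "__main__":
    for line_no, host, kind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {kind} match on {host}")
    # Constructed hash list: one published IOC (upper-cased) and one benign hash.
    print(check_md5_list(["1177FECD07E3AD608C745C81225E4544", md5_hex(b"")]))
```

Host-level matching deliberately fires on `star7.kro.kr` even for paths not in the table, since the operators can change the PHP path on an existing C2 host far more easily than the host itself; treat "host" hits as leads for triage rather than confirmed compromise, and feed the refanged sets into whatever blocklist or SIEM lookup your environment already uses.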