Cyber Security News

RDP and MS Office Vulnerabilities Abused by Kimsuky in Targeted Intrusions

The AhnLab Security Intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed “Larva-24005,” linked to the notorious North Korean hacking group Kimsuky.

This operation has been targeting critical sectors in South Korea, including the software, energy, and financial industries, since October 2023.

[Figure: Attack Method]

Targeted Industries and Global Attack Vectors

The Larva-24005 operation focuses heavily on South Korean entities but has expanded its reach to include systems in the United States, China, Japan, Germany, Singapore, and several other nations.

The campaign leverages a range of advanced tools and techniques to infiltrate these systems, exploiting vulnerabilities such as the well-known Remote Desktop Protocol (RDP) flaw BlueKeep (CVE-2019-0708).

According to the report, initial access to compromised systems was achieved through the exploitation of the BlueKeep RDP vulnerability.

Forensic evidence indicates that while RDP vulnerability scanners were present, there was no confirmed utilization in the actual breaches.

Instead, the attackers used a mix of phishing emails and other exploit vectors to deliver their payload.

variants developed from 2019 to 2024.

Phishing emails, sent to targets in South Korea and Japan, contained malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882), further enabling malware distribution.

Malware Ecosystem and System Proliferation

Once within the network, the threat actors employed droppers to install various malware suites:

  • RDPWrap: Facilitates persistent remote access by modifying system settings.
  • MySpy: Collects system information.
  • KimaLogger and RandomQuery: Keyloggers that capture user inputs.

These tools, alongside other utilities such as RDPScanner (in both CLI and GUI versions), showcase Kimsuky’s strategic use of loaders and infection mechanisms to ensure continuous access and data exfiltration.

The infrastructure analysis revealed that the attackers predominantly used Korean (.kr) domains for their Command and Control (C2) operations.

For instance, the URLs http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991 and http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7 were part of their communication channels, highlighting a sophisticated setup to manage the rerouting of traffic and potentially evade initial detection.

This campaign underscores the ongoing threat posed by state-sponsored actors like Kimsuky, who continue to refine their tactics and exploit known vulnerabilities to gain unauthorized access. It also illustrates the importance of timely patching and robust cybersecurity practices in thwarting such advanced persistent threats.

Indicators of Compromise (IOCs)

Here are some of the IOCs associated with this campaign:

MD5                              | URL/FQDN
1177fecd07e3ad608c745c81225e4544 | http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991
14caab369a364f4dd5f58a7bbca34da6 | http[:]//star7[.]kro[.]kr/login/img/show[.]php?uDt=177
184a4f3f00ca40d10790270a20019bb4 | http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7
30bcac6815ba2375bef3daf22ff28698 | access-apollo-page[.]r-e[.]kr
46cd19c3dac997bfa1a90028a28b5045 | access-apollo-star7[.]kro[.]kr
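As an added example (not code from the article or from ASEC's report), the following Python parses the flattened MD5/URL rows published above, refangs the `[.]`/`[:]` notation, and checks constructed proxy log lines against the C2 hostnames; the log line format and the sample lines are assumptions for illustration.

```python
import re

# The IoC rows exactly as published in the article, in their flattened form
# (MD5 immediately followed by a defanged URL or FQDN).
IOC_ROWS = """
1177fecd07e3ad608c745c81225e4544http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991
14caab369a364f4dd5f58a7bbca34da6http[:]//star7[.]kro[.]kr/login/img/show[.]php?uDt=177
184a4f3f00ca40d10790270a20019bb4http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7
30bcac6815ba2375bef3daf22ff28698access-apollo-page[.]r-e[.]kr
46cd19c3dac997bfa1a90028a28b5045access-apollo-star7[.]kro[.]kr
"""

# Constructed sample proxy log (not from the report): "timestamp src_ip method url status".
SAMPLE_LOG = """
2025-05-08T09:12:01Z 10.0.0.17 GET http://www.example.com/index.html 200
2025-05-08T09:13:44Z 10.0.0.23 GET http://star7.kro.kr/login/help/show.php?_Dom=991 200
2025-05-08T09:15:02Z 10.0.0.23 GET http://access-apollo-star7.kro.kr/ 404
2025-05-08T09:16:10Z 10.0.0.31 GET https://updates.example.org/patch.msi 200
"""

# An MD5 is exactly 32 hex characters; everything after it is the indicator.
ROW_RE = re.compile(r"^(?P<md5>[0-9a-f]{32})(?P<ioc>\S+)$")

def refang(value):
    """Reverse the [.] and [:] defanging used in the article."""
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_iocs(text):
    """Split each flattened row into (md5, refanged URL-or-FQDN)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable IoC row: {line!r}")
        rows.append((m.group("md5"), refang(m.group("ioc"))))
    return rows

def ioc_host(ioc):
    """Hostname of a URL, or the value itself when it is already a bare FQDN."""
    return re.sub(r"^https?://", "", ioc).split("/")[0].lower()

def match_log(log_text, iocs):
    """Return (log line, matched host) for each request whose host is a known C2 host."""
    c2_hosts = {ioc_host(ioc) for _, ioc in iocs}
    hits = []
    for line in log_text.strip().splitlines():
        host = ioc_host(line.split()[3])  # 4th field is the URL in the assumed format
        if host in c2_hosts:
            hits.append((line, host))
    return hits
```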


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
