CyberSecurity news

FlagThis - #kimsuky

Pierluigi Paganini@Security Affairs //
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security Intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.

The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through the use of these scanners. Instead, Kimsuky leveraged phishing emails containing malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. Once inside, the attackers installed a dropper to deploy various malware suites, including MySpy, designed to collect system information, and RDPWrap, a tool that facilitates persistent remote access by modifying system settings.

To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics.



References :
  • securityaffairs.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
  • The Hacker News: Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
  • gbhackers.com: The AhnLab Security Intelligence Center (ASEC) has released a detailed analysis of a sophisticated cyber campaign dubbed "Larva-24005," linked to the notorious North Korean hacking group Kimsuky.
  • securityonline.info: A new cybersecurity report from the AhnLab Security Intelligence Center (ASEC) has shed light on a recently identified
  • Daily CyberSecurity: A new cybersecurity report from the AhnLab Security Intelligence Center (ASEC) has shed light on a recently identified
  • ciso2ciso.com: Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan – Source: securityaffairs.com
  • www.csoonline.com: North Korea-backed Kimsuky targets unpatched BlueKeep systems in new campaign
  • www.scworld.com: Attacks with BlueKeep, Microsoft Office exploits launched by Kimsuky-linked group
  • bsky.app: Kimsuky group was observed using RDP to gain initial access and deploy malware in several high-profile breaches.
Classification:
  • HashTags: #Kimsuky #APT #BlueKeep
  • Target: South Korea and Japan
  • Attacker: Kimsuky
  • Product: Microsoft RDP
  • Feature: RDP
  • Malware: BlueKeep
  • Type: Hack
  • Severity: Medium
@gbhackers.com //
North Korean state-backed threat group Kimsuky, also known as APT43, is actively targeting South Korean entities through a sophisticated cyber campaign, dubbed DEEP#DRIVE. This ongoing operation, potentially active since September, involves attacks leveraging PowerShell and Dropbox against South Korean government, business, and cryptocurrency firms. The attackers initiate intrusions with phishing emails containing a ZIP archive with an LNK file, disguised as legitimate documents, to trick recipients into triggering the infection process.

The attack chain relies heavily on PowerShell scripts for various stages, including payload delivery, reconnaissance, and execution, as well as using Dropbox for payload distribution and data exfiltration. Upon execution, the LNK file initiates a PowerShell script that retrieves a lure document hosted on Dropbox. It also retrieves another PowerShell script for system data exfiltration and installs a third script to execute an unknown .NET assembly. This cloud-based infrastructure enables stealthy payload hosting and retrieval, complicating detection efforts.

@talkback.sh //
Kimsuky, a North Korean advanced persistent threat operation also known as APT43, is actively targeting South Korean entities within the business, government, and cryptocurrency sectors. The hacking group employs a sophisticated attack campaign, named DEEP#DRIVE, that starts with spear-phishing emails designed to establish trust by spoofing a South Korean government official. These emails contain malicious PDF documents and links redirecting victims to websites hosting PowerShell code, ultimately leading to code execution on the targeted systems.

This campaign leverages tailored phishing lures written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files. The attack chain heavily relies on PowerShell scripts for payload delivery, reconnaissance, and execution. Dropbox is utilized for payload distribution and data exfiltration, using OAuth token-based authentication for Dropbox API interactions, which allows for seamless exfiltration of data while bypassing traditional IP or domain blocklists. This makes the threat actors difficult to detect.



References :
  • talkback.sh: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • The Hacker News: North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
  • www.scworld.com: PowerShell exploited in new Kimsuky intrusions
  • MSSP feed for Latest: PowerShell Exploited in New Kimsuky Intrusions
  • MSSP feed for Latest: The Hacker News report on Kimsuky's ongoing attacks using PowerShell and Dropbox.
Classification:
  • HashTags: #Kimsuky #APT43 #NorthKorea
  • Target: South Korean organizations
  • Attacker: Kimsuky (APT43)
  • Type: Hack
  • Severity: Medium