@securityonline.info
North Korea-linked APT group Kimsuky, also known as Monolithic Werewolf, has resurfaced with an evolved version of its AppleSeed campaign, targeting Korean users via social media. The Genians Security Center (GSC) detected this activity, noting that it spanned from March to April 2025. The attackers leveraged multiple communication channels, including Facebook, email, and Telegram, to distribute malicious files, demonstrating a multi-platform infiltration model. This campaign specifically targeted individuals involved in North Korean defector support, using coordinated social engineering efforts to gain trust.
The attackers employed several techniques to bypass defenses and gain persistence. Two Facebook accounts, posing as missionaries or church researchers, were used to open conversations and build rapport with the targets. Once trust was established, the operators sent password-protected EGG-format archives containing a malicious JScript file, a choice that evades mobile-based scanning and forces the victim to open the archive on a Windows PC. The JScript file then triggered a chain of file drops and stealthy installations, including decoding Base64-encoded DLLs with PowerShell and Certutil, and established persistence by adding a Run registry entry. AppleSeed itself functions as a remote access trojan (RAT): the final-stage payload collects host information, checks for administrator privileges and UAC settings, then compresses and encrypts the collected data before sending it back to the attackers. The campaign illustrates the group's adaptive tactics: Facebook for initial contact and lure delivery, email for follow-up spear phishing with EGG archives, and Telegram for targets whose phone numbers had been obtained. Security analysts recommend proactive threat hunting and triage strategies to defend against this evolving threat.
Pierluigi Paganini@Security Affairs
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits the patched Microsoft Remote Desktop Services flaw known as BlueKeep (CVE-2019-0708) to gain initial access to systems. According to a report from the AhnLab Security Intelligence Center (ASEC), Kimsuky has targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, since October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.
The attackers used a combination of techniques to infiltrate systems. Although RDP vulnerability scanners were found on compromised systems, ASEC notes that the breaches were not always initiated through those scanners; in other cases Kimsuky used phishing emails whose attachments exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to deliver malware. Once inside, the attackers ran a dropper that deployed several tools: MySpy, which collects system information; RDPWrap, which enables persistent remote desktop access by modifying the host's RDP settings; and the keyloggers KimaLogger and RandomQuery, which capture user keystrokes. The group predominantly used ".kr" domains for command-and-control (C2), with infrastructure set up to manage traffic routing in ways that can evade detection. ASEC's analysis of that infrastructure revealed a global footprint, with victims identified across Asia, Europe, and North America. The combination of an RDP exploit and phishing shows a versatile approach to initial access, and underlines that both patching exposed services and educating users about phishing are necessary.
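As an added hunting example (not code from either the Genians or the ASEC report), the following Python script triages constructed Windows process-creation events (Sysmon event 1 / Security 4688 style) for the tradecraft described in both campaigns above: a JScript dropper launched by the script host from a user-writable directory, certutil and PowerShell Base64 decoding of dropped DLLs, a Run key written for persistence, Equation Editor (EQNEDT32.EXE) spawning a child process, and the RDP Wrapper installer. The sample events, host names, file names and the exact command-line forms matched are assumptions made for this example, not indicators taken from the reports, and the rule set is illustrative rather than complete.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule: (name, what it looks for, predicate over one event).
# The command-line patterns are assumptions for this example, not report IOCs.
RULES = [
    ("script_host_from_user_dir",
     "wscript/cscript running a .js/.jse file from a user-writable path (JScript dropper)",
     lambda e: _base(e.image) in {"wscript.exe", "cscript.exe"}
     and re.search(r"\\(downloads|temp|appdata)\\\S*?\.jse?\b", e.command_line, re.I)),
    ("certutil_decode",
     "certutil.exe used to Base64-decode a dropped file",
     lambda e: _base(e.image) == "certutil.exe"
     and re.search(r"(^|\s)-decode(hex)?\b", e.command_line, re.I)),
    ("powershell_base64",
     "PowerShell decoding Base64 (FromBase64String) or running an encoded command",
     lambda e: _base(e.image) in {"powershell.exe", "pwsh.exe"}
     and re.search(r"frombase64string|-e(nc(odedcommand)?)?\s", e.command_line, re.I)),
    ("run_key_persistence",
     "Run/RunOnce key written via reg.exe or PowerShell",
     lambda e: _base(e.image) in {"reg.exe", "powershell.exe", "pwsh.exe"}
     and re.search(r"currentversion\\run(once)?\b", e.command_line, re.I)),
    ("eqnedt32_child",
     "Equation Editor spawning a child process (CVE-2017-11882 exploitation pattern)",
     lambda e: _base(e.parent_image) == "eqnedt32.exe"),
    ("rdpwrap",
     "RDP Wrapper installer or library referenced on the command line",
     lambda e: re.search(r"rdpw(rap|inst)", e.image + " " + e.command_line, re.I)),
]


def triage(events):
    """Return {host: {rule_name: [matching command lines]}} for hosts with hits."""
    findings = {}
    for e in events:
        for name, _desc, pred in RULES:
            if pred(e):
                findings.setdefault(e.host, {}).setdefault(name, []).append(e.command_line)
    return findings


def prioritise(findings):
    """Hosts tripping the most distinct rules first (a chain, not a one-off)."""
    return sorted(findings, key=lambda h: (-len(findings[h]), h))


# Constructed sample telemetry (assumed paths and names, not real events).
T = r"C:\Users\kim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent("WS-01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\kim\Downloads\missionary_list.js"'),
    ProcEvent("WS-01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\certutil.exe",
              rf"certutil -decode {T}\a.txt {T}\a.dll"),
    ProcEvent("WS-01", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"[IO.File]::WriteAllBytes('"
              + T + r"\b.dll',[Convert]::FromBase64String((Get-Content '" + T + r"\b.txt')))" + '"'),
    ProcEvent("WS-01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SystemUpdate"
              rf' /t REG_SZ /d "regsvr32 /s {T}\a.dll"'),
    ProcEvent("WS-01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe"),
    ProcEvent("WS-02", r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\lee\AppData\Roaming\svc.exe"),
    ProcEvent("WS-02", r"C:\Users\lee\AppData\Roaming\svc.exe", r"C:\ProgramData\RDPWrap\RDPWInst.exe",
              r"C:\ProgramData\RDPWrap\RDPWInst.exe -i"),
    ProcEvent("WS-03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\tools\x.exe SHA256"),
    ProcEvent("WS-03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\tools\inventory.ps1"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host in prioritise(hits):
        print(host, sorted(hits[host]))
```

The rules are deliberately narrow command-line matches so that the benign certutil and PowerShell usage on WS-03 stays quiet; in real telemetry you would pair them with file-creation and registry-set events and treat a single host tripping several rules in sequence (as WS-01 does here) as the chain to escalate first.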