CyberSecurity news
FlagThis - #rdp
|
Pierluigi Paganini@Security Affairs
//
The North Korean hacking group Kimsuky has been identified as the perpetrator of a new cyber espionage campaign, dubbed "Larva-24005," that exploits a patched Microsoft Remote Desktop Services flaw, commonly known as BlueKeep (CVE-2019-0708), to gain initial access to systems. According to a report from the AhnLab Security intelligence Center (ASEC), Kimsuky targeted organizations in South Korea and Japan, primarily in the software, energy, and financial sectors, beginning in October 2023. The campaign also extended to other countries, including the United States, China, Germany, and Singapore, indicating a broader global reach.
The attackers used a combination of techniques to infiltrate systems. While RDP vulnerability scanners were found on compromised systems, the report indicates that the actual breaches were not always initiated through the use of these scanners. Instead, Kimsuky leveraged phishing emails containing malicious attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to distribute malware. Once inside, the attackers installed a dropper to deploy various malware suites, including MySpy, designed to collect system information, and RDPWrap, a tool that facilitates persistent remote access by modifying system settings. To further their surveillance capabilities, Kimsuky deployed keyloggers such as KimaLogger and RandomQuery to capture user keystrokes. The group predominantly used ".kr" domains for their Command and Control (C2) operations, employing sophisticated setups to manage traffic routing and potentially evade detection. ASEC's analysis of the attackers' infrastructure revealed a global footprint, with victims identified in countries across Asia, Europe, and North America. The use of both RDP exploits and phishing suggests a versatile approach to compromising target systems, highlighting the importance of both patching vulnerabilities and educating users about phishing tactics.
Share:
References :
Classification:
@www.bleepingcomputer.com
//
The North Korean hacking group Kimsuky has been observed using a custom-built RDP Wrapper and proxy tools in recent cyber espionage campaigns. According to reports from the AhnLab Security Intelligence Center (ASEC), these tools enable the group to directly access infected machines and maintain persistent access, representing a shift in tactics from relying solely on noisy backdoors like PebbleDash. The group also utilizes the forceCopy stealer malware.
Kimsuky's attack strategy typically begins with spear-phishing emails containing malicious shortcut (.LNK) files disguised as legitimate documents. When opened, these files execute PowerShell or Mshta scripts to download malware, including the custom RDP Wrapper. This wrapper is designed to bypass security measures by modifying export functions, making it difficult for security tools to detect. The group also uses keyloggers to capture user keystrokes and proxy malware to bypass network restrictions, facilitating remote access to compromised systems even within private networks.
Share:
References :
Classification:
@www.bleepingcomputer.com
//
The North Korean hacking group Kimsuky has been observed in recent attacks employing a custom-built RDP Wrapper and proxy tools to directly access infected machines. A new report by AhnLab's ASEC team details additional malware used by Kimsuky in these attacks, highlighting the group's intensified use of modified tools for unauthorized system access. This cyber espionage campaign begins with spear-phishing tactics, distributing malicious shortcut files disguised as legitimate documents to initiate the infection chain.
These files, often disguised as PDFs or Office documents, execute commands via PowerShell or Mshta to download malware such as PebbleDash and the custom RDP Wrapper, enabling remote control of compromised systems. Kimsuky's custom RDP Wrapper, a modified version of an open-source utility, includes export functions designed to evade detection by security software, facilitating stealthy remote access. In environments where direct RDP access is restricted, Kimsuky deploys proxy malware to bypass network barriers, maintaining persistent access and employing keyloggers and information-stealing malware to exfiltrate sensitive data.
Share:
References :
Classification:
|