Full Report
1) Introduction

During the breach investigation process, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005. The threat actors exploited the RDP vulnerability to infiltrate the system. They then changed the system configuration by installing the MySpy malware and RDPWrap to create […]
Analysis Summary
# Threat Actor: Larva-24005
## Attribution & Identity
* **Primary Association:** Related to the **Kimsuky** threat actor group.
* **Investigator:** Discovered by the AhnLab Security intelligence Center (ASEC).
* **Naming:** Referred to as Larva-24005 operations by ASEC.
## Activity Summary
Larva-24005 is a relatively new operation linked to Kimsuky, discovered during a breach investigation. The operation involves exploiting RDP vulnerabilities for initial access, followed by establishing persistent remote access and deploying keylogging capabilities. Historical analysis indicates connections to previous Kimsuky activity, such as the exploitation of the BlueKeep vulnerability to leak information from Korean systems. Phishing campaigns targeting entities in South Korea and Japan have been ongoing.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting the **BlueKeep vulnerability (CVE-2019-0708)** in RDP. Also used spear phishing emails and exploited the **Microsoft Office Equation Editor vulnerability (CVE-2017-11882)**.
* **Execution/Persistence:** Used a dropper to install **MySpy** malware and **RDPWrap**. Modified system settings to ensure continuous RDP access. RDP scanning tools (RDPScanner CLI and GUI variants) were also found.
* **Collection:** Infected systems with **KimaLogger** or **RandomQuery** keyloggers to record user keyboard inputs.
* **Defense Evasion/System Configuration:** Utilized **RDPWrap** and **RDPEnabler** to change RDP-related settings.
**MITRE ATT&CK IDs Mentioned:** T1003, T1021.001, T1039, T1056.001, T1059.003, T1070.001, T1070.006, T1070.007, T1133, T1136.001, T1190, T1204, T1546.008, T1560.001, T1564.002, T1567.002, T1569.002, T1583.004, T1588.006, T1595.002, T1596.005.
## Targeting
* **Sectors:** Software, Energy, and Financial industries.
* **Geography:** Primary focus on **South Korea**. Attacks confirmed in **South Korea, the United States, China, Japan, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland**.
* **Victims:** Specific mention of South Korean software companies, energy sector entities, and financial institutions.
## Tools & Infrastructure
* **Malware Families Used:**
  * MySpy (Remote Control)
  * KimaLogger (Keylogger)
  * RandomQuery (Keylogger)
  * RDPWrap (Remote Control/Enabler)
  * Downloader/Dropper components (DroppeR, RDPLoader)
  * RDPScanner (CLI and GUI types for vulnerability scanning)
  * RDPEnabler
* **Infrastructure:**
  * **Domains:** `r-e[.]kr`, `kro[.]kr` (confirmed use of Korean servers as main C2).
  * **FQDNs/URLs:** `access-apollo-page[.]r-e[.]kr`, `access-apollo-star7[.]kro[.]kr`, `access-mogovernts[.]kro[.]kr`, `apollo-page[.]r-e[.]kr`, `apollo-star7[.]kro[.]kr`.
  * **Malicious URLs (Defanged):**
    * http[:]//star7[.]kro[.]kr/login/help/show[.]php?_Dom=991
    * http[:]//star7[.]kro[.]kr/login/img/show[.]php?uDt=177
    * http[:]//www[.]sign[.]in[.]mogovernts[.]kro[.]kr/rebin/include[.]php?_sys=7
## Implications
This operation demonstrates the persistent threat posed by the Kimsuky group, which combines mature techniques with exploitation of old, well-known vulnerabilities (BlueKeep, CVE-2019-0708) for initial access. The focus on critical infrastructure (Energy, Finance) in South Korea, along with the deployment of RDP persistence tools and comprehensive keylogging, suggests that intelligence gathering and deep system compromise are the primary goals. The continued reliance on East Asian infrastructure for C2 indicates a sustained regional operational focus.
## Mitigations
* Immediately patch or mitigate all systems against the **BlueKeep vulnerability (CVE-2019-0708)**, prioritizing any host that exposes an RDP service.
* Implement strict firewall rules to limit RDP access only to necessary source IPs, regardless of known vulnerability status.
* Enhance endpoint detection and response (EDR) capabilities to monitor for the installation and execution of remote access tools like RDPWrap and custom keyloggers (KimaLogger/RandomQuery).
* Review system configurations for unauthorized changes to RDP settings (e.g., ensuring RDPEnabler or similar tools have not modified local policies).
* Increase scrutiny of both internal and external email, looking for attachments related to scanning tools or Office documents that might exploit CVE-2017-11882.
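The RDP configuration review and firewall-scope checks above can be scripted. The following PowerShell audit is an added example, not code from the ASEC report; it reads the standard Terminal Server registry values, checks whether the TermService host DLL has been redirected the way RDPWrap does, and lists inbound Remote Desktop firewall rules whose remote address is unrestricted. The RDPWrap install path is an assumption based on that tool's default installer.

```powershell
# Added example (not from the ASEC report): audit the RDP settings named in the
# mitigations. Run elevated on the host under review.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$findings = @()

# 1) Is RDP enabled at all? fDenyTSConnections = 0 means the listener is on.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections=0); confirm this host needs it.' }

# 2) Network Level Authentication. Microsoft's CVE-2019-0708 advisory lists NLA as a
#    partial mitigation, since the flaw is reachable before authentication.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings += 'NLA is not required (UserAuthentication != 1).' }

# 3) RDPWrap works by pointing TermService's ServiceDll at its own DLL;
#    the legitimate value ends in termsrv.dll.
$svcDll = (Get-ItemProperty -Path $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($svcDll -and $svcDll -notmatch '\\termsrv\.dll$') {
    $findings += "TermService ServiceDll is '$svcDll' instead of termsrv.dll (RDPWrap-style hook)."
}
# Default RDPWrap location (assumed from the tool's installer; adjust if needed).
$wrapDll = Join-Path $env:ProgramFiles 'RDP Wrapper\rdpwrap.dll'
if (Test-Path $wrapDll) { $findings += "RDPWrap binary present: $wrapDll" }

# 4) Firewall scope: the built-in 'Remote Desktop' rules default to RemoteAddress = Any.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += "Firewall rule '$($_.DisplayName)' allows RDP from Any; restrict to required source IPs."
        }
    }

if ($findings.Count -eq 0) { 'No RDP hardening findings.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A ServiceDll that is not termsrv.dll, or an rdpwrap.dll on disk, is a strong indicator that RDP has been re-enabled or multiplexed outside of normal administration and should be investigated, not just corrected.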