Full Report
Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through
Analysis Summary
# Threat Actor: Kimsuky
## Attribution & Identity
State-sponsored threat actor originating from North Korea.
Known aliases: none are given in the source text. Kimsuky is widely tracked by other vendors under names such as APT43 (Mandiant), Emerald Sleet (Microsoft) and Velvet Chollima (CrowdStrike).
## Activity Summary
The reported activity is part of a malicious campaign dubbed **Larva-24005** by ASEC. Initial access is gained either by exploiting the BlueKeep RDP vulnerability (CVE-2019-0708) or by sending phishing emails whose attachments exploit the Equation Editor vulnerability (CVE-2017-11882). The campaign has been active since at least October 2023 and focuses on victims in South Korea and Japan.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of the RDP vulnerability **BlueKeep (CVE-2019-0708)**.
- **Initial Access:** Phishing emails embedding files exploiting **Equation Editor vulnerability (CVE-2017-11882)**.
- **Execution/Persistence:** Leveraging a dropper to install custom malware and tools.
- **Persistence/Remote Access:** Modifying system settings so that the attacker can reach the host over Remote Desktop Protocol (RDP), likely with RDPWrap, which patches the Terminal Services service to permit RDP sessions on editions or configurations where they are otherwise unavailable.
- **Collection:** Deploying keyloggers to capture keystrokes.
- **Discovery:** An RDP vulnerability scanner was found on a compromised system, but there is no confirmation that it was actually used.
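As an added example (not code from the ASEC or Hacker News write-ups), the following PowerShell triage function looks for the markers an embedded Equation Editor object leaves in a document: the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} in raw OLE form and in RTF's hex-encoded \objdata, the \objclass Equation control word, and the "Equation Native" OLE stream name. OOXML containers are inflated so embedded .bin objects are scanned as well. The function names are my own, and the sample RTF written at the bottom is constructed to carry those markers; it is not an exploit document.

```powershell
function Find-EquationEditorMarkers {
    # Emits one line per indicator found in a byte buffer (OLE .doc, RTF, or an inflated zip entry).
    param([byte[]]$Bytes, [string]$Label)

    $latin1 = [System.Text.Encoding]::GetEncoding(28591)   # one byte == one char, so string search == byte search
    $text   = $latin1.GetString($Bytes)

    # Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046} in its on-disk byte order
    $clsid = [byte[]](0x02,0xCE,0x02,0,0,0,0,0,0xC0,0,0,0,0,0,0,0x46)
    if ($text.IndexOf($latin1.GetString($clsid), [StringComparison]::Ordinal) -ge 0) {
        "$Label : raw Equation.3 CLSID bytes (OLE compound file)"
    }
    # Equation Editor keeps its data in an OLE stream named 'Equation Native'; directory names are UTF-16LE
    $stream = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes('Equation Native'))
    if ($text.IndexOf($stream, [StringComparison]::Ordinal) -ge 0) {
        "$Label : 'Equation Native' OLE stream name"
    }
    # RTF: the object class control word, and the CLSID as hex inside \objdata (whitespace is legal in RTF hex)
    if ($text -match '(?i)\\objclass\s*equation') {
        "$Label : \objclass Equation in RTF"
    }
    if (($text -replace '\s', '') -match '(?i)02ce020000000000c000000000000046') {
        "$Label : hex-encoded Equation.3 CLSID in RTF \objdata"
    }
}

function Test-EquationEditorObject {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hits  = @()

    # OOXML (docx/xlsx/pptx) is a zip; embedded OLE objects sit in */embeddings/*.bin, deflate-compressed,
    # so a raw scan of the container would miss them. Inflate and scan each entry instead.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.Length -eq 0) { continue }          # directory placeholders and empty parts
                $ms = New-Object System.IO.MemoryStream
                $es = $entry.Open()
                try { $es.CopyTo($ms) } finally { $es.Dispose() }
                $hits += @(Find-EquationEditorMarkers -Bytes $ms.ToArray() -Label "$Path!$($entry.FullName)")
            }
        } finally { $zip.Dispose() }
    } else {
        $hits += @(Find-EquationEditorMarkers -Bytes $bytes -Label $Path)
    }

    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($hits.Count -gt 0)
        Indicators = $hits
    }
}

# Constructed sample (not an exploit): an RTF carrying the class name and the hex CLSID an Equation object would.
$sampleRtf  = '{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata 0105000002000000 0b000000 4571756174696f6e2e3300 02ce020000000000c000000000000046 }}\par}'
$samplePath = Join-Path ([System.IO.Path]::GetTempPath()) 'larva24005-sample.rtf'
[System.IO.File]::WriteAllText($samplePath, $sampleRtf, [System.Text.Encoding]::ASCII)
Test-EquationEditorObject -Path $samplePath | Format-List
```

Run `Test-EquationEditorObject -Path <file>` against quarantined attachments or a file share. A `Suspicious` result means an Equation Editor object is present, not that it is malicious (legacy documents legitimately embed equations), and RTFs that obfuscate the class name or CLSID will not match, so a clean result is a triage signal rather than a verdict.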
## Targeting
- Sectors: software, energy and financial organizations, specifically in South Korea.
- Geography: Primary targets identified in South Korea and Japan. Other mentioned targeted countries include the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.
- Victims: Specific organizations are not named, only general sectors targeted.
## Tools & Infrastructure
- **Malware families used:**
- MySpy (used for initial system information collection).
- KimaLogger (Keylogger).
- RandomQuery (Keylogger/Information Stealer).
- **Infrastructure (C2, domains, IPs):** No C2 servers, domains or IP addresses are listed in the available text.
## Implications
Kimsuky continues to gain initial access through severe, long-public vulnerabilities such as BlueKeep, which shows that the victims had not applied patches released as far back as 2019 (and, for CVE-2017-11882, 2017). The deployment of keyloggers and an information stealer points to espionage and credential or data theft against the targeted sectors.
## Mitigations
- Apply patches for critical vulnerabilities, especially older, wormable RDP flaws like **CVE-2019-0708 (BlueKeep)**. Where a legacy host cannot be patched, require Network Level Authentication (Microsoft's documented BlueKeep workaround, since the bug is reachable before authentication) and keep RDP off the internet.
- Implement strong email filtering and user awareness training to counter phishing attempts, particularly attachments exploiting document vulnerabilities like **CVE-2017-11882 (Equation Editor)**; Equation Editor should be removed or disabled via its registry kill-bit on hosts that still carry it.
- Monitor systems for the installation and execution of persistence and espionage tools like **MySpy** and keyloggers such as **KimaLogger** and **RandomQuery**.
- Investigate unauthorized changes to RDP settings (for example, RDP being switched on or the Terminal Services service DLL being replaced) and the presence of tools designed to bypass RDP restrictions, such as RDPWrap.
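As an added example (not part of the ASEC or Hacker News text), this read-only PowerShell audit turns the mitigations above into one host check: whether RDP is enabled and requires NLA (Microsoft's documented BlueKeep workaround), whether a Windows 7 / Server 2008 R2 host has the May 2019 BlueKeep update, whether the TermService ServiceDll has been redirected away from termsrv.dll or RDPWrap's default install files exist, and whether the Equation Editor kill-bit (Compatibility Flags 0x400 on the Equation.3 CLSID, Microsoft's CVE-2017-11882 workaround) is set. The KB numbers, RDPWrap paths and the function name are assumptions noted in the comments; run it in an elevated session.

```powershell
function Get-Larva24005HostAudit {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is inbound RDP enabled at all? fDenyTSConnections = 0 means RDP is allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($denyTs -eq 0)
    if ($rdpEnabled) { $findings.Add('RDP is enabled (fDenyTSConnections = 0)') }

    # 2. Network Level Authentication: BlueKeep is reachable pre-auth; NLA forces credentials first.
    $nla = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($rdpEnabled -and $nla -ne 1) { $findings.Add('NLA is not required on RDP-Tcp (UserAuthentication != 1)') }

    # 3. BlueKeep (CVE-2019-0708) affects Windows 7 / 2008 / 2008 R2 / XP / 2003 only (build <= 7601).
    #    Assumption: the May 2019 Win7/2008 R2 SP1 fixes are KB4499175 (security-only) and KB4499164 (rollup);
    #    other legacy builds have their own KB numbers and are flagged for manual confirmation.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -le 7601) {
        $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
        $win7Kbs   = 'KB4499175', 'KB4499164'
        $patched   = ($build -eq 7601) -and ($win7Kbs | Where-Object { $installed -contains $_ })
        if (-not $patched) {
            $findings.Add("Legacy OS build $build with no known BlueKeep fix found (expect $($win7Kbs -join ' or ') on Win7/2008 R2 SP1)")
        }
    }

    # 4. RDPWrap points the TermService ServiceDll at rdpwrap.dll instead of termsrv.dll.
    #    Assumption: default RDP Wrapper install location under Program Files.
    $svcParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $serviceDll = (Get-ItemProperty -Path $svcParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll -and $serviceDll -notmatch '\\termsrv\.dll$') {
        $findings.Add("TermService ServiceDll is not termsrv.dll: $serviceDll")
    }
    foreach ($p in "$env:ProgramFiles\RDP Wrapper\rdpwrap.dll", "$env:ProgramFiles\RDP Wrapper\rdpwrap.ini") {
        if (Test-Path -LiteralPath $p) { $findings.Add("RDPWrap artifact present: $p") }
    }

    # 5. Equation Editor kill-bit: Microsoft's CVE-2017-11882 workaround sets Compatibility Flags = 0x400
    #    on the Equation.3 CLSID (32- and 64-bit hives). EQNEDT32.EXE present without it may still load.
    $eqnClsid = '{0002CE02-0000-0000-C000-000000000046}'
    $killBit  = $false
    foreach ($k in "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$eqnClsid",
                   "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\$eqnClsid") {
        $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -band 0x400) { $killBit = $true }
    }
    $eqnedt = Get-ChildItem -Path "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION",
                                  "$env:CommonProgramFiles\Microsoft Shared\EQUATION" `
                            -Filter EQNEDT32.EXE -ErrorAction SilentlyContinue
    if ($eqnedt -and -not $killBit) {
        $findings.Add("EQNEDT32.EXE present without the 0x400 kill-bit: $($eqnedt.FullName -join ', ')")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = ($nla -eq 1)
        Findings     = $findings
    }
}

Get-Larva24005HostAudit | Format-List
```

An empty `Findings` list means none of the exposure points this campaign relies on were seen; a non-empty one is a prioritized to-do, with the NLA and patch items addressing initial access and the ServiceDll and RDPWrap items indicating that access may already have been established.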