Full Report
AhnLab SEcurity intelligence Center (ASEC) has identified the behavior of Larva-24005 breaching servers in Korea and then establishing a web server, database, and PHP environment for sending phishing emails. Larva-24005 is using the attack base to target not only South Korea but also Japan. The main targets are those who are involved in North […]
Analysis Summary
# Threat Actor: Larva-24005
## Attribution & Identity
Larva-24005 is identified as a **sub-group of the Kimsuky threat group**, which is known to receive support from North Korea. The threat actor naming follows AhnLab’s naming system.
## Activity Summary
Larva-24005 is actively breaching servers in Korea to establish an attack infrastructure primarily for sending sophisticated phishing emails. The group targets entities involved with North Korea and university professors researching the North Korean regime in both **South Korea and Japan**. The actor breaches systems, installs necessary components (web server, database, PHP environment), and then executes spear-phishing campaigns using URLs disguised as ZOOM meeting links or legitimate web portal logins. They conduct reconnaissance by searching keywords on Google and utilizing compromised email inboxes to identify further targets.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting the **BlueKeep vulnerability (CVE-2019-0708)** on older Windows systems (< Windows 2008 R2) to gain Remote Desktop Protocol (RDP) access. They may also use brute force or previously obtained credentials.
- **Persistence/Internal Reconnaissance:** Installing **RDPWrap** to activate RDP connections and deploying a **group-developed keylogger**.
- **Infrastructure Setup:** Installing **XAMPP** (Apache, MariaDB, PHP, Perl) to run a web server environment for C2 management.
- **Phishing Implementation:** Installing **PHPMailer** for sending phishing emails.
- **Credential Theft:** Setting up personalized phishing pages disguised as legitimate services (iCloud, OneDrive, Outlook, Naver, Google, Microsoft login) to steal credentials.
- **Language Customization:** Installing a **Japanese Input Method Editor (IME)**, suggesting targeted effort for the Japanese victim base.
- **Lateral Movement/Data Exfiltration:** Using compromised credentials to access web portals and email platforms (e.g., Outlook) to search for additional targets and information.
## Targeting
- **Sectors:** Academia (university professors researching the North Korean regime), Non-Profit Organizations.
- **Geography:** South Korea and Japan.
- **Victims:** University professors, organizations involved in relations or research concerning North Korea.
## Tools & Infrastructure
- **Malware families used:** Group-developed keylogger.
- **Software/Utilities:** XAMPP, PHPMailer, RDPWrap, Japanese Input Method Editor (IME).
- **Infrastructure (C2, domains, IPs):**
  - C2 server established using the XAMPP environment.
  - Used compromised Kakao and Daum email accounts for sending phishing emails (e.g., `[email protected]`, `[email protected]`).
  - Utilized a compromised Japanese Biglobe email account (e.g., `f*****[email protected]`).
  - Used subdomains related to legitimate entities to mask C2, such as one leveraging the domain `polypheou[.]jp`.
- **Defanged URLs/Domains:**
  - http://auth[.]portal[.]pikara[.]ne[.]polypheou[.]jp/
  - http://download[.]mail[.]naver[.]corn-file[.]kro[.]kr/
  - http://t[.]infomail[.]microsofit[.]com[.]polypheou[.]jp/
  - http://us06web[.]zoom[.]us[.]meet[.]polypheou[.]jp/
  - http://www3[.]icloud[.]vbox[.]l[.]up[.]tcmp[.]polypheou[.]jp/
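Every lure hostname above puts a trusted brand (zoom.us, naver.com, pikara.ne.jp, icloud, a misspelled microsoft) in the left-hand labels while the registrable domain is the actor's own (polypheou.jp, corn-file.kro.kr). The check below is an added illustration of how a mail gateway or URL-rewriting log review can catch that pattern; it is not code from the ASEC report. It refangs the listed indicators, extracts the registrable domain with a simplified public-suffix heuristic, and flags any label that matches or nearly matches a brand name when the registrable domain is not one that brand actually uses. The brand-to-domain map, the second-level suffix list, the edit-distance threshold and the two legitimate contrast URLs are assumptions constructed for this example.

```python
"""Brand-impersonation check for phishing URLs.

Added example, not code from the ASEC report. The brand map, the
second-level suffix list and the edit-distance threshold are assumptions;
a production tool would use the Public Suffix List (e.g. the tldextract
package) instead of the heuristic in split_host().
"""
from urllib.parse import urlsplit

# Assumed map of lure brands to the registrable domains they really use.
LEGIT_DOMAINS = {
    "zoom": {"zoom.us"},
    "naver": {"naver.com"},
    "icloud": {"icloud.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "outlook.com"},
    "onedrive": {"onedrive.com", "live.com"},
    "google": {"google.com"},
    "pikara": {"pikara.ne.jp"},
}

# Assumed subset of second-level labels used under two-letter country codes
# (co.jp, ne.jp, co.kr, ...). kro.kr is a free dynamic-DNS suffix.
SECOND_LEVEL = {"co", "ne", "or", "ac", "go", "kro"}

MAX_EDIT_DISTANCE = 1  # catches "microsofit" vs "microsoft"


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so a plain DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (registrable_domain, labels left of the public suffix).

    Heuristic: the public suffix is the last label, or the last two when a
    two-letter ccTLD is preceded by a label listed in SECOND_LEVEL.
    """
    labels = host.lower().rstrip(".").split(".")
    two_part = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL
    n_suffix = 2 if two_part else 1
    registrable = ".".join(labels[-(n_suffix + 1):])
    return registrable, labels[:-n_suffix]


def analyze(url: str):
    """Return (registrable_domain, sorted list of brands the host impersonates)."""
    host = urlsplit(refang(url)).hostname or ""
    registrable, labels = split_host(host)
    hits = set()
    for label in labels:
        for brand, legit in LEGIT_DOMAINS.items():
            lookalike = brand in label or levenshtein(label, brand) <= MAX_EDIT_DISTANCE
            if lookalike and registrable not in legit:
                hits.add(brand)
    return registrable, sorted(hits)


# The defanged URLs from the report, plus two constructed legitimate URLs for contrast.
SAMPLE_URLS = [
    "http://auth[.]portal[.]pikara[.]ne[.]polypheou[.]jp/",
    "http://download[.]mail[.]naver[.]corn-file[.]kro[.]kr/",
    "http://t[.]infomail[.]microsofit[.]com[.]polypheou[.]jp/",
    "http://us06web[.]zoom[.]us[.]meet[.]polypheou[.]jp/",
    "http://www3[.]icloud[.]vbox[.]l[.]up[.]tcmp[.]polypheou[.]jp/",
    "https://us06web.zoom.us/j/1234567890",      # constructed, legitimate
    "https://login.microsoftonline.com/",        # constructed, legitimate
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        registrable, brands = analyze(sample)
        verdict = "IMPERSONATES " + ", ".join(brands) if brands else "no brand mismatch"
        print(f"{registrable:22} {verdict:26} {sample}")
```

The edit-distance rule is deliberately loose and will produce false positives on short labels (a four-letter label one character away from "zoom", for instance), so treat the output as a triage aid rather than a blocking rule, and replace the suffix heuristic with the Public Suffix List before running it against real mail-gateway logs.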
## Implications
Larva-24005/Kimsuky remains a persistent and sophisticated threat actively focused on espionage related to North Korea. Their deployment of spear-phishing, targeting highly specific academic and politically sensitive targets, combined with technical exploitation of older RDP vulnerabilities (BlueKeep), poses a significant risk to targeted organizations, particularly those running unpatched legacy systems. The use of personalized phishing lures and compromised domains indicates a high degree of planning.
## Mitigations
- **Patch Management:** Immediately apply patches or utilize workarounds for the **BlueKeep vulnerability (CVE-2019-0708)**, especially on older operating systems (pre-Windows 2008 R2).
- **RDP Hardening:** Restrict RDP access via network segmentation and enforce strong multi-factor authentication (MFA) if RDP must be exposed.
- **Email Security:** Train personnel to meticulously scrutinize sender addresses, especially when encountering links claiming to be from internal services, Microsoft, or requiring web portal logins. Verify URLs before clicking.
- **Endpoint Detection:** Monitor for the installation and execution of utilities like RDPWrap and keyloggers, or unexpected installations like Japanese IMEs on standard servers.
- **Infrastructure Monitoring:** Implement robust security monitoring for web server environments (like XAMPP) for configuration changes or unexpected file creation (e.g., PHPMailer logs or phishing content).
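One concrete way to implement the web-root monitoring in the last item, added here as an example and not taken from the ASEC report: hash every file under the web root into a baseline, diff later runs against it, and highlight additions that look like a dropped mailer library or a login page. The sample files, the triage keywords and the in-memory scenario are constructed for this example; the only real-world value assumed is that a default XAMPP install serves from C:\xampp\htdocs, which is XAMPP's documented default rather than something the report states.

```python
"""Baseline-and-diff integrity check for a web root such as XAMPP's htdocs.

Added example, not code from the ASEC report. The sample files, triage
keywords and paths are constructed for illustration; a real deployment
would store the baseline off-host (an attacker with RDP can edit a local
one) and run the diff on a schedule. Point hash_tree() at C:\\xampp\\htdocs
on a default XAMPP install.
"""
import hashlib
import json
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def save_baseline(root: str, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(hash_tree(root), fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_against_baseline(root: str, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline."""
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


# Assumed heuristics: names typical of a dropped mailer library or a phishing page.
LOGIN_WORDS = ("login", "signin", "auth", "account", "verify")


def triage(changes: dict) -> list:
    """Return [(path, [reasons])] for changes that deserve a human look."""
    flagged = []
    for rel in changes["added"] + changes["modified"]:
        low = rel.lower()
        reasons = []
        if "phpmailer" in low:
            reasons.append("mailer library")
        if rel in changes["added"] and low.endswith(".php"):
            reasons.append("new PHP file")
        if rel in changes["modified"]:
            reasons.append("existing file modified")
        if any(word in low for word in LOGIN_WORDS):
            reasons.append("login-page name")
        if reasons:
            flagged.append((rel, reasons))
    return flagged


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: a clean web root is baselined, then a mailer
    library and a fake login page appear and index.php is altered."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php echo 'site'; ?>")
        _write(root, "css/site.css", "body { margin: 0 }")
        baseline_path = os.path.join(store, "htdocs-baseline.json")
        save_baseline(root, baseline_path)
        # Simulated post-compromise changes (constructed for the example).
        _write(root, "phpmailer/src/PHPMailer.php", "<?php class PHPMailer {} ?>")
        _write(root, "icloud/login.php", "<?php /* credential-harvesting form */ ?>")
        _write(root, "index.php", "<?php header('Location: /icloud/login.php'); ?>")
        changes = diff_against_baseline(root, load_baseline(baseline_path))
        return changes, triage(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    print(json.dumps(changes, indent=2))
    for path, reasons in flagged:
        print(f"REVIEW {path}: {', '.join(reasons)}")
```

Pair this with the Apache and MariaDB logs that XAMPP already writes: a new PHP file appearing at the same time as outbound SMTP connections or a burst of POST requests to a login-named page is the combination worth alerting on, not either signal alone.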