Kaspersky reveals Kimsuky operation that is targeting South Korea

After months of investigation security researchers from Kaspersky have detected a new cyber espionage campaign dubbed Kimsuky that targeted South Korean organizations.

Kaspersky experts have discovered a new cyber espionage campaign dubbed Kimsuky due the names “kim” used by hackers for drop box email accounts during in the attacks.

“It’s interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following “kim” names: kimsukyang and “Kim asdfa”.”

The Kimsuky cyber espionage campaign appears to be originated in North Korea and hit numerous organizations, eleven of which located in the South Korea and two in China, including the Korea Institute For Defense Analyses (KIDA), The Sejong Institute, the Hyundai Merchant Marine and the Ministry of Unification.

According security experts the cyber criminals are interesting to collect information on international affairs  from organizations that support groups for Korean unification and produce defense policies for government, national shipping company and universities.

The Kaspersky researchers revealed that the operation presents distinctive characteristics in its execution and logistics. The investigation started after the team of experts detected an unsophisticated spy program that communicated with it control server via a public e-mail server, an approach followed by too many amateur malware authors.

However, there were a few things that attracted our attention:

• The public e-mail server in question was Bulgarian – mail.bg.
• The compilation path string contained Korean hieroglyphs.

These two facts compelled us take a closer look at this malware — Korean compilers alongside Bulgarian e-mail command-and-control communications. The complete path found in the malware presents some Korean strings:

D:\rsh\공격\UAC_dll(완성)\Release\test.pdb

The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:

D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb

The attackers infected victims with a malware able to remote controls the PC, logging keystrokes, stealing HWP documents ans collecting directory listings. At system startup, the basic library disables the system firewall and any firewall produced by the South Korean security product vendor AhnLab.

The bot agents communicate with C&C through the Bulgarian web-based free email server (mail.bg), it  maintains a hard coded credentials for its e-mail account. After authenticating, the malware sends emails to another specified email address, and reads emails from the Inbox.  Malware authors have implemented these procedures via the “mail. bg” web-interface with the use of the system Wininet API functions.

The Kaspersky team revealed that the campaign isn’t extended and despite it is not clear the vector used for malware diffusion it is likely that hackers served it via spear phishing emails.

The IP addresses used by the cyber criminals are all in ranges of China’s Jilin Province Network and the Liaoning Province Network, but the ISPs covering these areas maintain lines in North Korea.

 

All the evidences collected led security researchers to suppose that the attackers behind Kimsuky operation are based in North Korea.