Researchers Uncover Kimsuky Espionage Campaign Against South Korea

Kaspersky Lab has discovered an espionage campaign called Kimsuky originating in North Korea targeting government think tanks in South Korea.

For the time being, things on the Korean peninsula may have quieted down politically and militarily. But hackers on both sides continue to take shots at each other.

The latest salvo appears to be coming from North Korea, which has been conducting an extensive espionage campaign against specific targets in the South. Researchers at Kaspersky Lab’s Global Research and Analysis Team have been monitoring malware attacks targeting government and military think tanks in the South, as well as a shipping services company.

The Kimsuky Operation—so-named after the Hotmail email addresses used as drop points for stolen data—so far has targeted data from international affairs research groups at South Korean universities, government defense policy think tanks, the national shipping company of South Korea, and groups supporting Korean unification. All of those targets would be of interest to the North Koreans, researchers at Kaspersky said, adding also that IP addresses involved in the attacks are located in China and the ISPs providing access in these attacks also maintain lines into the North.

Researcher Dmitry Tarakanov wrote in a blog post on Securelist this morning that the team was ready to ignore these attacks as amateurish until they noticed two things: a public mail server maintained in Bulgaria was serving as a command and control server in the campaign, and a compilation path string contained Korean hieroglyphs that translate to “remote shell,” “attack” and “completion.”

“There are a lot of minimal malicious programs involved in this campaign, but strangely they each implement a single spying function,” Tarakanov wrote.

The malware used in these attacks performs a number of functions that help the attackers spy on victims, harvest data and report it back. Separate modules in the campaign include a keystroke logger, directory listing collector, HWP document theft, remote control download and execution, and remote control access modules.

Tarakanov said the initial infection points are as yet unknown, but he speculates that part of the campaign is initiated via spear phishing emails. Victims download a Trojan dropper which is used to download additional malware.

“It does not maintain exports and simply delivers another encryption library maintained in its resource section,” Tarakanov wrote. “The second library performs all the espionage functionality.”

Once the malware is on a victim’s machine, it will, at startup, disable the system firewall and an AhnLab firewall if it’s present; AhnLab is a South Korean security vendor. Windows Security Center is also shut off. The malware then begins communicating with the operator through the Bulgarian free webmail service.

The campaign uses a run-of-the-mill keylogger, similar in format to the Madi malware, Kaspersky researchers said. As for the directory listing capability, researchers saw one sample collector infected with a virus of Chinese origin known as Viking.

“For the attackers, this is certainly a big failure,” Tarakanov wrote. “Not only does the original spying program have marks of well-known malware that can be detected by antimalware products; moreover the attackers are revealing their secret activities to cybercriminal gangs. However, by all appearances, the attackers noticed the unwanted addition to their malware and got rid of the infection.”

The campaign also focuses on stealing HWP documents; HWP is a file format similar to Microsoft Word and is from the Hancom Office bundle, widely used in South Korea. This particular module, however, does not search for HWP files on an infected computer, but only interacts with those opened by the user and then steals them.

“This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits,” Tarakanov said.

Tarakanov also notes that the malware does not include a custom backdoor; instead, the attackers modified a TeamViewer client as a remote control module. Three executables are delivered via email; two are TeamViewer components and the third is a backdoor loader.
