N. Korean Hacking Group Has New Malware

Uploaded on 2020-11-13 in FREE TO VIEW

North Korean government-linked hackers have refined their malware tools and expanded their target lists over the past two years. New research from Kaspersky says the North Korean threat actor called Kimusky, have devoted “significant resources” to improving their capabilities and have been attacking governments.  The  Israeli cyber defense company Cybereason also says that it has discovered new malware and spyware also being used  Kimusky. 

Kimusky has spied on governments and private entities in the US, Europe, Japan, South Korea and Russia. Now the researchers have discovered new North Korean malware being used to drive information-stealing attacks against COVID-19 vaccine makers, human rights and other targets.

Kimsuky has been using some new malware in attacks on government agencies and human rights activists.
The attackers, which are also known as Black Banshee, Velvet Chollima, and Thallium, seems to have been active since at least 2012. Previously they mainly targeting think tanks in South Korea, but more recently they have expanded operations to attack the US, Europe, and Russia.

In a newly published Report, Cybereason provides details on two new malware families associated with Kimsuky, namely a previously undocumented modular spyware called KGH, and a new malware downloader called CSPY Downloader. 

KGH is spread via weaponised Word documents in phishing emails and containing multiple spyware modules. Recipients are encouraged to open the attachment, which purports to contain either an interview with a North Korean defector or a letter addressed to former Japanese Prime Minister, Shinzo Abe.

The new malware has already been used in attacks targeting government agencies and human rights activists. Alongside COVID-19 vaccine makers, the group has apparently targeted the UN Security Council, South Korean government, research institutes, think tanks, journalists and the military.

The malware helps attackers determine whether the target system is open to be compromise, and allows them to deploy additional payloads.The new tools show coding to be similar to an earlier Kimsuky malware that the hackers have used in earlier attacks. 

The hacking malware performs keylogging, download additional payloads, and execute arbitrary code, in addition to stealing information from applications such as Chrome, Edge, Firefox, Opera, Thunderbird, and Winscp. 

CSPY Downloader runs a series of checks to determine if a form of debugger is present in the targeted system. Also the document that drops the downloader performs similar checks.

Investigation into the new malware reveals that the attackers modified the creation/compilation timestamps of their new tools, to appear they were created in 2016. “The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques...report, some of the samples mentioned in the report are still not detected by any AV vendor,” Cybereason say.

CERT-CISA:         Israel  Defense:        Security Week:        Cyberscoop:           Infosecurity Magazine:

You Might Also Read: 

Russian Turla Hackers Specialise In Attacking  Government Agencies:

 

« Game-Changing Cyber Security Technology
Using Artificial Intelligence In Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Blue Solutions

Blue Solutions

Blue Solutions is a consultancy-led, accredited software distributor who provides IT solutions and support to small and medium enterprises.

Kenexis

Kenexis

Kenexis is a consulting engineering firm providing services for process hazards analysis, fire and gas mapping, and industrial cybersecurity.

Digitronic Computersysteme

Digitronic Computersysteme

Digitronic focus on innovative software to protect your personal and sensitive corporate data.

NXO France

NXO France

NXO is an independent leader in the integration and management of digital workflows with services covering digital infrastructures, communications & collaboration, and security.

Outsource UK

Outsource UK

Outsource UK is an independent recruitment company supplying highly-skilled technology, change and engineering talent to clients within a range of specialist sectors including Cyber Security.

Get Safe Online

Get Safe Online

Get Safe Online is a leading source of unbiased, factual and easy-to-understand information on online safety.

Altipeak Security

Altipeak Security

Altipeak Security provide Safewalk - a flexible and robust authentication platform through which we offer improved security to SMBs, corporates, banks, insurance companies, healthcare and more.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

Charities Security Forum (CSF)

Charities Security Forum (CSF)

The Charities Security Forum is the premier membership group for information security people working for charities and not-for-profits in the UK.

Nominet

Nominet

Nominet's cyber division offers network detection and response services to governments and enterprises worldwide.

WebOrion

WebOrion

WebOrion is an All-in-One Web Security & Performance Suite. Fortify, accelerate and monitor your website today.

Breadcrumb Cybersecurity

Breadcrumb Cybersecurity

Breadcrumb Cybersecurity is a cybersecurity and advisory firm. We specialize in penetration testing, threat hunting, incident response, regulatory compliance, and employee training services.

Proximity

Proximity

Proximity is a leading professional services organisation providing consulting, legal and commercial advisory solutions with a focus on government and regulated industries.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

Arista Middle East

Arista Middle East

Arista Middle East is part of Global Arista Technologies specializing in OT Cybersecurity.

Camelot Secure

Camelot Secure

Camelot Secure Secure360 platform is a holistic redefinition of what world-class cybersecurity strategies can be. Prepare. Protect. Deploy.

White Knight Labs

White Knight Labs

White Knight Labs is a cyber security consultancy that specializes in cybersecurity training.

CyberMass

CyberMass

CyberMass provides Cyber Advisory/Consulting, Professional and Managed Services offering complete cybersecurity as a service protection to businesses.