The Hacker News

on Thursday, 12 September 2013

Kaspersky revealed "Kimsuky" Cyber Espionage campaign targeting South Korea
9/12/2013 8:05:00 AM

Russian security firm Kaspersky Lab has revealed that it has been tracking a sustained attack on South Korea by hackers apparently based in North Korea.
This new cyber espionage campaign, dubbed "Kimsuky", has targeted several South Korean think tanks. Researchers believe the Kimsuky malware is most likely delivered via spear-phishing e-mails and that it uses multiple "drop box" e-mail accounts.

"It's interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following "kim" names: kimsukyang and "Kim asdfa"."

The Kaspersky researchers revealed that the operation presents distinctive characteristics in its execution and logistics. The investigation started after the team of experts detected an unsophisticated spy program that communicated with its control server via a public e-mail server, an approach common among amateur malware authors.

Victims download a Trojan dropper, which in turn fetches additional malware with the following espionage capabilities: keystroke logging, directory listing collection, remote control access and theft of HWP (Hangul Word Processor) documents.

The full debug path found in the malware contains some Korean strings:

D:\rsh\??\UAC_dll(??)\Release\test.pdb

The word "rsh" appears to be an abbreviation of "Remote Shell", and the Korean words translate into English as "attack" and "completion", i.e.:

D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb

At system startup, the basic library disables the system firewall and any firewall produced by the South Korean security vendor AhnLab. The malware does not include a custom backdoor; instead the attackers modified a TeamViewer client to serve as the remote control module.

Bot agents communicate with the C&C through the Bulgarian web-based free e-mail service mail.bg, using hard-coded credentials for an e-mail account. After authenticating, the malware sends e-mails to another specified address and reads e-mails from the inbox.
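The e-mail-relay C&C and the two drop-box addresses quoted above give a defender two concrete things to look for: direct mail-protocol sessions from workstations to mail.bg, and outbound messages addressed to the drop-box accounts. The following is an added example, not code from the article or from Kaspersky, that runs that check over constructed sample log lines; the log format (a simplified connection record and a simplified mail-gateway record) is an assumption.

```python
"""Flag hosts showing the Kimsuky e-mail C&C pattern described in the article."""
import re
from collections import defaultdict

# Indicators named in the article: the public mail service used as the C&C
# relay and the two Hotmail drop-box accounts.
C2_MAIL_DOMAINS = {"mail.bg"}
DROP_BOX_ADDRESSES = {"iop110112@hotmail.com", "rsh1213@hotmail.com"}
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}

# Constructed sample log (not real traffic). Assumed formats:
#   "<ts> <src> <dst> <port> <proto>"      connection record
#   "<ts> <src> MAIL rcpt=<address>"       mail-gateway record
SAMPLE_LOG = """\
2013-09-12T08:01:02 10.0.0.5 mail.bg 995 tcp
2013-09-12T08:01:09 10.0.0.5 mail.bg 465 tcp
2013-09-12T08:02:00 10.0.0.9 www.example.org 443 tcp
2013-09-12T08:03:11 10.0.0.5 MAIL rcpt=rsh1213@hotmail.com
2013-09-12T08:04:20 10.0.0.7 MAIL rcpt=alice@example.org
"""

CONN_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")
MAIL_RE = re.compile(r"^(\S+) (\S+) MAIL rcpt=(\S+)$")


def analyse(log_text):
    """Return {source_host: [reasons]} for hosts matching the C&C pattern."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, port, _proto = m.groups()
            # Workstations normally talk to the corporate mail server; a direct
            # POP/IMAP/SMTP session to a public webmail host is the tell.
            if dst.lower() in C2_MAIL_DOMAINS and int(port) in MAIL_PORTS:
                findings[src].append(f"{ts} mail session to C&C relay {dst}:{port}")
            continue
        m = MAIL_RE.match(line)
        if m:
            ts, src, rcpt = m.groups()
            if rcpt.lower() in DROP_BOX_ADDRESSES:
                findings[src].append(f"{ts} message to drop-box account {rcpt}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  ", reason)
```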

The espionage campaign appears to originate in North Korea. The researchers identified 10 IP addresses indicating that the attackers used networks in China's Jilin and Liaoning provinces, which border North Korea.

The attackers targeted 11 organizations based in South Korea and two entities in China, including the Sejong Institute, the Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the Supporters of Korean Unification.


Author details

is Company Director, Researcher, Security Evangelist, Security Analyst and Freelance Writer, a security expert with over 20 years of experience in the field. The passion for writing and a strong belief that security is founded on sharing and awareness led me to found the security blog 'Security Affairs'. He is also author of the book "The Deep Dark Web".
