Kaspersky experts have revealed a new cyber espionage effort being dubbed Kimsuky due the names “kim” used by hackers for Dropbox email accounts during in the attacks.
“It’s interesting that the drop box mail accounts [email protected] and [email protected] are registered with the following “kim” names: kimsukyang and ‘Kim asdfa’.”
The Kimsuky cyber espionage campaign seems to have been developed in North Korea and hit many systems, eleven of which located in the South Korea and two in China, including the Korea Institute For Defense Analyses (KIDA), The Sejong Institute, the Hyundai Merchant Marine and the Ministry of Unification.
The researchers discovered that the campaign portrays distinctive features in its execution and logistics. The investigation started after the team of experts noticed an unsophisticated spy program that transmitted with a control server via a public email host, an approach of too many amateur malware authors.
However, there were a few things that attracted our attention:
- The public e-mail server in question was Bulgarian – mail.bg.
- The compilation path string contained Korean hieroglyphs.
These two facts compelled us take a closer look at this malware — Korean compilers alongside Bulgarian e-mail command-and-control communications. The complete path found in the malware presents some Korean strings:
D:\rsh\공격\UAC_dll(완성)\Release\test.pdb
The “rsh” word, by all appearances, means a shortening of “Remote Shell” and the Korean words can be translated in English as “attack” and “completion”, i.e.:
D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
The attackers infected victims with a malware able to remote controls the PC, logging keystrokes, stealing HWP documents and collecting directory listings. At system startup, the basic library disables the system firewall and any firewall produced by the South Korean security product vendor AhnLab.
The bot agents communicate with the C&C through the Bulgarian web-based free email server (mail.bg), and contains the credentials for its e-mail account hardcoded into the malware itself.
All the evidences collected led security researchers to suppose that the attackers behind Kimsuky operation are based in North Korea.