N. Korean Hacking Group Has New Malware

Uploaded on 2020-11-13 in FREE TO VIEW

North Korean government-linked hackers have refined their malware tools and expanded their target lists over the past two years. New research from Kaspersky says the North Korean threat actor called Kimusky, have devoted “significant resources” to improving their capabilities and have been attacking governments.  The  Israeli cyber defense company Cybereason also says that it has discovered new malware and spyware also being used  Kimusky. 

Kimusky has spied on governments and private entities in the US, Europe, Japan, South Korea and Russia. Now the researchers have discovered new North Korean malware being used to drive information-stealing attacks against COVID-19 vaccine makers, human rights and other targets.

Kimsuky has been using some new malware in attacks on government agencies and human rights activists.
The attackers, which are also known as Black Banshee, Velvet Chollima, and Thallium, seems to have been active since at least 2012. Previously they mainly targeting think tanks in South Korea, but more recently they have expanded operations to attack the US, Europe, and Russia.

In a newly published Report, Cybereason provides details on two new malware families associated with Kimsuky, namely a previously undocumented modular spyware called KGH, and a new malware downloader called CSPY Downloader. 

KGH is spread via weaponised Word documents in phishing emails and containing multiple spyware modules. Recipients are encouraged to open the attachment, which purports to contain either an interview with a North Korean defector or a letter addressed to former Japanese Prime Minister, Shinzo Abe.

The new malware has already been used in attacks targeting government agencies and human rights activists. Alongside COVID-19 vaccine makers, the group has apparently targeted the UN Security Council, South Korean government, research institutes, think tanks, journalists and the military.

The malware helps attackers determine whether the target system is open to be compromise, and allows them to deploy additional payloads.The new tools show coding to be similar to an earlier Kimsuky malware that the hackers have used in earlier attacks. 

The hacking malware performs keylogging, download additional payloads, and execute arbitrary code, in addition to stealing information from applications such as Chrome, Edge, Firefox, Opera, Thunderbird, and Winscp. 

CSPY Downloader runs a series of checks to determine if a form of debugger is present in the targeted system. Also the document that drops the downloader performs similar checks.

Investigation into the new malware reveals that the attackers modified the creation/compilation timestamps of their new tools, to appear they were created in 2016. “The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques...report, some of the samples mentioned in the report are still not detected by any AV vendor,” Cybereason say.

CERT-CISA:         Israel  Defense:        Security Week:        Cyberscoop:           Infosecurity Magazine:

You Might Also Read: 

Russian Turla Hackers Specialise In Attacking  Government Agencies:

 

« Game-Changing Cyber Security Technology
Using Artificial Intelligence In Business »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CERT.GOV.AZ

CERT.GOV.AZ

Azerbaijan Government Computer Incident Response Team

Magic Software Enterprises

Magic Software Enterprises

Magic provide Mobile Device Management (MDM) for Secure Enterprise Mobility. Magic MDM overcomes the challenges of mobile device management security by protecting all of your devices, data and content

RiskLens

RiskLens

RiskLens is a software company that specializes in the quantification of cybersecurity risk.

MaxMind

MaxMind

MaxMind is an industry-leading provider of IP intelligence and online fraud detection tools.

Norwegian Center for Information Security (NorSIS)

Norwegian Center for Information Security (NorSIS)

NorSIS) is an independent organization that works to increase knowledge and understanding of information security for businesses and individuals.

SecureNinja

SecureNinja

SecureNinja provides professional training, certifications & professional services related to all facets of Information Technology and Cyber Security.

Vector Informatik

Vector Informatik

Vector Informatik is a specialist in automotove electronics and provides services, embedded software and tools for securing embedded systems against cyber-attacks.

British Security Industry Association - CySPAG

British Security Industry Association - CySPAG

CySPAG is a special interest group within the British Security Industry Association (BSIA) focused on reducing the risk of product related cybercrime.

Software Diversified Services (SDS)

Software Diversified Services (SDS)

SDS provides the highest quality mainframe software and award-winning, expert service with an emphasis on security, encryption, monitoring, and data compression.

CyberNet Albania

CyberNet Albania

Cybernet Albania has been providing IT support and services to small businesses since 2016. We strive to eliminate your IT issues before they cause downtime and impact your operations.

CyberLab

CyberLab

CyberLab (formerly Chess) is a specialist cyber security company that provides a wide range of security solutions and services.

11:11 Systems

11:11 Systems

11:11 Systems synchronizes every aspect of network services for your business. Build your network with the industry’s most trusted expert skills.

HEQA Security

HEQA Security

HEQA Security (formerly QuantLR) offer the world’s most cost-effective, easy-to-integrate, and secure Quantum Key Distribution (QKD) solution

Galvanick

Galvanick

Galvanick enables your operations and IT teams to protect your industrial systems and networks against digital threats.

Anatomy IT

Anatomy IT

Anatomy IT empowers healthcare providers to deliver exceptional patient care with cutting-edge technology and cybersecurity solutions.

CyFlare

CyFlare

CyFlare’s security platform integrates your tools with ours – delivering true positives, automated remediation, and interactive analytics built for security management teams.