N. Korean Hacking Group Has New Malware

North Korean government-linked hackers have refined their malware tools and expanded their target lists over the past two years. New research from Kaspersky says the North Korean threat actor known as Kimsuky has devoted "significant resources" to improving its capabilities and has been attacking governments. The Israeli cyber defense company Cybereason also says that it has discovered new malware and spyware being used by Kimsuky.

Kimsuky has spied on governments and private entities in the US, Europe, Japan, South Korea and Russia. Now researchers have discovered new North Korean malware being used to drive information-stealing attacks against COVID-19 vaccine makers, human rights organisations and other targets.

Kimsuky has been using new malware in attacks on government agencies and human rights activists.
The attackers, also known as Black Banshee, Velvet Chollima and Thallium, appear to have been active since at least 2012. Previously they mainly targeted think tanks in South Korea, but more recently they have expanded operations to attack the US, Europe and Russia.

In a newly published report, Cybereason provides details on two new malware families associated with Kimsuky: a previously undocumented modular spyware called KGH, and a new malware downloader called CSPY Downloader.

KGH is spread via weaponised Word documents attached to phishing emails and contains multiple spyware modules. Recipients are encouraged to open the attachment, which purports to contain either an interview with a North Korean defector or a letter addressed to former Japanese Prime Minister Shinzo Abe.

The new malware has already been used in attacks targeting government agencies and human rights activists. Alongside COVID-19 vaccine makers, the group has apparently targeted the UN Security Council, the South Korean government, research institutes, think tanks, journalists and the military.

The malware helps attackers determine whether the target system is open to compromise, and allows them to deploy additional payloads. The new tools share code with earlier Kimsuky malware that the hackers have used in previous attacks.

The malware performs keylogging, downloads additional payloads and executes arbitrary code, in addition to stealing information from applications such as Chrome, Edge, Firefox, Opera, Thunderbird and WinSCP.

CSPY Downloader runs a series of checks to determine whether a debugger is present on the targeted system. The document that drops the downloader performs similar checks.

Investigation into the new malware reveals that the attackers modified the creation/compilation timestamps of their new tools so that they appear to have been created in 2016. "The threat actors invested efforts in order to remain under the radar, by employing various anti-forensics and anti-analysis techniques which included backdating the creation/compilation time of the malware samples to 2016, code obfuscation, anti-VM and anti-debugging techniques...report, some of the samples mentioned in the report are still not detected by any AV vendor," Cybereason says.
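As an added illustration of the backdating point, and not code from the article or from Cybereason's report: a small Python triage helper that reads the COFF compile timestamp straight out of a PE header and compares it with the date the sample was first observed. The stub PE bytes, the first-seen dates and the 365-day threshold are constructed assumptions for the example.

```python
# Added example (not from the article or the Cybereason report).
# Reads the PE TimeDateStamp with no third-party libraries and flags values
# that do not fit the date a sample was first seen: a zeroed stamp, a stamp
# in the future, or a stamp years older than the first sighting, which is the
# pattern a backdated (timestomped) build produces.
import struct
from datetime import datetime, timezone

def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header for testing; not a real executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 8 bytes past the signature (after Machine + NumberOfSections)
    return struct.unpack_from("<I", data, pe_off + 8)[0]

def timestamp_findings(data: bytes, first_seen_epoch: int, max_age_days: int = 365):
    """Compare the compile stamp with the first-seen date and list anomalies."""
    compiled = pe_timestamp(data)
    findings = []
    if compiled == 0:
        findings.append("zeroed compile timestamp")
    if compiled > first_seen_epoch:
        findings.append("compile time later than first sighting")
    elif first_seen_epoch - compiled > max_age_days * 86400:
        findings.append("compile time far earlier than first sighting (possible backdating)")
    compiled_iso = datetime.fromtimestamp(compiled, tz=timezone.utc).isoformat()
    return compiled_iso, findings

if __name__ == "__main__":
    # Constructed case: stamp says June 2016, sample first seen November 2020.
    sample = build_stub_pe(1464739200)
    print(timestamp_findings(sample, first_seen_epoch=1604188800))
```

A gap of several years is only a triage signal, not proof of tampering; it should be corroborated against other artefacts such as the linker version or debug directory stamp.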

Sources: CERT-CISA, Israel Defense, Security Week, Cyberscoop, Infosecurity Magazine
