News New spyware used by North Korean hackers from Kimsuky discovered


Tasken

Advanced
Joined
22.09.20
Messages
127
Reaction score
1,062
Points
63
Security researchers from the company Cybereason told about the new malware that was used by the North Korean group Kimsuky (also known as Black Banshee, Velvet Chollima and Thallium) during attacks on government institutions in South Korea.

Earlier, the cybersecurity and infrastructure security Agency (CISA), the Federal Bureau of investigation (FBI) and the cyber National Mission Force (CNMF) (CNMF) issued a joint warning about a malicious campaign organized by the North Korean group Kimsuky.

The group is believed to have been operating since 2012 and is collecting intelligence. The main tactic of cybercriminals is targeted phishing. Kimsuky attacks recognized experts in various fields, think tanks, and government agencies in South Korea.

Now a team of Nocturnus specialists from Cybereason has provided detailed information about two new malware families used by Kimsuky — a previously unknown modular spyware called KGH_SPY and a new malware Downloader called CSPY Downloader.

KGH_SPY is a modular set of tools that allows you to perform cyber espionage operations, including intelligence, keylogging, information theft, and backdoor access to compromised systems.

CSPY Downloader, on the other hand, was designed to protect against detection and has advanced anti-analysis capabilities. The malware helps attackers determine whether the target system is "clean" for further hacking, and allows them to deploy additional payloads.

Spyware is distributed using malicious documents that perform extensive analysis of the target system. The malware can provide persistence on the system, perform keylogging, load additional payloads, and execute arbitrary code, in addition to stealing information from applications such as Chrome, Edge, Firefox, Opera, Thunderbird, and Winscp.

The CSPY Downloader does not launch an additional payload until a series of checks are performed to determine whether the SOFTWARE is running in a virtual environment or whether a debugger is present on the system. Analysis of the new malware showed that the attackers changed the creation/compilation timestamps of their tools so that they were dated back to 2016.
 
Top Bottom