Kaspersky Lab has uncovered details of an ongoing cyber-espionage campaign targeting South Korean think tanks.
The campaign, named “Kimsuky” by Kaspersky researchers, is extremely limited and highly targeted, and has only gone after 11 organizations in South Korea and two organizations in China.
Targets identified by Kaspersky include Sejong Institute (China), Korea Institute For Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and The supporters of Korean Unification.
According to Kaspersky Lab, the first signs of the attacker’s activity date back to April 3 of this year, with the first samples of the Kimsuky Trojan (Trojan.Win32.Kimsuky) surfacing on May 5.
Kaspersky describes the Trojan an “unsophisticated spy program that includes several basic coding errors and handles communications to and from infected machines via a Bulgarian web based free e-mail server (mail.bg).”
It is assumed that the malware is being delivered via spear-phishing attacks, though the researchers are not positive on the exact attack vector.
"When running on Windows 7, the malicious library uses the Metasploit Framework’s open-source code Win7Elevate to inject malicious code into explorer.exe," Dmitry Tarakanov, a Kaspersky Lab expert, explained in a blog post. "In any case, be it Windows 7 or not, this malicious code decrypts its spying library from resources, saves it to disk with an apparently random but hardcoded name, for example, ~DFE8B437DD7C417A6D.TMP, in the user’s temporary folder and loads this file as library."
While the malware may not be complex, Kaspersky’s researchers say it has the ability to log keystrokes, collect directory listings, and remotely control an infected system. The malware also contains a dedicated component designed for stealing HWP documents, files related to the South Korean word processing program from the Hancom Office bundle, used by the local government.
The attackers are using a modified version of the TeamViewer remote access application to serve as a backdoor to hijack files from the infected machines, Kaspersky said.
The “real” version of TeamViewer is actually a legitimate software product designed to provide remote computer support. This is not the first time a hacked version of TeamViewer was used in attacks.
Earlier this year, CrySyS Lab, the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics, unveiled details on a near decade-long cyber espionage operation aimed at high profile targets, that also used a modified version of TeamViewer.
While Kaspersky Lab did not officially name an attacker or nation-state behind the campaign, Kaspersky Lab's experts not surprisingly suspect North Korea as the origin of the attackers.
An interesting feature of the Kimsuky malware is that it was programmed to disable security software from AhnLab, a South Korean anti-malware firm.
According to Kaspersky, two email addresses to which bots send reports on status and transmit infected system information via attachments – firstname.lastname@example.org and email@example.com – are registered with the following “kim” names: “kimsukyang” and “Kim asdfa”.
“Even though this registration data does not provide hard data about the attackers, the source IP-addresses of the attackers fit the profile: there are 10 originating IP-addresses, and all of them lie in ranges of the Jilin Province Network and Liaoning Province Network in China. The ISPs providing Internet access in these provinces are also believed to maintain lines into parts of North Korea,” the security firm explained.
This is by no means the first attack campaign found targeting South Korea, as the country has been the target of several high profile attacks this year alone.
In March, attackers used data-wiping malware against targets in South Korea that infected several South Korean banks and local broadcasting organizations.
In June, researchers from Seculert shared details on malware behind a string of attacks used by several Chinese-speaking groups over the last four years to target different worldwide organizations and nation-states, with the most recent set of attacks targeted dozens of organizations in South Korea.
Also in June, researchers at Symantec attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.
Earlier this year South Korea said it would double its cyber-security budget and train 5,000 cyber warriors in response to growing concern over its vulnerability to attacks it blames on North Korea.