Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

North Korea Suspected in Cyber-espionage Attacks Against South Korean Entities

Kaspersky Lab has uncovered details of an ongoing cyber-espionage campaign targeting South Korean think tanks.

Kaspersky Lab has uncovered details of an ongoing cyber-espionage campaign targeting South Korean think tanks.

The campaign, named “Kimsuky” by Kaspersky researchers, is extremely limited and highly targeted, and has only gone after 11 organizations in South Korea and two organizations in China.

Targets identified by Kaspersky include Sejong Institute (China), Korea Institute For Defense Analyses (KIDA), South Korea’s Ministry of Unification, Hyundai Merchant Marine and The supporters of Korean Unification.

According to Kaspersky Lab, the first signs of the attacker’s activity date back to April 3 of this year, with the first samples of the Kimsuky Trojan (Trojan.Win32.Kimsuky) surfacing on May 5.

South Korea Operation Troy

Kaspersky describes the Trojan an “unsophisticated spy program that includes several basic coding errors and handles communications to and from infected machines via a Bulgarian web based free e-mail server (”

It is assumed that the malware is being delivered via spear-phishing attacks, though the researchers are not positive on the exact attack vector.

“When running on Windows 7, the malicious library uses the Metasploit Framework’s open-source code Win7Elevate to inject malicious code into explorer.exe,” Dmitry Tarakanov, a Kaspersky Lab expert, explained in a blog post. “In any case, be it Windows 7 or not, this malicious code decrypts its spying library from resources, saves it to disk with an apparently random but hardcoded name, for example, ~DFE8B437DD7C417A6D.TMP, in the user’s temporary folder and loads this file as library.”

While the malware may not be complex, Kaspersky’s researchers say it has the ability to log keystrokes, collect directory listings, and remotely control an infected system. The malware also contains a dedicated component designed for stealing HWP documents, files related to the South Korean word processing program from the Hancom Office bundle, used by the local government.

The attackers are using a modified version of the TeamViewer remote access application to serve as a backdoor to hijack files from the infected machines, Kaspersky said.

The “real” version of TeamViewer is actually a legitimate software product designed to provide remote computer support. This is not the first time a hacked version of TeamViewer was used in attacks.

Earlier this year, CrySyS Lab, the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics, unveiled details on a near decade-long cyber espionage operation aimed at high profile targets, that also used a modified version of TeamViewer.

While Kaspersky Lab did not officially name an attacker or nation-state behind the campaign, Kaspersky Lab’s experts not surprisingly suspect North Korea as the origin of the attackers.

An interesting feature of the Kimsuky malware is that it was programmed to disable security software from AhnLab, a South Korean anti-malware firm.

According to Kaspersky, two email addresses to which bots send reports on status and transmit infected system information via attachments – [email protected] and [email protected] – are registered with the following “kim” names: “kimsukyang” and “Kim asdfa”.

“Even though this registration data does not provide hard data about the attackers, the source IP-addresses of the attackers fit the profile: there are 10 originating IP-addresses, and all of them lie in ranges of the Jilin Province Network and Liaoning Province Network in China. The ISPs providing Internet access in these provinces are also believed to maintain lines into parts of North Korea,” the security firm explained.

This is by no means the first attack campaign found targeting South Korea, as the country has been the target of several high profile attacks this year alone.

In March, attackers used data-wiping malware against targets in South Korea that infected several South Korean banks and local broadcasting organizations.

In June, researchers from Seculert shared details on malware behind a string of attacks used by several Chinese-speaking groups over the last four years to target different worldwide organizations and nation-states, with the most recent set of attacks targeted dozens of organizations in South Korea.

Also in June, researchers at Symantec attributed at least part of the recent cyber-attacks against South Korea to a sophisticated hacker crew known as DarkSeoul.

Earlier this year South Korea said it would double its cyber-security budget and train 5,000 cyber warriors in response to growing concern over its vulnerability to attacks it blames on North Korea. 

RelatedSouth Korea Cyber Attack Tied to DarkSeoul Crew: Symantec

Related‘PinkStats’ Malware Used in Attacks Against South Korea, Others 

RelatedSouth Korea Sounds Alert After Official Websites Hacked

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...