Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access.
The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC).
“In some systems, initial access was gained through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708),” the South Korean cybersecurity company said. “While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use.”
CVE-2019-0708 (CVSS score: 9.8) is a critical wormable bug in Remote Desktop Services that could enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data, and even create new accounts with full user rights.
However, in order for an adversary to exploit the flaw, they would need to send a specially crafted request to the target system Remote Desktop Service via RDP. It was patched by Microsoft in May 2019.
Another initial access vector adopted by the threat actor is the use of phishing mails embedding files that trigger another known Equation Editor vulnerability (CVE-2017-11882, CVSS score: 7.8).
Once access is gained, the attackers proceed to leverage a dropper to install a malware strain dubbed MySpy and a RDPWrap tool referred to as RDPWrap, in addition to changing system settings to allow RDP access. MySpy is designed to collect system information.
The attack culminates in the deployment of keyloggers like KimaLogger and RandomQuery to capture keystrokes.
The campaign is assessed to have been sent to victims in South Korea and Japan, mainly software, energy, and financial sectors in the former since October 2023. Some of the other countries targeted by the group include the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
The Hacker News
