An Advanced Persistent Threat (APT) operation, dubbed Larva-24005, was uncovered actively exploiting critical flaws in Remote Desktop Protocol (RDP) and Microsoft Office applications to breach systems across multiple industries. The campaign has been linked to the infamous Kimsuky threat group.
The attackers mainly exploited two vulnerabilities: a critical RDP flaw (CVE-2019-0708), which allows remote code execution without prior authentication, and the Microsoft Office Equation Editor vulnerability (CVE-2017-11882). After gaining access through these exploits, the adversaries delivered an advanced set of malware, including MySpy and RDPWrap, to maintain remote access to the compromised systems.
The main targets of the attacks include the software, energy, and financial sectors of South Korea. Victims have also been identified in the United States, Japan, China, Singapore, Germany, and many other countries. ASEC analysts identified several specialised tools used by the APT group.
The findings consisted of two versions of RDP vulnerability scanners, specially crafted droppers and keyloggers developed to extract sensitive data. The threat actors, “have been sending phishing emails to South Korea and Japan,” ASEC said.
Although certain tools were used in the attacks, many were found stored on affected systems without having been used. The initial attack method varies according to the target: in RDP-based attacks, specialised scanning tools are used first to identify vulnerable systems.
The two variants of the RDP scanner are a command-line version and a graphical user interface (GUI) version. The GUI variant offers extensive scanning features such as IP range specification, multi-threading options and connection timeout settings, allowing attackers to maximise scanning efficiency. Following a successful breach, the dropper generates and runs the RDPWrap and MySpy information-gathering components.
MySpy gathers system information, while RDPWrap modifies Windows system settings to allow remote connections, even on systems that would normally block them. Access is maintained by making changes to the registry under the Windows shell startup key, allowing the tools to persist across system reboots.
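A host-side audit of the persistence and RDP-enablement locations described above, added here as an example and not taken from the ASEC findings. It assumes that "shell startup" persistence lands in the standard Run and Winlogon registry locations (an assumption; the report does not name the exact key) and flags any autostart entry whose target lies outside Program Files or the Windows directory, plus any Winlogon or RDP setting that departs from the Windows defaults.

```powershell
# Added defender-side audit (not part of the ASEC report). Assumption: the
# "shell startup" persistence maps to the Run / Winlogon locations listed
# here; extend the list if your own telemetry points elsewhere.
$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$TermSrv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$findings = @()

# 1. Autostart entries whose command does not point into Program Files or Windows
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $cmd = [string]$p.Value
        if ($cmd -notmatch '^"?[A-Za-z]:\\(Program Files|Windows)') {
            $findings += [pscustomobject]@{ Check='Autostart'; Where="$key\$($p.Name)"; Value=$cmd }
        }
    }
}

# 2. Winlogon Shell / Userinit tampering (defaults: explorer.exe and userinit.exe)
$wl = Get-ItemProperty -Path $Winlogon
if ($wl.Shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Check='WinlogonShell'; Where=$Winlogon; Value=$wl.Shell }
}
if ($wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
    $findings += [pscustomobject]@{ Check='WinlogonUserinit'; Where=$Winlogon; Value=$wl.Userinit }
}

# 3. RDP accepting connections (fDenyTSConnections = 0) on a host that should not
$ts = Get-ItemProperty -Path $TermSrv -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += [pscustomobject]@{ Check='RdpEnabled'; Where=$TermSrv; Value='fDenyTSConnections=0' }
}

if ($findings.Count -eq 0) { 'No suspicious autostart, Winlogon or RDP settings found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated session on a host you suspect; each finding is a lead to triage against your baseline, not proof of compromise on its own.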
In the final step, keyloggers such as KimaLogger and RandomQuery are executed to capture the user’s keyboard input. The campaign began in September 2023 and represents a significant advancement in the threat group’s tactics, techniques and procedures.