Cybereason, the leader in future-ready attack protection, today announced that the Cybereason Nocturnus Team has identified a newly discovered modular spyware suite dubbed KGH_SPY and a new malware strain dubbed CSPY Downloader being employed in attacks by cyber espionage group Kimsuky which is believed to be operating on behalf of the North Korean regime.
This APT group has been observed targeting a wide array of victims that include public and private sector companies in the U.S., Europe, Japan, South Korea and Russia. The target organizations include pharmaceutical and research companies working on COVID-19 therapies, government and defense organizations, journalists and various human rights groups. The full report is available here:
Kimsuky (aka Velvet Chollima, Black Banshee and Thallium) has been active since 2012 and is known for their complex infrastructure that uses free-registered domains, compromised domains and private domains registered by the group. The Cybereason Nocturnus Team also observed operational infrastructure overlaps with BabyShark malware and connections to malware such as the AppleSeed backdoor.
The KGH_SPY suite infection vector appears to be by way of Word documents containing malicious macros, and the malware includes several components used to harvest information, run arbitrary commands and spy on the user activities by way of a keylogger and a backdoor component. Some of the components of the KGH Spyware suite remain undetected by antivirus vendors.
CSPY Downloader is a sophisticated tool with extensive anti-analysis and evasion capabilities that allow the attackers to determine if “the coast is clear” before downloading additional payloads. In addition to the phishing documents which focus on Korean-related topics, other forensic evidence embedded in the malware itself includes Korean language snippets from the time of the malware’s creation.
“Kimsuky has a rich and notorious history dating back to 2012 of targeting South Korea, but over the past few years they have expanded their global reach. Our newest discovery shows Kimsuky carrying out targeted cyber espionage campaigns against an array of victims including governments, research institutes and human rights groups. Since the new malware is quite new, the true scope of the threat it poses is unknown, but given Kimsuky’s track record this spyware is likely to be of serious concern to both public and private sector organizations,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.
Cybereason is the champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere. Cybereason is a privately held, international company headquartered in Boston with customers in more than 30 countries.
Senior Director, Global Public Relations