The Cybereason Nocturnus Team has identified a newly discovered modular spyware suite dubbed KGH_SPY and a new malware strain dubbed CSPY Downloader. Both are being employed in attacks by the cyber espionage group Kimsuky, which is believed to be operating on behalf of the North Korean regime. This APT group has been observed targeting a wide array of victims, including public and private sector organizations in the U.S., Europe, Japan, South Korea, and Russia.
The target organizations include pharmaceutical and research companies working on COVID-19 therapies, government and defense organizations, journalists, and various human rights groups.
KEY OBSERVATIONS & TTPS
- New Modular Spyware Suite: KGH_SPY is a modular suite of tools that provides the threat actors with reconnaissance, keylogging, information stealing and backdoor capabilities.
- Stealthy New Malware: CSPY Downloader is a tool designed to evade analysis and download additional payloads.
- New Infrastructure: Newly discovered infrastructure registered between 2019 and 2020 overlaps with the infrastructure of another Kimsuky malware, BabyShark, which was used in the past to target US-based think tanks.
- Anti-Forensics: The creation/compilation timestamps of the malware in the report appear to have been tampered with and backdated to 2016 in an attempt to thwart forensic investigation.
- Behavioral and Code Similarities to Other Kimsuky Malware: The newly discovered malware shares various behavioral and code similarities with known Kimsuky malware, including code signing with a revoked EGIS certificate, shared strings, file naming conventions, string decryption algorithms, and PDB paths referencing authors/projects.
- Undetected by Antivirus: At the time of writing this report, some of the tools mentioned are not detected by any antivirus vendor other than Cybereason.
- Previous Targets Include: Pharmaceutical/Research companies working on COVID-19 vaccines and therapies; UN Security Council; South Korean Ministry of Unification; Various Human Rights Organizations; Korea Institute for Defense Analysis; Various Education and Academic Organizations; Various Think Tanks; Government Research Institutes; Journalists covering Korean Peninsula relations; South Korean Military.