The “Kimsuky” Operation: A North Korean APT?
For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored.
However, there were a few things that attracted our attention:
- The public e-mail server in question was Bulgarian – mail.bg.
- The compilation path string contained Korean (Hangul) characters.
These two facts compelled us to take a closer look at this malware: a Korean build environment alongside Bulgarian e-mail command-and-control communications.
The complete path found in the malware presents some Korean strings:
D:\rsh\공격\UAC_dll(완성)\Release\test.pdb
The word “rsh”, by all appearances, is short for “Remote Shell”, and the Korean words translate into English as “attack” and “completion”, i.e.:
D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
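The build path above survives in the sample because the linker embeds it in a CodeView (“RSDS”) debug record. As an added triage example, not code from this write-up, the following stdlib-only Python scans a raw PE image for RSDS records, pulls out the PDB path and flags any path containing Hangul, which is the indicator that caught our eye here. The sample bytes, the GUID and the second ASCII path are constructed for the demonstration; the Korean path is the one quoted above, encoded in CP949 as a Korean-locale Windows box would write it.

```python
import re
import struct
import uuid

# Unicode blocks that make up written Korean (Hangul): Jamo, compatibility
# Jamo and precomposed syllables.
HANGUL_RANGES = ((0x1100, 0x11FF), (0x3130, 0x318F), (0xAC00, 0xD7A3))


def contains_hangul(text: str) -> bool:
    """True if any character of `text` falls in a Hangul block."""
    return any(lo <= ord(ch) <= hi for ch in text for lo, hi in HANGUL_RANGES)


def decode_pdb_path(raw: bytes) -> str:
    """Decode the NUL-terminated path bytes from a CodeView record.

    The linker writes the path in the build machine's ANSI code page, which on
    a Korean-locale Windows box is CP949, so UTF-8 is tried first and CP949
    second; Latin-1 is the lossless last resort.
    """
    for enc in ("utf-8", "cp949"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def extract_pdb_paths(data: bytes) -> list:
    """Return one dict per RSDS (CodeView 7.0) record found in `data`.

    Record layout: b"RSDS" | 16-byte GUID (little-endian fields) | u32 age |
    NUL-terminated PDB path. The raw image is scanned for the signature, so
    this works on a full PE file, a memory dump or a carved section alike.
    """
    records = []
    for m in re.finditer(b"RSDS", data):
        start = m.end()
        if start + 20 > len(data):          # header truncated: not a record
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack_from("<I", data, start + 16)[0]
        end = data.find(b"\x00", start + 20)
        if end == -1 or end == start + 20:  # unterminated or empty path
            continue
        path = decode_pdb_path(data[start + 20:end])
        records.append({
            "guid": str(guid),
            "age": age,
            "path": path,
            "hangul": contains_hangul(path),
        })
    return records


def build_rsds(path: str, encoding: str, age: int = 1) -> bytes:
    """Assemble a CodeView record for the constructed sample below (GUID is made up)."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode(encoding) + b"\x00"


# Constructed sample image: filler, the Korean-locale record using the path
# quoted in the article, an unremarkable ASCII record, and a dangling "RSDS"
# that is too short to be a record.
SAMPLE = (
    b"\x00" * 32
    + build_rsds("D:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb", "cp949")
    + b"\x90" * 16
    + build_rsds("C:\\build\\agent\\Release\\agent.pdb", "ascii", age=3)
    + b"RSDS\x01\x02"
)


if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE):
        flag = "HANGUL" if rec["hangul"] else "ascii "
        print(f"[{flag}] age={rec['age']} guid={rec['guid']} {rec['path']}")
```

Run it against a real file by replacing `SAMPLE` with `open(path, "rb").read()`. Scanning for the signature rather than walking the PE debug directory is deliberate: packed or partially dumped samples often lose a usable directory while the RSDS blob is still intact in memory or in an overlay.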
Although the full …