
Thursday, 12 September 2013

Kaspersky revealed "Kimsuky" Cyber Espionage campaign targeting South Korea

Russian security firm Kaspersky Lab has revealed that it has been following a sustained attack on South Korea by hackers seemingly based in North Korea.


This new cyber espionage campaign, dubbed "Kimsuky", has targeted several South Korean think tanks. Researchers believe the Kimsuky malware is most likely delivered via spear-phishing e-mails and that the operators used multiple drop box e-mail accounts.

"It’s interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following “kim” names: “kimsukyang” and “Kim asdfa”."

The Kaspersky researchers revealed that the operation presents distinctive characteristics in its execution and logistics. The investigation started after the team of experts detected an unsophisticated spy program that communicated with its control server via a public e-mail server, an approach followed by many amateur malware authors.

Victims download a Trojan dropper that fetches additional malware capable of the following espionage functions: keystroke logging, directory listing collection, remote control access and HWP document theft.
The complete path found in the malware presents some Korean strings:
D:\rsh\공격\UAC_dll(완성)\Release\test.pdb
The “rsh” component, by all appearances, is a shortening of “Remote Shell”, and the Korean words translate into English as “attack” and “completion”, i.e.:
D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
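A defender-side check for the PDB path indicator above, written here as an added example (not code from Kaspersky's report or from this post): it searches a file's raw bytes for the path in the encodings a Korean-locale build might have used, since a plain text search for the Unicode string would miss a cp949- or UTF-16-encoded copy. The sample input is constructed.

```python
import os
from typing import Dict, List

# Indicator quoted in the post above: the PDB path left in the malware by its build.
PDB_PATH = "D:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb"

# A PE debug directory stores the PDB path as raw bytes in whatever code page the
# build machine used, so the same string is encoded several ways before searching.
ENCODINGS = ("cp949", "utf-8", "utf-16-le")

# Pure-ASCII fragments that survive however the Korean components were encoded.
ASCII_FRAGMENTS = (b"D:\\rsh\\", b"UAC_dll(", b"\\Release\\test.pdb")


def pdb_patterns() -> Dict[str, bytes]:
    """Map each encoding name to the byte form of the full PDB path."""
    return {enc: PDB_PATH.encode(enc) for enc in ENCODINGS}


def scan_bytes(data: bytes) -> List[str]:
    """Return the indicator names matched in data (empty list when nothing matches)."""
    hits = []
    for enc, pattern in pdb_patterns().items():
        if pattern in data:
            hits.append(f"full-pdb-path[{enc}]")
    # Report the ASCII fragments only when all three co-occur; alone they are too common.
    if all(frag in data for frag in ASCII_FRAGMENTS):
        hits.append("ascii-fragments")
    return hits


def scan_file(path: str, chunk_size: int = 1 << 20) -> List[str]:
    """Scan a file in chunks, keeping an overlap so a match across a boundary is kept."""
    overlap = 256  # longer than any pattern above
    found = set()
    with open(path, "rb") as fh:
        prev = b""
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            found.update(scan_bytes(prev + chunk))
            prev = chunk[-overlap:]
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: filler bytes with the cp949-encoded path embedded in them.
    sample = b"MZ\x90\x00" + os.urandom(64) + PDB_PATH.encode("cp949") + os.urandom(64)
    print(scan_bytes(sample))
```

Run `scan_file` over a directory of binaries to triage; a hit on the full path in any encoding is a strong match, while the ASCII-fragment hit alone warrants a manual look.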
At system startup, the basic library disables the system firewall and any firewall produced by the South Korean security product vendor AhnLab. The malware does not include a custom back door, instead the attackers modified a TeamViewer client as a remote control module.

Bot agents communicate with the C&C through the Bulgarian web-based free e-mail service mail.bg; the malware carries hard-coded credentials for its e-mail account. After authenticating, it sends e-mails to another specified address and reads e-mails from the Inbox.

The espionage campaign appears to have originated in North Korea. The researchers identified 10 IP addresses indicating that the attackers used networks in China's Jilin and Liaoning provinces, which border North Korea.

The attackers were interested in targeting 11 organizations based in South Korea and two entities in China, including the Sejong Institute, the Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and The Supporters of Korean Unification.

