Kimsuky APT: Operation’s possible North Korean links uncovered
For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started when we encountered a somewhat unsophisticated spy program that communicated with its “master” via a public e-mail server, an approach more typical of amateur virus-writers.
However, there were a few things that attracted our attention:
- The public e-mail server in question was Bulgarian – mail.bg.
- The compilation path string contained Korean characters.
The complete path found in the malware presents some of the Korean strings:
D:\rsh\공격\UAC_dll(완성)\Release\test.pdb
The “rsh” part appears to be short for “Remote Shell”, and the Korean words translate into English as “attack” and “completion”, i.e.:
D:\rsh\ATTACK\UAC_dll(COMPLETION)\Release\test.pdb
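As an added, defender-side example (not code from the Kaspersky write-up), the following Python parses the CodeView “RSDS” debug record in which a PE file stores its PDB path and flags paths that contain Hangul, the trait described above. The record bytes, the placeholder GUID and the CP949 encoding are constructed assumptions.

```python
import struct
import uuid

# Unicode blocks covering Hangul (jamo, compatibility jamo, precomposed syllables).
HANGUL_RANGES = ((0x1100, 0x11FF), (0x3130, 0x318F), (0xAC00, 0xD7A3))


def parse_rsds(blob: bytes) -> dict:
    """Parse a CodeView 'RSDS' record: signature, GUID, age, NUL-terminated PDB path."""
    if blob[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=blob[4:20])
    (age,) = struct.unpack_from("<I", blob, 20)
    raw_path = blob[24:].split(b"\x00", 1)[0]
    # The path is stored in the build machine's ANSI code page; a Korean-locale
    # build box writes CP949, so try UTF-8 first and fall back to CP949.
    for enc in ("utf-8", "cp949"):
        try:
            path = raw_path.decode(enc)
            break
        except UnicodeDecodeError:
            continue
    else:
        path = raw_path.decode("latin-1")  # last resort: keep every byte visible
    return {"guid": str(guid), "age": age, "path": path}


def hangul_chars(text: str) -> str:
    """Return only the Hangul characters found in text (empty string if none)."""
    return "".join(c for c in text if any(lo <= ord(c) <= hi for lo, hi in HANGUL_RANGES))


def assess_debug_record(blob: bytes) -> dict:
    """Extract the PDB path and flag it when it carries Korean characters."""
    rec = parse_rsds(blob)
    rec["hangul"] = hangul_chars(rec["path"])
    rec["flagged"] = bool(rec["hangul"])
    return rec


# Constructed sample record (not bytes from the real sample): the GUID is a
# placeholder and the path is the one quoted in the article, encoded as CP949.
SAMPLE_PATH = "D:\\rsh\\공격\\UAC_dll(완성)\\Release\\test.pdb"
SAMPLE_RSDS = (
    b"RSDS"
    + uuid.UUID(int=0).bytes_le          # placeholder PDB GUID
    + struct.pack("<I", 1)               # age
    + SAMPLE_PATH.encode("cp949") + b"\x00"
)

if __name__ == "__main__":
    print(assess_debug_record(SAMPLE_RSDS))
```

On a real binary, locate the RSDS record through the PE debug directory (for example with a PE parser such as pefile) and pass its raw bytes to assess_debug_record.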
We managed to identify several targets. Here are some of the organizations that the attackers were interested in targeting:
The Sejong Institute
The Sejong Institute is a non-profit private organization for public interest and a leading think tank in South Korea, conducting research on national security strategy, unification strategy, regional issues, and international political economy.