Cybersecurity researchers have flagged a new malicious campaign linked to the North Korean state actor known as Kimsuky that exploits a now-patched vulnerability in Microsoft Remote Desktop Services to gain initial access.
The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC).
"In some systems, initial access was obtained by exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708)," the South Korean cybersecurity company noted. "While the RDP vulnerability was found on the compromised system, there is no evidence of its actual use."
CVE-2019-0708 (CVSS score: 9.8) is a critical, wormable bug in Remote Desktop Services that could enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data, and even create new accounts with full user rights.
However, to exploit the flaw an adversary would need to send a specially crafted request to the target's Remote Desktop Service over RDP. It was patched by Microsoft in May 2019.
Another initial access vector used by the threat actor is phishing email carrying attached files that trigger the Equation Editor vulnerability (CVE-2017-11882, CVSS score: 7.8).
After gaining access, the attackers proceed to use a dropper to install malware called MySpy and a tool called RDPWrap, in addition to changing system settings to ensure RDP access. MySpy is designed to collect system information.
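The RDPWrap installation and RDP setting changes described above leave host-level traces a responder can look for. The following read-only PowerShell triage check is an added example, not code from the article or from ASEC; the RDPWrap file locations and the TermService ServiceDll redirection it tests for are assumptions based on how that tool is normally installed, so adapt them to your environment.

```powershell
# Added example (not from the article or ASEC): read-only triage for the RDP
# persistence described in the campaign. File paths and registry expectations for
# RDPWrap are assumptions drawn from the tool's usual install, not from the report.
$findings = @()

# 1. RDP enablement and NLA state (the attackers "change system settings to ensure RDP access")
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections=0)' }
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = Get-ItemProperty $rdpTcp -ErrorAction SilentlyContinue
if ($nla -and $nla.UserAuthentication -eq 0) { $findings += 'Network Level Authentication disabled for RDP-Tcp' }

# 2. RDPWrap artefacts: TermService normally loads termsrv.dll; RDPWrap points ServiceDll at rdpwrap.dll
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
if ($svc -and $svc.ServiceDll -notmatch '\\termsrv\.dll$') {
    $findings += "TermService ServiceDll redirected to: $($svc.ServiceDll)"
}
# Assumed default install path of RDPWrap plus a System32 drop location seen with side-loaded copies
foreach ($p in @("$env:ProgramFiles\RDP Wrapper\rdpwrap.dll", "$env:SystemRoot\System32\rdpwrap.dll")) {
    if (Test-Path $p) { $findings += "rdpwrap.dll present at $p" }
}

# 3. Exposure: firewall allow rules for the Remote Desktop group and a listener on TCP 3389
$fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
      Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($fw) { $findings += "$(@($fw).Count) enabled allow rule(s) in the 'Remote Desktop' firewall group" }
$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($listen) { $findings += 'TCP 3389 is listening' }

# 4. Report. None of the checks above modify the host.
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No RDP exposure or RDPWrap indicators found on this host'
}
```

Run it in an elevated session on a host suspected of compromise; individual hits (RDP enabled, 3389 listening) are normal on administered servers, but a redirected TermService ServiceDll or an rdpwrap.dll on disk warrants a closer look.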
The attack culminates in the deployment of keyloggers such as KimaLogger and RandomQuery to capture keystrokes.
The company estimates that the activity has been ongoing since October 2023, targeting South Korea and Japan, mainly the software, energy and financial sectors. Other countries targeted by the group include the US, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand and Poland.