Cybereason uncovers North Korean malware used against companies around the world that also steals COVID-19 research.
By Yakir Benzion, United With Israel
An Israeli cybersecurity company announced Monday that it identified new spyware linked to the cyberespionage group “Kimsuky” that is operating on behalf of the North Korean regime.
Cybereason said that its Nocturnus Team has identified the modular spyware suite dubbed KGH_SPY and a new malware strain dubbed CSPY Downloader that Kimsuky is using.
Kimsuky is an Advanced Persistent Threat (APT) group, one of the shadowy organizations that, according to cyber expert Ronald Mendell, carry out “attacks on a country’s information assets of national security or strategic economic importance through either cyberespionage or cybersabotage.”
Cybereason said the latest attacks targeted a wide array of victims, including public and private sector companies in the U.S., Europe, Japan, South Korea and even Russia.
Given the nature of North Korean dictator Kim Jong-un’s paranoid leadership, it is not surprising that the victims of the attacks include pharmaceutical and research companies working on COVID-19 therapies, government and defense organizations, journalists and various human rights groups.
Kimsuky also goes by the names Velvet Chollima, Black Banshee and Thallium. The well-oiled group of cyber-hacker experts has been active since 2012 and is known for its complex tactics.
The Nocturnus Team found that the KGH_SPY malware appears to get into computers via Word documents containing malicious macros. The malware includes several components used to harvest information, run arbitrary commands and spy on user activity by way of a keylogger and a backdoor component that allows a hacker to gain direct access to a computer.
Most troubling, Cybereason reported, is that some of the components of the KGH_SPY spyware suite remain undetected by antivirus companies and therefore are not checked by antivirus programs.
“Kimsuky has a rich and notorious history dating back to 2012 of targeting South Korea, but over the past few years they have expanded their global reach,” said Assaf Dahan, head of Threat Research at Cybereason.
“Our newest discovery shows Kimsuky carrying out targeted cyber espionage campaigns,” Assaf said. “Since the new malware is quite new, the true scope of the threat it poses is unknown, but given Kimsuky’s track record this spyware is likely to be of serious concern to both public and private sector organizations.”
“In recent years, the threat of cyber espionage and warfare has been increasing as capabilities to attack and hack software have been outpacing abilities to protect ourselves,” Israel’s Calcalist business news website reported. “With abilities to tank stock markets, adjust presidential election results, or steal private information for ransomware attacks, the threat has never been more pressing.”