BlueKeep Exploited in New Kimsuky Campaign


A new malicious cyber campaign linked to Kimsuky, a North Korean state-backed threat group, has been uncovered by cybersecurity researchers. The campaign uses an already-patched vulnerability in Microsoft Remote Desktop Services (RDS) to gain initial system access. The activity, tracked as Larva-24005 by the AhnLab Security Intelligence Center (ASEC), leverages the BlueKeep vulnerability (CVE-2019-0708) to compromise targets. Although an RDP vulnerability scanner was found on infected systems, there is no direct evidence that it was used during the attacks, ASEC noted.

Wormable RDP Bug BlueKeep Used for Initial Entry

CVE-2019-0708 is a critical remote code execution flaw in RDS that Microsoft patched in May 2019. Rated CVSS 9.8, the bug is considered wormable because it can be triggered before authentication and without any user interaction, so a single infected host can scan for and compromise others on its own. Attackers exploit it by sending crafted RDP connection requests to a vulnerable system. A successful exploit runs code with system-level privileges, which lets the attacker install programs, read or modify data, or create new accounts with administrative rights. Enabling Network Level Authentication (NLA) raises the bar, since the attacker must authenticate before the vulnerable code path is reachable, but applying the patch is the only real fix.
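The crafted request described above has a well-known fingerprint from public analyses of CVE-2019-0708: the client binds the internal MS_T120 static virtual channel by name in its connect request, something a legitimate RDP client never does. The detector below, an added example that is not part of this article or of ASEC's report, parses the client network data block (CS_NET, per MS-RDPBCGR) out of the connect user data and flags that channel name. The byte strings, the block-scanning heuristic, and the function names are constructed for illustration, and a real network sensor would do this on traffic rather than on inline samples.

```python
import struct

CS_NET_TYPE = 0xC003          # MS-RDPBCGR client network data block (CS_NET)
CS_NET_HEADER_SIZE = 8        # type (2) + length (2) + channelCount (4), little-endian
CHANNEL_DEF_SIZE = 12         # 8-byte channel name + 4-byte options
# MS_T120 is an internal channel that a legitimate client never requests by name.
# Asking for it is the precondition public CVE-2019-0708 analyses describe.
SUSPICIOUS_CHANNELS = {"MS_T120"}


def parse_cs_net_channels(user_data: bytes):
    """Return the static virtual channel names requested in the CS_NET block.

    The block is located by scanning for a self-consistent header instead of
    decoding the surrounding BER/GCC wrapper, which is how signature-based
    detectors typically approach it.  Returns [] when no block is found.
    """
    for off in range(0, len(user_data) - CS_NET_HEADER_SIZE + 1):
        btype, blen, count = struct.unpack_from("<HHI", user_data, off)
        if btype != CS_NET_TYPE:
            continue
        expected = CS_NET_HEADER_SIZE + count * CHANNEL_DEF_SIZE
        if blen != expected or off + blen > len(user_data):
            continue  # a stray 0xC003 that is not a well-formed block
        names = []
        for i in range(count):
            start = off + CS_NET_HEADER_SIZE + i * CHANNEL_DEF_SIZE
            raw_name = user_data[start:start + 8]
            names.append(raw_name.split(b"\x00", 1)[0].decode("ascii", "replace"))
        return names
    return []


def suspicious_channels(user_data: bytes):
    """Channel names in the connect request that should raise an alert."""
    return [n for n in parse_cs_net_channels(user_data) if n.upper() in SUSPICIOUS_CHANNELS]


def build_cs_net(names):
    """Constructed helper: build a CS_NET block from channel names (test data only)."""
    body = b"".join(n.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", 0) for n in names)
    header = struct.pack("<HHI", CS_NET_TYPE, CS_NET_HEADER_SIZE + len(body), len(names))
    return header + body


# Constructed samples: an opaque prefix stands in for the TPKT/X.224/BER wrapper
# and a minimal CS_CORE-style block (type 0xC001) that precede CS_NET in a real request.
PREFIX = bytes.fromhex("030000ee02f0807f658201e2") + b"\x01\xc0\x08\x00\x00\x00\x00\x00"
BENIGN_REQUEST = PREFIX + build_cs_net(["rdpdr", "rdpsnd", "cliprdr"])
BLUEKEEP_STYLE_REQUEST = PREFIX + build_cs_net(["rdpdr", "cliprdr", "MS_T120"])

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", BLUEKEEP_STYLE_REQUEST)):
        print(label, parse_cs_net_channels(req), suspicious_channels(req))
```

The length check is what keeps the scan honest: a random 0xC003 inside other data will almost never carry a length field that agrees with its channel count, so the parser only accepts a block whose header, count, and size line up. The benign request yields no alert, the MS_T120 request yields one, and the same check applies unchanged to RDP traffic on port 3389 captured by a sensor.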

Aside from exploiting BlueKeep, Kimsuky has also been seen using phishing emails. These emails carry documents that exploit a separate bug in Microsoft Equation Editor (CVE-2017-11882, CVSS score: 7.8), further broadening their access methods.

Malware Tools and Global Targets

Once inside, the attackers deploy a dropper that installs MySpy, a spyware program that gathers system-level information, and RDPWrap, an RDP wrapper utility that enables Remote Desktop and concurrent sessions on Windows editions that do not normally allow them. They also change system settings so that the compromised hosts accept Remote Desktop connections.

In the final stage, the group deploys keylogging malware like KimaLogger and RandomQuery, allowing them to monitor and steal keystrokes from infected machines.

The campaign, active since October 2023, has mainly targeted South Korean and Japanese entities in software, energy, and finance. However, its scope has extended globally, with victims also reported in the U.S., China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the U.K., Canada, Thailand, and Poland.
