Kaspersky Lab’s security research team has published a report on Kimsuky, an active cyber-espionage campaign primarily targeting South Korean think-tanks.
According to the technical analysis, the attackers targeted 11 organizations based in South Korea and two entities in China.
The earliest signs of this threat actor's activity date back to 3 April 2013, and the first Kimsuky Trojan samples appeared on 5 May 2013. Although the initial infection vector remains unknown, Kaspersky's researchers consider spear-phishing e-mails the most likely delivery mechanism. The malware is built for espionage: the attackers use a modified version of the TeamViewer remote access application as a backdoor to exfiltrate files from infected machines.
The Kimsuky malware contains a dedicated component for stealing HWP files (documents in the Hangul Word Processor format widely used in South Korea), which suggests that these documents are one of the group's main objectives.
Another telling “geo-political” feature of the Kimsuky malware is that it disables security tools from only one vendor, AhnLab, a South Korean anti-malware company.
Kaspersky Lab’s products detect and neutralize these threats as Trojan.Win32.Kimsuky; the modified TeamViewer client components are detected as Trojan.Win32.Patched.ps.
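The "Patched" detection name above points to a practical check that does not depend on any vendor's signatures: a legitimately signed TeamViewer binary that has been modified after signing no longer passes Authenticode verification. The following PowerShell script is an added example written for this page, not code from Kaspersky's report or from TeamViewer; the install directories it searches are assumptions, and it flags any TeamViewer component that is unsigned or whose signature does not verify.

```powershell
# Added example (not from Kaspersky's report): find TeamViewer components whose
# Authenticode signature no longer verifies. A binary patched after it was signed,
# as the article describes for the Kimsuky backdoor, reports HashMismatch here
# unless the attacker re-signed it with their own certificate.

# Assumed install locations; adjust for your environment.
$candidateDirs = @(
    "$env:ProgramFiles\TeamViewer",
    "${env:ProgramFiles(x86)}\TeamViewer",
    "$env:ProgramData\TeamViewer",
    "$env:APPDATA\TeamViewer"
)

function Get-TeamViewerBinaryPaths {
    param([string[]]$Dirs)
    $paths = foreach ($dir in $Dirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    }
    # A dropped copy may live outside the standard directories, so also take the
    # image path of any running process whose name looks like TeamViewer.
    $paths += Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue |
        Where-Object Path | Select-Object -ExpandProperty Path
    $paths | Sort-Object -Unique
}

function Get-SuspiciousTeamViewerBinaries {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Status is 'Valid' only when both the file hash and the certificate chain
        # check out. 'HashMismatch' is the tell-tale for post-signing modification;
        # 'NotSigned' or 'UnknownError' also deserve a look for a vendor binary.
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

Get-TeamViewerBinaryPaths -Dirs $candidateDirs |
    ForEach-Object { $_ } |
    ForEach-Object -Begin { $all = @() } -Process { $all += $_ } -End {
        Get-SuspiciousTeamViewerBinaries -Paths $all | Format-Table -AutoSize
    }
```

An empty result means only that the TeamViewer components found are intact and signed, not that the host is clean: a copy renamed to something other than TeamViewer*, or one re-signed by the attacker, would not be flagged. Anything that does surface should be hashed and compared against the vendor's detection rather than treated as attribution to Kimsuky on its own.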