New Kimsuky Spyware Module Makes KGH Malware More Powerful and Stealthy to Hack Systems

Researchers report that the new findings show the threat group's spyware capabilities have grown: new Kimsuky modules make the KGH malware stronger and stealthier, as several security teams investigating this APT group have found.

This is a recently detected malware module, found soon after the US government published an advisory regarding a "global intelligence gathering mission" run by North Korean state-sponsored hackers.

However, the malware was first detected by Kaspersky researchers in 2013; its activity has since been described and analyzed by ESTsecurity and by the research team at Cybaze ZLab.

Kimsuky Infrastructure

Kimsuky has been active since 2013 but has recently been updated with new features. The group is known for its complex infrastructure, which uses free-registered domains, compromised domains, and private domains registered by the group itself.

Kimsuky deliberately uses an array of malware in each of its operations. Even so, the infrastructure Kimsuky uses can be tracked by following the patterns in the URI structures used by its tools.

KGH Spyware Suite

Earlier, Cybereason Nocturnus identified a new malware suite named "KGH" that includes several modules working as spyware. Research by AhnLab detected a possible link to North Korean attacks in 2017 that directly refers to the name "KGH"; however, it is still unclear whether it is associated with the same malware authors.

Targets

The targets of this malware are listed below:-

  • Pharmaceutical/Research companies working on COVID-19 vaccines and therapies
  • UN Security Council
  • South Korean Ministry of Unification
  • Various Human Rights Groups
  • South Korean Institute for Defense Analysis
  • Various Education and Academic Organizations
  • Various Think Tanks
  • Government Research Institutes
  • Journalists covering Korean Peninsula relations
  • South Korean Military

KGH Spyware Payloads & Commands

The payloads observed being downloaded and released are listed below:-

  • Drops the KGH backdoor and creates persistence for msic.exe
  • Loads and executes msfltr32.dll
  • KGH backdoor capabilities
  • KGH browser stealer

The KGH backdoor commands are listed below:-

  • upf: uploads files to the C2
  • tre: creates a list of all files on the system using the "tree" command
  • wbi: downloads the "m.dll" browser stealer module and exfiltrates the stolen data
  • cmd: executes a cmd shell command
  • pws: executes a PowerShell command
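The payload chain and command set above give a defender a handful of concrete things to look for on an endpoint: the dropped file names, a module load of msfltr32.dll, persistence pointing at msic.exe, child processes of the backdoor, and cmd.exe being driven to run "tree". The following hunt script is an added example for this page, not code from Cybereason or the article's author. It takes the file names from the article (msic.exe, msfltr32.dll, winload.exe, m.dll); the key="value" log format, the paths, the Run-key persistence location and every log record are constructed for the demonstration.

```python
"""Hunt constructed Sysmon-style log records for the KGH/CSPY artifacts the
article names. Added example; the log format and all records are made up."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# File names taken from the article. Everything else here is constructed.
KGH_FILES = {"msic.exe", "msfltr32.dll", "winload.exe", "m.dll"}

# Constructed records, one per line, as key="value" pairs.
SAMPLE_LOGS = [
    'event="process_create" image="C:\\Windows\\System32\\svchost.exe" parent="C:\\Windows\\System32\\services.exe" cmdline="svchost.exe -k netsvcs"',
    'event="process_create" image="C:\\Users\\alice\\AppData\\Roaming\\msic.exe" parent="C:\\Windows\\explorer.exe" cmdline="msic.exe"',
    'event="image_load" image="C:\\Users\\alice\\AppData\\Roaming\\msic.exe" module="C:\\Users\\alice\\AppData\\Roaming\\msfltr32.dll"',
    'event="registry_set" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\msic" details="C:\\Users\\alice\\AppData\\Roaming\\msic.exe"',
    'event="process_create" image="C:\\Windows\\System32\\cmd.exe" parent="C:\\Users\\alice\\AppData\\Roaming\\msic.exe" cmdline="cmd.exe /c tree C:\\ /f"',
    'event="process_create" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" parent="C:\\Users\\alice\\AppData\\Roaming\\msic.exe" cmdline="powershell -nop -c whoami"',
    'event="process_create" image="C:\\Windows\\System32\\cmd.exe" parent="C:\\Windows\\explorer.exe" cmdline="cmd.exe /c dir"',
]


@dataclass
class Finding:
    rule: str
    detail: str


def parse_record(line: str) -> dict:
    """Turn one constructed key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def base(path: str) -> str:
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(lines):
    """Return one Finding per matched rule per record."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        event = rec.get("event")
        image = base(rec.get("image", ""))
        parent = base(rec.get("parent", ""))

        # A process started from one of the named dropper/backdoor files.
        if event == "process_create" and image in KGH_FILES:
            findings.append(Finding("kgh_process", image))

        # The backdoor DLL being loaded into a process.
        if event == "image_load" and base(rec.get("module", "")) in KGH_FILES:
            findings.append(Finding("kgh_module_load", rec["module"]))

        # The article says the dropper creates persistence for msic.exe; a Run
        # key is one common persistence location and is an assumption here.
        if (event == "registry_set"
                and "\\run\\" in rec.get("key", "").lower()
                and base(rec.get("details", "")) in KGH_FILES):
            findings.append(Finding("kgh_persistence", rec["key"]))

        # The cmd/pws commands surface as children of the backdoor process.
        if event == "process_create" and parent in KGH_FILES:
            findings.append(Finding("kgh_child", f"{parent} -> {image}"))

        # The tre command runs the built-in tree utility; tree is also used
        # legitimately, so this rule is low confidence on its own.
        if (event == "process_create" and image == "cmd.exe"
                and re.search(r"\btree\b", rec.get("cmdline", ""), re.I)):
            findings.append(Finding("tree_recon", rec["cmdline"]))
    return findings


def summarize(lines) -> Counter:
    """Count findings by rule name."""
    return Counter(f.rule for f in hunt(lines))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.rule:16} {f.detail}")
```

Run against the constructed records, the script flags the msic.exe launch, the msfltr32.dll load, the Run-key entry, the two children of msic.exe (cmd.exe and powershell.exe) and the tree invocation, while leaving the benign svchost.exe and "cmd.exe /c dir" records alone. The tree_recon rule is deliberately separate from the others so an analyst can weight it lower; on its own it only says that someone enumerated the file system, which the kgh_child match is what ties to the backdoor.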

Infostealer Module: Stored Information Stolen

The info stealer module steals the following stored information:-

  • Browsers: Chrome, IE / Edge, Firefox, Opera
  • WinSCP Client
  • Windows Credential Manager
  • Mozilla Thunderbird Mail Client

CSPY Downloader

The Nocturnus research team discovered that winload.exe is a new type of downloader, named "CSPY." This downloader contains robust evasion methods meant to ensure that the "coast is clear," that is, that the malware is not running inside a virtual machine or under analysis tools, before it continues to download secondary payloads.

According to the researchers, the attackers have put effort into staying under the radar, employing several anti-forensics and anti-analysis methods; as a result, the researchers are not certain who the victims are, and the scope of this campaign remains unclear.

There is evidence implying that the infrastructure targeted organizations that deal with human rights violations.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.