Kimsuky Hackers Exploiting RDP & MS Office Vulnerabilities in Targeted Attacks

A sophisticated Advanced Persistent Threat (APT) operation named Larva-24005, linked to the notorious Kimsuky threat group, has been discovered actively exploiting critical vulnerabilities in Remote Desktop Protocol (RDP) and Microsoft Office applications to compromise systems across multiple sectors and countries.

The campaign, which began in September 2023, represents a significant evolution in the group’s tactics, techniques, and procedures.

The threat actors primarily leverage two critical vulnerabilities: BlueKeep (CVE-2019-0708), a severe RDP vulnerability that allows remote code execution without authentication, and the Microsoft Office Equation Editor vulnerability (CVE-2017-11882).
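The two vulnerabilities named above both have well-known mitigations a defender can verify on a host before patch status is even confirmed. The following PowerShell audit script is an added example written for this article, not code from ASEC or from the article itself. It assumes, from public Microsoft guidance rather than from this page, that requiring Network Level Authentication on the RDP-Tcp listener blocks unauthenticated BlueKeep exploitation, and that the Equation Editor COM object is disabled when "Compatibility Flags" carries the 0x400 bit under its CLSID {0002CE02-0000-0000-C000-000000000046} (checked in both the native and WOW6432Node hives). It is read-only and changes nothing.

```powershell
# Added example (not from the ASEC report or this article): audit a Windows host for the
# hardening state relevant to CVE-2019-0708 (BlueKeep) and CVE-2017-11882 (Equation Editor).
# Run from an elevated PowerShell prompt. All registry locations below are taken from
# public Microsoft guidance; the script only reads them.

function Test-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    # fDenyTSConnections = 0 means Remote Desktop is enabled.
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before the RDP session is set up.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
    # Is anything actually listening on the default RDP port right now?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Check         = 'RDP / CVE-2019-0708'
        RdpEnabled    = $rdpEnabled
        Listening3389 = $listening
        NlaRequired   = $nla
        Finding       = $(if ($rdpEnabled -and -not $nla) { 'RDP reachable without NLA: confirm the CVE-2019-0708 update is installed and enable NLA' }
                          elseif ($rdpEnabled)           { 'RDP enabled with NLA: pre-auth exploitation blocked; still confirm the update' }
                          else                           { 'RDP disabled on this host' })
    }
}

function Test-EquationEditorExposure {
    $clsid = '{0002CE02-0000-0000-C000-000000000046}'   # Equation Editor 3.0 COM object
    $keys  = @(
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$clsid",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility\$clsid"
    )
    # The 0x400 bit in "Compatibility Flags" kills the COM object (Microsoft's published mitigation).
    $killBitSet = $false
    foreach ($k in $keys) {
        $flags = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band 0x400) -ne 0)) { $killBitSet = $true }
    }
    # The vulnerable binary itself; removed by Microsoft's January 2018 Office updates.
    $binaries = @(
        "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
    ) | Where-Object { $_ -and (Test-Path -Path $_) }

    [pscustomobject]@{
        Check            = 'Office Equation Editor / CVE-2017-11882'
        BinaryPresent    = [bool]$binaries
        BinaryPaths      = $binaries
        KillBitSet       = $killBitSet
        Finding          = $(if ($binaries -and -not $killBitSet) { 'EQNEDT32.EXE present and not disabled: apply Office updates or set the 0x400 kill bit' }
                             elseif ($binaries)                   { 'EQNEDT32.EXE present but COM object disabled' }
                             else                                 { 'Equation Editor binary not found' })
    }
}

Test-RdpExposure | Format-List
Test-EquationEditorExposure | Format-List
```

Both functions return objects rather than text, so the same script can be run across a fleet (for example through `Invoke-Command`) and the results filtered on `Finding` or `NlaRequired` to produce a list of hosts that still need attention.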

After establishing initial access through these exploits, the attackers deploy a sophisticated arsenal of malware including MySpy and RDPWrap to maintain persistent remote access to compromised systems.

The attacks have primarily targeted South Korea’s software, energy, and financial industries, though victims in the United States, China, Japan, Germany, Singapore, and several other countries have also been identified.

The campaign represents a concerning expansion of Kimsuky’s operational reach and capabilities, demonstrating their continued development of custom malware and exploitation techniques.

ASEC analysts identified multiple specialized tools deployed by Larva-24005 during their investigation, including two variants of RDP vulnerability scanners, custom droppers, and keyloggers designed to exfiltrate sensitive information.

The researchers noted that while several RDP scanning tools were discovered on infected systems, not all appeared to have been actively deployed in attacks.

The infection chain begins with exploiting either the RDP or Office vulnerabilities, after which the threat actors deploy a dropper that installs MySpy malware and RDPWrap.

System settings are then modified to enable persistent RDP access, creating a stable backdoor. In the final stage, keyloggers named KimaLogger or RandomQuery are deployed to capture user inputs.

Technical Analysis of Infection Mechanism

The initial access vector varies depending on the target. For RDP-based attacks, the group uses specialized scanning tools to identify vulnerable systems.

Attack Method (Source – ASEC)

The RDP scanner exists in both command-line and graphical interface variants, with the GUI version providing extensive scanning capabilities including IP range specification, connection timeout settings, and multi-threading options to maximize scanning efficiency.

After successful exploitation, the dropper creates and executes both the MySpy information-gathering malware and RDPWrap components.

MySpy collects system information while RDPWrap manipulates Windows system settings to enable remote connections, even on systems where such functionality would normally be restricted.

The attackers maintain persistence through registry modifications under the Windows shell startup key, ensuring their toolset remains active across system reboots.
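The post-exploitation chain described above (RDPWrap re-enabling remote connections, settings changed for persistent RDP access, and startup-key persistence) leaves artifacts a responder can look for. The following triage script is an added example written for this article, not code from ASEC or from the article. Its assumptions are labelled in the comments: the article's "Windows shell startup key" is interpreted here as the Winlogon Shell and Userinit values together with the Run/RunOnce keys; the RDPWrap footprint (an rdpwrap.dll/rdpwrap.ini pair and a TermService ServiceDll that no longer points at termsrv.dll) is the open-source project's known behaviour, not something this page states; and no Larva-24005 file names or hashes are asserted because the article gives none.

```powershell
# Added example (not from the ASEC report or this article): read-only triage for the
# persistence and RDP-enablement artifacts described in the text. Run elevated.

function Get-ShellStartupEntries {
    # ASSUMPTION: "Windows shell startup key" is read as Winlogon Shell/Userinit plus Run/RunOnce.
    $findings = @()
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon
    # Clean baseline: Shell is explorer.exe, Userinit is <SystemRoot>\system32\userinit.exe,
    $userinitDefault = [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?$'
    if ($wl.Shell -ne 'explorer.exe') {
        $findings += [pscustomobject]@{ Location = "$winlogon\Shell"; Value = $wl.Shell }
    }
    if ($wl.Userinit -notmatch "^$userinitDefault") {
        $findings += [pscustomobject]@{ Location = "$winlogon\Userinit"; Value = $wl.Userinit }
    }
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
            $findings += [pscustomobject]@{ Location = "$k\$($p.Name)"; Value = $p.Value }
        }
    }
    $findings
}

function Test-RdpWrapArtifacts {
    # ASSUMPTION: RDPWrap's footprint as documented by the open-source project, not by this page.
    $svcDll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' `
                -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $wrapFiles = @(
        'C:\Program Files\RDP Wrapper\rdpwrap.dll',
        'C:\Program Files\RDP Wrapper\rdpwrap.ini',
        "$env:SystemRoot\System32\rdpwrap.dll"
    ) | Where-Object { Test-Path -Path $_ }

    [pscustomobject]@{
        TermServiceDll      = $svcDll
        TermServiceHijacked = [bool]($svcDll -and ($svcDll -notmatch 'termsrv\.dll$'))
        RdpWrapFiles        = $wrapFiles
        RdpEnabled          = ($ts.fDenyTSConnections -eq 0)
        MultiSessionAllowed = ($ts.fSingleSessionPerUser -eq 0)   # RDPWrap commonly sets this
    }
}

function Get-RecentRdpLogons([int]$Days = 7) {
    # Security 4624 with LogonType 10 (RemoteInteractive) = successful RDP logon.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
                Source = $_.Properties[18].Value
            }
        }
}

'--- Startup entries (review each one) ---'
Get-ShellStartupEntries | Format-Table -AutoSize
'--- RDPWrap / RDP enablement ---'
Test-RdpWrapArtifacts | Format-List
'--- RDP logons, last 7 days ---'
Get-RecentRdpLogons | Format-Table -AutoSize
```

A non-default `TermServiceDll`, any file in `RdpWrapFiles`, or `RdpEnabled` being true on a host where Remote Desktop is not supposed to be on are the signals worth escalating; the Run-key listing is deliberately unfiltered because the article names no specific paths, so it should be compared against a known-good baseline for the same build.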

Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers Cyber Security News, technology and other news.