The campaign was first spotted by Kaspersky Lab in April 2013, with the first associated malware found in May. It uses unsophisticated spyware that communicates via a public e-mail server; and was nearly ignored. "This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored," notes Kaspersky's Dmitry Tarakanov in a blog published yesterday.
But two things made the researcher take a closer look: the mail server is in Bulgaria, while the compilation path string contains Korean hieroglyphs; that is, "Korean compilers alongside Bulgarian e-mail command-and-control communications."
What he found was the early stages of an unsophisticated but extensive and highly targeted campaign. While it is difficult to define origins with absolute certainty, this is almost certainly a North Korean campaign targeted specifically at South Korean institutions.
'Clues' include the targets themselves -- such as the Korea Institute For Defense Analyses (KIDA), the Ministry of Unification, and The Sejong Institute. The two 'master' email accounts that control the campaign are registered by kimsukyang and 'Kim asdfa;' and their ten located IP addresses are all registered in the two Chinese provinces adjacent to North Korea. "No other IP-addresses have been uncovered that would point to the attackers’ activity and belong to other IP-ranges," says Tarakanov. "Interestingly, the ISPs providing internet access in these provinces are also believed to maintain lines into North Korea."
None of this is proof. But there is more circumstantial evidence. "At system startup" he reports, "the basic library disables the system firewall and any AhnLab firewall." AhnLab is a major South Korean security firm. "During our [earlier] Winnti research, we learnt that one of the Korean victims was severely criticized by South Korean regulators for using foreign security products. We do not know for sure how this criticism affected other South Korean organizations, but we do know that many South Korean organizations install AhnLab security products. Accordingly, these attackers don’t even bother evading foreign vendors’ products, because their targets are solely South Korean."
And finally, there is the activity of the malware itself. "Any opened .HWP document," says Tarakanov, "is read and sent as an e-mail attachment with the subject “Hwp” to the attackers." HWP is a file format similar to Microsoft Word but part of the Hancom Office suite that is widely used in South Korea.
The cumulative effect of all of these pointers suggests, but doesn't actually prove, that Kimsuky is a new malware campaign originating in North Korea and specifically targeting South Korea.