North Korean Malware Helps Hackers Target #COVID19 Vaccines

Security researchers have discovered new North Korean malware being used to drive information-stealing attacks against COVID-19 vaccine makers and other targets.

Cybereason Nocturnus said it had been able to track new attack infrastructure linked to the prolific Kimsuky group via BabyShark and AppleSeed malware previously attributed to it.

The new domains created as part of this push were all registered to the same IP address responsible for BabyShark attacks, the vendor said.

Whilst investigating, it uncovered a new malware suite dubbed “KGH” spread via weaponized Word documents in phishing emails and containing multiple spyware modules. Recipients are encouraged to open the attachment, which purports to contain either an interview with a North Korean defector or a letter addressed to former Japanese Prime Minister, Shinzo Abe.

KGH’s infostealer module, which remained undetected by AV tools at the time of writing, harvests data from browsers, Windows Credential Manager, WinSCP and mail clients.

Separately, Cybereason detected a new downloader, “CSPY,” which it said “is packed with robust evasion techniques meant to ensure that the ‘coast is clear’ and that the malware does not run in a context of a virtual machine or analysis tools before it continues to download secondary payloads.”

After payloads are downloaded they are removed and renamed. The main payload masquerades as a legitimate Windows service and exploits a known UAC bypass technique using the SilentCleanup task to execute the binary with elevated privileges.

Cybereason uncovered additional efforts designed to confound white hat researchers, including the manipulation of timestamps and file compilation data to thwart forensics. In this case, most files were falsely backdated to 2016.
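A defender-side triage check for the backdating described above, as an added example that is not Cybereason's code: it reads the compile timestamp from a PE header and compares it, along with the file's creation time, against the date the file was first observed in telemetry. The function names, the one-year slack and the sample header are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(image: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)  # offset of the PE signature
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def backdating_findings(image, fs_created, first_seen, slack=timedelta(days=365)):
    """List timestamps that claim the file existed long before it was first observed.

    first_seen is the earliest sighting in telemetry (assumed to be trusted).
    An old compile time alone is normal for old software, so treat each
    finding as a triage signal to corroborate, not as proof of tampering.
    """
    findings = []
    for label, value in (("PE compile time", pe_compile_time(image)),
                         ("file creation time", fs_created)):
        gap = first_seen - value
        if gap > slack:
            findings.append(f"{label} {value:%Y-%m-%d} is {gap.days} days before first sighting")
    return findings

def build_sample_header(compiled: datetime) -> bytes:
    """Constructed 88-byte MZ/PE header carrying the given compile time (not a real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHI", 0x8664, 1, int(compiled.timestamp())) + bytes(12)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed scenario: header and creation time say 2016, telemetry says late 2020.
FIRST_SEEN = datetime(2020, 10, 15, tzinfo=timezone.utc)
BACKDATED = build_sample_header(datetime(2016, 3, 1, tzinfo=timezone.utc))
CREATED = datetime(2016, 3, 2, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in backdating_findings(BACKDATED, CREATED, FIRST_SEEN):
        print(line)
```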

Alongside COVID-19 vaccine makers, the group has apparently targeted the UN Security Council, South Korean government, research institutes, think tanks, journalists and the military.
