Cybereason Uncovers North Korean Malware Targeting Government Agencies

Researchers from the Israeli cybersecurity Cybereason announced earlier this week that their Nocturnus team has identified a newly discovered modular spyware suite called KGH_SPY and a new malware strain called CSPY Downloader. The researchers claim the spyware is being employed in attacks by cyber espionage group Kimsuky, which is believed to be operating on behalf of the North Korean regime.

The group has targeted “a wide array of victims” that include public and private sector companies in the US, Europe, Japan, South Korea, and Russia, the announcement said. Organizations that were targeted include government and defense organizations, journalists, human rights groups, and pharmaceutical and research companies working on COVID-19 therapies.

The researchers discovered that KGH_SPY is a modular suite of tools that provides the threat actors with reconnaissance, keylogging, information stealing, and backdoor capabilities and that CSPY Downloader is designed to evade analysis and download additional payloads.

Kimsuky, also known as Velvet Chollima, Black Banshee and Thallium, has been active since 2012 and is known for complex infrastructure that use free-registered domains, compromised domains, and private domains registered by the group.

Cybereason’s Nocturnus Team also observed operational infrastructure that overlaps with BabyShark malware that was used in the past to target US-based think tanks and has connections to malware such as the AppleSeed backdoor.

“Kimsuky has a rich and notorious history dating back to 2012 of targeting South Korea, but over the past few years, they have expanded their global reach. Our newest discovery shows Kimsuky carrying out targeted cyber espionage campaigns against an array of victims including governments, research institutes, and human rights groups,” said Assaf Dahan, senior director and head of threat research at Cybereason. “Since the new malware is quite new, the true scope of the threat it poses is unknown, but given Kimsuky’s track record this spyware is likely to be of serious concern to both public and private sector organizations.”

Founded in 2012, Cybereason is a champion for today’s cyber defenders providing future-ready attack protection that unifies security from the endpoint, to the enterprise.

The company is headquartered in Boston, USA, but has offices in Tel Aviv, London, and Tokyo.