Russian security firm Kaspersky Lab has revealed that it has been following a sustained attack on South Korea by hackers seemingly based in North Korea.

This new cyber espionage campaign, dubbed Kimsuky, has targeted several South Korean think tanks and used multiple drop box e-mail accounts.

Researchers believe the Kimsuky malware is most likely delivered via spear-phishing e-mails.

"It's interesting that the drop box mail accounts iop110112@hotmail.com and rsh1213@hotmail.com are registered with the following 'kim' names: kimsukyang and 'Kim asdfa'."

The Kaspersky researchers revealed that the operation presents distinctive characteristics in its execution and logistics. The investigation started after the team of experts detected an unsophisticated spy program that communicated with its control server via a public e-mail server, an approach commonly seen in amateur malware.

Victims download a Trojan dropper, which is used to download additional malware capable of the following espionage functions: keystroke logging, directory listing collection, remote control access and HWP document theft.

The "rsh" part of the address, by all appearances, is a shortening of "Remote Shell", and the Korean words can be translated into English as "attack" and "completion", i.e.:

The espionage campaign appears to have originated in North Korea. The researchers identified 10 IP addresses indicating that the attackers used networks in China's Jilin and Liaoning provinces, which border North Korea.

The attackers were interested in 11 organizations based in South Korea and two entities in China, including the Sejong Institute, the Korea Institute for Defense Analyses (KIDA), South Korea's Ministry of Unification, Hyundai Merchant Marine and the Supporters of Korean Unification.

At system startup, the basic library disables the system firewall and any firewall produced by the South Korean security product vendor AhnLab. The malware does not include a custom back door; instead the attackers modified a TeamViewer client to serve as a remote control module.

Bot agents communicate with the C&C through the Bulgarian web-based free e-mail server (mail.bg), using hard-coded credentials for the e-mail account. After authenticating, the malware sends e-mails to another specified e-mail address and reads e-mails from the Inbox.
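The behaviours described above (firewall switched off at startup, the AhnLab product disabled, and a free webmail server used as the command-and-control channel) are all visible in ordinary endpoint telemetry. The following detector is an added example, not Kaspersky's code or anything from the report: it runs a few simple rules over constructed sample log lines and flags a host that shows both defence evasion and mail-protocol traffic to mail.bg from a process that is not a mail client. The log format, host names, process names, the `netsh advfirewall` command form and the AhnLab service name are all assumptions made for the example.

```python
"""Toy detector for the Kimsuky-style behaviours described in the article.

Rules:
  1. host firewall switched off (firewall_disabled)
  2. an AhnLab service being stopped (av_disabled)
  3. a non-mail-client process using mail protocols against a free
     webmail host such as mail.bg (webmail_c2)
Log format and every sample event below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed endpoint telemetry: "timestamp|host|event|process|detail"
SAMPLE_LOG = """\
2013-09-11T08:00:01|WS-KIDA-07|process_start|netsh.exe|advfirewall set allprofiles state off
2013-09-11T08:00:02|WS-KIDA-07|service_stop|services.exe|AhnLab V3 (constructed service name)
2013-09-11T08:00:05|WS-KIDA-07|net_connect|svchost.exe|mail.bg:110
2013-09-11T08:00:06|WS-KIDA-07|net_connect|svchost.exe|mail.bg:25
2013-09-11T09:15:00|WS-SEJONG-02|net_connect|outlook.exe|smtp.corp.example:25
2013-09-11T09:16:00|WS-SEJONG-02|process_start|winword.exe|report.docx
2013-09-11T10:00:00|WS-KIDA-07|net_connect|svchost.exe|mail.bg:110
"""

# One possible command form for disabling the Windows firewall (assumption).
FIREWALL_OFF = re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off", re.I)
AV_VENDOR = re.compile(r"ahnlab", re.I)
WEBMAIL_HOSTS = {"mail.bg"}          # named in the report; extend as needed
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # hypothetical allow-list


def parse_line(line):
    """Split one pipe-delimited telemetry line into a dict."""
    ts, host, event, proc, detail = line.split("|", 4)
    return {"ts": ts, "host": host, "event": event,
            "proc": proc.lower(), "detail": detail}


def classify(ev):
    """Return the indicator name an event matches, or None."""
    if ev["event"] == "process_start" and FIREWALL_OFF.search(ev["detail"]):
        return "firewall_disabled"
    if ev["event"] == "service_stop" and AV_VENDOR.search(ev["detail"]):
        return "av_disabled"
    if ev["event"] == "net_connect":
        hostname, _, port = ev["detail"].rpartition(":")
        if (hostname in WEBMAIL_HOSTS and port.isdigit()
                and int(port) in MAIL_PORTS and ev["proc"] not in MAIL_CLIENTS):
            return "webmail_c2"
    return None


def analyse(log_text):
    """Map each host to the sorted list of indicators seen on it."""
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        indicator = classify(ev)
        if indicator:
            per_host[ev["host"]].add(indicator)
    return {host: sorted(inds) for host, inds in per_host.items()}


def suspicious_hosts(log_text):
    """Hosts that combine e-mail C2 with at least one defence-evasion indicator."""
    evasion = {"firewall_disabled", "av_disabled"}
    return [host for host, inds in analyse(log_text).items()
            if "webmail_c2" in inds and evasion & set(inds)]


if __name__ == "__main__":
    for host, inds in analyse(SAMPLE_LOG).items():
        print(host, inds)
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

Requiring the mail-protocol rule to co-occur with a defence-evasion rule keeps a single webmail login from a workstation from paging anyone; in a real deployment the host allow-list and the set of free mail providers would come from the organisation's own baseline rather than the two constants above.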