Security researchers have flagged a fresh destructive battle related to the North Korean state-sponsored risk actor known as that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to get first access.
The activity has been named Larva-24005 by the AhnLab Security Intelligence Center ( ASEC ).
” In some systems, initial access was gained through exploiting the RDP vulnerability ( BlueKeep, CVE-2019-0708 ),” the South Korean cybersecurity company . ” While an RDP risk scanner was found in the affected system, there is no evidence of its actual use. “
( CVSS score: 9. 8 ) is a in Remote Desktop Services that could help rural code execution, allowing unauthenticated attackers to install random programs, access data, and even create new records with full user right.
Nevertheless, in order for an adversary to utilize the weakness, they would need to take a specially crafted demand to the specific system Remote Desktop Service via RDP. It was patched by Microsoft in May 2019.
Another initial access vector adopted by the threat actor is the use of embedding files that trigger another known Equation Editor vulnerability ( , CVSS score: 7. 8 ).
Once access is gained, the attackers continue to utilize a drop to install a malware stress dubbed MySpy and a RDPWrap application referred to as RDPWrap, in addition to changing system settings to allow RDP access. MySpy is designed to collect system information.
The attack culminates in the deployment of keyloggers like KimaLogger and to capture keystrokes.
The campaign is assessed to have been sent to victims in South Korea and Japan, mainly software, energy, and financial sectors in the former since October 2023. Some of the other countries targeted by the group include the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.