Delaware, USA – March 4, 2020 – A North Korean APT group is conducting a cyber-espionage campaign using malware implants that were updated after their recent public analysis. The Kimsuky APT group has been active since at least September 2013, targeting South Korean think tanks as well as DPRK- and nuclear-related targets. Cybaze-Yoroi ZLab analyzed a sample discovered on February 28 and compared the tools used in the ongoing campaign with the dropper described in recent research by the security firm ESTsecurity.
“Unlike other APT groups using long and complex infection chains, the Kimsuky group leverages a shorter attack chain, but at the same time, we believe it is very effective in achieving a low detection rate. The infection starts with a classic executable file with the “scr” extension, an extension used by Windows to identify Screensaver artifacts. In the following table some information about the sample is reported,” researchers said. “Upon execution, the malware writes a file named “
You can also explore the MITRE ATT&CK section to learn more about the techniques used by the group and find relevant content to detect them: https://tdm.socprime.com/att-ck/