The North Korean state-sponsored group Kimsuky has been observed leveraging a critical vulnerability in Microsoft Remote Desktop Services to gain unauthorized access to targeted systems.
According to a report from the AhnLab Security Intelligence Center (ASEC), the campaign, dubbed ‘Larva-24005,’ involves the exploitation of CVE-2019-0708, a high-severity flaw commonly referred to as BlueKeep, which Microsoft patched in May 2019. The vulnerability enables remote code execution and was previously flagged as “wormable,” meaning it can self-propagate between vulnerable systems.
In addition to the BlueKeep exploit, Kimsuky is also using phishing emails to deliver payloads that exploit another known vulnerability, CVE-2017-11882, a remote code execution issue in Microsoft Office's Equation Editor. The vulnerability allows attackers to execute arbitrary code by luring victims into opening specially crafted documents.
Once inside a network, the attackers deploy a multi-stage malware toolkit, which includes a surveillance tool called ‘MySpy’ that gathers system data, the RDPWrap utility that enables multiple remote desktop sessions, as well as the KimaLogger and RandomQuery keyloggers. The threat actor also modifies system settings to enable RDP access, ensuring long-term persistence and potential lateral movement within networks.
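The report does not spell out which settings the actor changes, but two of the behaviours it names (turning on RDP and installing RDPWrap) leave host-level traces a defender can audit. The following PowerShell script is an added example, not code from ASEC or from the campaign; it assumes standard Windows registry locations and RDPWrap's default install path, and should be run elevated.

```powershell
# Added defensive audit: flags host settings consistent with the RDP-enablement and
# RDPWrap behaviour described above. Returns a list of findings (empty means clean).
function Invoke-RdpExposureAudit {
    $findings = @()
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # 1. Is Remote Desktop accepting connections? fDenyTSConnections = 0 means enabled.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections = 0)' }

    # 2. Is Network Level Authentication required? Without NLA, unauthenticated clients reach the
    #    pre-authentication code path where BlueKeep (CVE-2019-0708) is triggered.
    $nla = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) { $findings += 'NLA not required on RDP-Tcp (UserAuthentication <> 1)' }

    # 3. RDPWrap works by pointing the TermService host DLL away from the genuine termsrv.dll.
    $svcDll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($svcDll -and $svcDll -notmatch '\\System32\\termsrv\.dll$') {
        $findings += "TermService ServiceDll redirected: $svcDll"
    }

    # 4. Default RDPWrap install location (assumption: attackers may use another path).
    $wrapPath = Join-Path $env:ProgramFiles 'RDP Wrapper\rdpwrap.dll'
    if (Test-Path $wrapPath) { $findings += "RDPWrap binary present: $wrapPath" }

    return $findings
}

$result = Invoke-RdpExposureAudit
if ($result.Count -eq 0) { Write-Output 'No RDP exposure indicators found.' }
else { $result | ForEach-Object { Write-Output "[!] $_" } }
```

Findings 1 and 2 are legitimate on hosts that intentionally serve RDP; the point is to compare against your baseline, and to treat finding 3 or 4 on a workstation as worth an incident ticket.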
The campaign has been ongoing since October 2023, with a primary focus on South Korean and Japanese organizations in the software, energy, and financial sectors. Additional targets were also observed in the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.