APT Kimusky group changes strategy: malware spread via LNK

The cybercriminal group known as Kimuskyconsidered close to North Koreais proposing new diffusion tactics malwareworrying security experts quite a bit.

The collective has been active since 2013 and is known to frequently target infrastructure, companies and entities related to South Korea. Despite this, since 2017, hackers have increasingly shown interest in other countries too.

As a rule, Kimusky was a group that used documents, often file formats of Microsoft Office, to spread their malicious agents. In the last period, however, the experts ofASEC they noticed a clear change of direction, with the adoption of Malicious LNK files.

Malicious LNK files and “custom” malware: here are Kimusky’s new strategies

The group in question works mainly with attacks spear phishingwith purposes more related to espionage than to obtain monetary gain from their activities. The main vector, apparently, always remains the same, that is email attachmentsit directly malicious links included in the text of the message itself.

Kimusky’s modus operandi is quite simple, after infecting the device, it acts by installing malware that allows remote control. Depending on the case, cybercriminals opt for specific malicious agents, such as AppleSeed o PebbleDash or other open source malware like XRat, HVNC, RftRAT o Ready. The latter are very often specifically modified to be more functional with respect to a specific objective.

Note how hackers often exploit the remote desktop protocols (RDP) or install Chrome Remote Desktop by Google to exfiltrate information from compromised systems. More recently, the use of has been identified in some operations AutoIt, a new scripting language. This latest behavior demonstrates, if any were needed, how Kimusky cybercriminals are continually looking for new strategies for their criminal activities.


Please enter your comment!
Please enter your name here