Kimsuky Exploits BlueKeep Vulnerability to Target Systems in South Korea and Japan, Focusing on Software, Energy, and Financial Industries

Wednesday, April 23, 2025

Cybersecurity researchers from AhnLab Security Intelligence Center (ASEC) in South Korea have detected a new cyberattack campaign linked to Kimsuky, a North Korean threat actor. The group is exploiting the BlueKeep vulnerability (CVE-2019-0708) in Microsoft Remote Desktop Services (RDP) to breach systems in South Korea and Japan. This campaign, dubbed Larva-24005, leverages the wormable BlueKeep vulnerability, which has a CVSS score of 9.8 and allows unauthenticated Remote Code Execution (RCE) via specially crafted RDP requests. Although Microsoft released a patch in May 2019, unpatched systems remain exposed and are actively being exploited. As a second initial-access vector, the attackers also send phishing emails with malicious attachments that exploit CVE-2017-11882 in Microsoft Equation Editor.

After initial access, Kimsuky deploys a dropper to install the MySpy malware and uses RDPWrap to enable remote RDP access. They also modify system settings to facilitate external control. MySpy gathers system information from the target, after which the attackers install keyloggers such as KimaLogger and RandomQuery to capture keystrokes and user activity on the compromised machines.
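The exposure and foothold indicators described in the two paragraphs above (a host still unpatched for BlueKeep, RDP switched on outside the baseline, RDPWrap repointing the TermService service DLL) can be triaged from an existing host inventory. The following Python is an added defender-side example, not code from ASEC or the article; the snapshot keys, the sample hosts and the RDP Wrapper file path are constructed assumptions.

```python
"""Triage host snapshots for the Larva-24005 footholds: still exposed to CVE-2019-0708,
RDP enabled outside the baseline, and RDP Wrapper (RDPWrap) hijacking the TermService
service DLL. The snapshot schema is an assumption mimicking an EDR/asset export."""

# Windows versions affected by CVE-2019-0708; Windows 8 and later were never affected.
BLUEKEEP_AFFECTED = {"Windows XP", "Windows Server 2003", "Windows 7",
                     "Windows Server 2008", "Windows Server 2008 R2"}
# Microsoft's May 2019 fixes for CVE-2019-0708 (security-only and monthly rollups);
# cross-check against the Microsoft advisory for the exact builds in your estate.
BLUEKEEP_FIXES = {"KB4499175", "KB4499164", "KB4499180", "KB4499149", "KB4500331"}


def is_stock_termsrv(service_dll: str) -> bool:
    """True if TermService still points at the built-in termsrv.dll (RDPWrap swaps in rdpwrap.dll)."""
    return service_dll.lower().replace("/", "\\").endswith("\\system32\\termsrv.dll")


def triage(host: dict) -> list:
    """Return the findings for one host snapshot; an empty list means nothing suspicious."""
    findings = []
    if host["os"] in BLUEKEEP_AFFECTED and not set(host.get("installed_kbs", [])) & BLUEKEEP_FIXES:
        findings.append("unpatched for CVE-2019-0708 (BlueKeep)")
        if host.get("rdp_internet_exposed"):
            findings.append("BlueKeep-vulnerable host reachable on TCP/3389 from the internet")
    # fDenyTSConnections = 0 enables RDP; flag it where the asset baseline says RDP should be off.
    if host.get("fDenyTSConnections") == 0 and not host.get("rdp_expected", False):
        findings.append("RDP enabled outside baseline (fDenyTSConnections=0)")
    service_dll = host.get("termservice_servicedll", r"%SystemRoot%\System32\termsrv.dll")
    if not is_stock_termsrv(service_dll):
        findings.append(f"TermService ServiceDll hijacked: {service_dll}")
    if any(p.lower().endswith(("rdpwrap.dll", "rdpwrap.ini")) for p in host.get("files", [])):
        findings.append("RDP Wrapper artifacts on disk")
    return findings


# Constructed sample snapshots (not real hosts); the KB placeholder is deliberately unrelated.
RDPWRAP_DLL = r"C:\Program Files\RDP Wrapper\rdpwrap.dll"
SAMPLE_HOSTS = [
    {"host": "fileserver-07", "os": "Windows 7", "installed_kbs": ["KB-UNRELATED-PLACEHOLDER"],
     "fDenyTSConnections": 0, "rdp_expected": False, "rdp_internet_exposed": True,
     "termservice_servicedll": RDPWRAP_DLL, "files": [RDPWRAP_DLL]},
    {"host": "jump-2008r2", "os": "Windows Server 2008 R2", "installed_kbs": ["KB4499175"],
     "fDenyTSConnections": 0, "rdp_expected": True, "files": []},
    {"host": "desk-win10", "os": "Windows 10", "installed_kbs": [],
     "fDenyTSConnections": 0, "rdp_expected": False, "files": []},
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        for finding in triage(h):
            print(f"{h['host']}: {finding}")
```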

This campaign has been active since October 2023, primarily targeting organizations in South Korea’s software, energy, and financial sectors. Victims have also been identified globally, including in the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland. These findings highlight Kimsuky’s aggressive posture, high capability, and ongoing efforts to expand its operations on a global scale.

Source: https://thehackernews.com/2025/04/kimsuky-exploits-bluekeep-rdp.html