April 21, 2025
Severity
High
Analysis Summary
The Larva-24005 campaign, attributed to the North Korea-linked Kimsuky APT group, marks a notable escalation in the group's operations and has been active since September 2023. The group targets two long-patched but still widely exposed vulnerabilities: BlueKeep (CVE-2019-0708), a pre-authentication remote code execution flaw in Remote Desktop Protocol (RDP) that requires no user interaction, and the Microsoft Office Equation Editor flaw (CVE-2017-11882), which executes attacker-controlled code when a victim opens a crafted document. Both give the attackers code execution on the target without valid credentials. Victims of this campaign span multiple sectors, including software, energy, and finance, with a primary focus on South Korea, although infections have also been observed in the U.S., China, Japan, Germany, Singapore, and beyond.
Once access is obtained through either the RDP or the Microsoft Office vector, the attackers deploy a custom dropper that installs two core components: MySpy and RDPWrap. MySpy gathers detailed system information, while RDPWrap, an open-source wrapper library, patches the Terminal Services configuration so that RDP sessions are accepted on hosts where Windows would otherwise refuse or limit them. Together these give the attackers persistent remote control of the infected machines for extended periods while avoiding detection.
According to the researchers who documented the campaign (AhnLab ASEC), it uses a broad tool set, including two distinct RDP vulnerability scanners (CLI and GUI-based), customized droppers, and keyloggers. The GUI version of the scanner offers rich functionality, such as IP range scanning, timeout customization, and multi-threading, to speed up the discovery of vulnerable targets. Although several RDP scanning tools were present on infected systems, not all were actively used, suggesting a modular toolkit tailored to specific attack scenarios.
Persistence is achieved via registry modifications under the Windows shell startup keys, ensuring the malware runs again at every logon. In the final phase of the infection chain, keyloggers such as KimaLogger or RandomQuery are deployed to capture keystrokes and other sensitive input. This attack framework showcases Kimsuky's evolving tradecraft: exploit-driven initial access (including a pre-authentication RDP flaw), custom tool development, and low-profile persistence techniques, used to expand the group's operational footprint globally.
Impact
- Unauthorized Access
- Code Execution
- Security Bypass
Indicators of Compromise
CVE
- CVE-2019-0708
- CVE-2017-11882
Domain Name
- star7.kro.kr
MD5
1177fecd07e3ad608c745c81225e4544
184a4f3f00ca40d10790270a20019bb4
30bcac6815ba2375bef3daf22ff28698
SHA-256
11488a6e3c0206e8137b864230ad7d8cd4536bb2835042feb53750712bb247b3
68c648a75976911609713dfa33957bf4399cc074b986ec88c85d0ec15e75d640
7b0da9f8bc017d52cf43cbceae2d2ba74504095407404027d7e7d6deda952d5e
SHA1
0583f839fde92f90df4835e32a4cd7f9a1930667
535df397e3991283affd1a061eb7754e54b4c8e3
a87b57d00eec4953a61d20d4d4e67edcf8fb5699
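The following PowerShell script is an added example, not tooling from the advisory or from the researchers, that hunts a single host for the artifacts described in the Analysis Summary: the RDPWrap redirection of the Terminal Services DLL, Run-key and Winlogon Shell persistence, startup-folder binaries matching the SHA-256 IOCs above, and a resolver-cache entry for the listed domain. The file names and registry locations for RDPWrap and the startup keys are assumptions based on how RDP Wrapper is normally installed; the hashes and domain are the advisory's own indicators. Run it in an elevated session.

```powershell
# Added example (not from the advisory or the researchers' tooling): host-side hunt for the
# Larva-24005 artifacts described above. RDPWrap file names and the startup keys checked are
# assumptions about a typical install; the hashes and domain are the advisory's own IOCs.
# Run in an elevated PowerShell 5.1+ session.

$IocSha256 = @(
    '11488a6e3c0206e8137b864230ad7d8cd4536bb2835042feb53750712bb247b3',
    '68c648a75976911609713dfa33957bf4399cc074b986ec88c85d0ec15e75d640',
    '7b0da9f8bc017d52cf43cbceae2d2ba74504095407404027d7e7d6deda952d5e'
)
$IocDomain = 'star7.kro.kr'

# Pull the executable path out of a Run-key value such as  "C:\x\y.exe" /silent  or  C:\x\y.exe
function Get-CommandPath([string]$Command) {
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return ($c -split '"')[1] }
    return ($c -split '\s+')[0]
}

function Invoke-Larva24005Hunt {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. RDPWrap works by redirecting the Terminal Services ServiceDll from termsrv.dll to rdpwrap.dll.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
    if ($p -and $p.ServiceDll -notmatch '\\termsrv\.dll$') {
        $findings.Add("TermService ServiceDll is '$($p.ServiceDll)' (expected ...\termsrv.dll)")
    }
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)) {
        if (-not $root) { continue }
        Get-ChildItem -Path $root -Recurse -Include 'rdpwrap.dll','rdpwrap.ini','RDPConf.exe' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("RDPWrap file on disk: $($_.FullName)") }
    }

    # 2. Registry startup entries: Run/RunOnce keys and the Winlogon Shell value.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $prop.Value))
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            # Entries launched from user-writable locations deserve a look even without a hash hit.
            if ($exe -match '\\(AppData|Temp|ProgramData|Public|Downloads)\\') {
                $findings.Add("Startup entry '$($prop.Name)' in $key runs from a user-writable path: $exe")
            }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $h = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
                if ($IocSha256 -contains $h) { $findings.Add("IOC hash match: $exe ($h) via $key\$($prop.Name)") }
            }
        }
    }
    $shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell is '$shell' (expected explorer.exe)") }

    # 3. Startup folders: hash every file and compare against the IOC list.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($IocSha256 -contains $h) { $findings.Add("IOC hash match in startup folder: $($_.FullName)") }
        }
    }

    # 4. Resolver cache: a cached record for the domain means something on this host looked it up recently.
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$IocDomain*" } |
        ForEach-Object { $findings.Add("DNS cache entry for IOC domain: $($_.Entry) -> $($_.Data)") }

    return $findings
}

$result = Invoke-Larva24005Hunt
if ($result.Count -eq 0) { 'No Larva-24005 indicators found on this host.' } else { $result }
```

The ServiceDll check is the most durable of the four: RDPWrap binaries can be renamed, but the wrapper cannot function without pointing TermService at its own DLL. A clean host reports a ServiceDll ending in termsrv.dll and no findings; anything else is worth pulling into an incident for triage, and the hash list should be extended with whatever your own EDR attributes to MySpy, KimaLogger and RandomQuery.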
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately apply security patches for CVE-2019-0708 (BlueKeep) and CVE-2017-11882 (Microsoft Office Equation Editor).
- Ensure all systems are regularly updated with the latest Microsoft security updates.
- Disable Remote Desktop Protocol (RDP) on systems where it is not explicitly required.
- Block RDP (TCP and UDP 3389) at the network perimeter using firewalls or access control lists.
- Restrict RDP access to specific IP addresses using VPNs or network segmentation, and require Network Level Authentication (NLA) on any host that must keep RDP enabled; NLA forces authentication before the BlueKeep condition can be reached.
- Implement multi-factor authentication (MFA) for all remote access services.
- Deploy reputable endpoint detection and response (EDR) solutions to monitor and block malware like MySpy and keyloggers such as KimaLogger.
- Use intrusion detection/prevention systems (IDS/IPS) to detect unusual RDP activity or exploitation attempts.
- Regularly audit registry keys (especially Run/RunOnce and other shell startup locations) for unauthorized modifications, and verify that the TermService ServiceDll has not been redirected away from termsrv.dll, which is how RDPWrap hooks the RDP service.
- Use behavioral analysis tools to detect persistence mechanisms and abnormal startup entries.
- Develop and practice an incident response plan specific to remote access exploitation.
- Isolate and investigate compromised systems immediately to prevent lateral movement.
- Educate staff about phishing, malicious documents, and remote access risks.
- Encourage users to report suspicious documents or unexpected remote login prompts.
- Disable or limit Office macro execution through group policies or configuration settings.
- Use Protected View, and block macros from the internet where possible. Note that CVE-2017-11882 is triggered by the embedded Equation Editor OLE object, not by a macro, so macro controls alone do not mitigate it; the November 2017 patch, or the later Office updates that removed Equation Editor entirely, do.
- Monitor threat feeds and security advisories related to Kimsuky and similar APTs.
- Proactively hunt for Indicators of Compromise (IOCs) related to MySpy, RDPWrap, and associated tools.
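As an added example that is not part of the advisory, the PowerShell function below audits one host against the RDP and Office items in the list above (RDP enabled, NLA enforced, a live RDP listener, and the Equation Editor component and its COM kill-bit) and, with the -Remediate switch, applies the fixes. The registry locations are the documented Windows and Office ones; the function name and the decision to disable RDP outright under -Remediate are this example's own choices, so use that switch only on hosts that do not need RDP.

```powershell
# Added example (not from the advisory): audit, and optionally apply, the host-level RDP and Office
# hardening steps listed above. -Remediate disables RDP entirely, so reserve it for hosts that do
# not need Remote Desktop. Registry paths are the documented Windows/Office ones. Run elevated.

function Test-Larva24005Hardening {
    param([switch]$Remediate)
    $issues = New-Object System.Collections.Generic.List[string]

    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    # Remote Desktop enabled?  fDenyTSConnections = 1 means it is switched off.
    $deny = (Get-ItemProperty $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -ne 1) {
        $issues.Add('Remote Desktop is enabled')
        if ($Remediate) {
            Set-ItemProperty $ts -Name fDenyTSConnections -Value 1 -Type DWord
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        }
    }

    # NLA requires authentication before the session is fully set up, which keeps an unauthenticated
    # client from reaching the BlueKeep code path; it is the minimum setting where RDP must stay on.
    $nla = (Get-ItemProperty $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -ne 1) {
        $issues.Add('Network Level Authentication is not required for RDP-Tcp')
        if ($Remediate) { Set-ItemProperty $tcp -Name UserAuthentication -Value 1 -Type DWord }
    }

    # Is anything listening for RDP right now, on the default port or a relocated one?
    $port = (Get-ItemProperty $tcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }
    $listen = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    if ($listen) {
        $pids = ($listen.OwningProcess | Select-Object -Unique) -join ','
        $issues.Add("TCP/$port is listening (owning PID(s): $pids)")
    }

    # CVE-2017-11882 lives in EQNEDT32.EXE (Equation Editor 3.0). The November 2017 update patched it
    # and the January 2018 Office updates removed it; if the binary is still present, the removal
    # never landed, so also check Microsoft's documented workaround: the COM compatibility kill-bit
    # (0x400) on the Equation Editor CLSID, in both the native and the WOW6432 registry views.
    $eqn = @("$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE",
             "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE") |
           Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    if ($eqn) {
        $issues.Add("Equation Editor binary present: $($eqn -join '; ')")
        foreach ($view in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
            $key  = "HKLM:\$view\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}"
            $flag = (Get-ItemProperty $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flag -ne 0x400) {
                $issues.Add("Equation Editor COM kill-bit not set under $key")
                if ($Remediate) {
                    New-Item -Path $key -Force | Out-Null
                    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
                }
            }
        }
    }

    return $issues
}

$issues = Test-Larva24005Hardening
if ($issues.Count -eq 0) { 'Host meets the RDP/Office hardening baseline.' } else { $issues }
# Test-Larva24005Hardening -Remediate    # apply the fixes on hosts that do not need RDP
```

Running the audit without -Remediate is safe on any host and gives the list of gaps; the kill-bit and NLA changes are low-risk to apply broadly, whereas disabling RDP and its firewall group should be scoped to the systems the first remediation items identify as not needing remote access. None of this replaces installing the actual patches for CVE-2019-0708 and CVE-2017-11882.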