Larva-24005, a threat operation associated with the North Korean state-backed advanced persistent threat group Kimsuky, has been exploiting two long-patched Microsoft vulnerabilities to infiltrate organizations in Japan and South Korea: BlueKeep (CVE-2019-0708), a critical pre-authentication remote code execution flaw in Remote Desktop Services, and CVE-2017-11882, a high-severity memory corruption bug in the Microsoft Office Equation Editor. South Korean financial, energy, and software companies have been targeted since October 2023, The Hacker News reports.
After gaining initial access, Larva-24005 deploys the MySpy malware, which collects system information, and the RDPWrap tool, which modifies system settings so the attackers can connect over RDP, before eventually delivering the KimaLogger and RandomQuery keyloggers, according to an analysis from the AhnLab Security Intelligence Center. Beyond Japan and South Korea, Larva-24005 has also been observed compromising organizations in the U.S., Canada, Mexico, China, Thailand, Vietnam, Singapore, South Africa, Belgium, Poland, Germany, the Netherlands, and the UK.
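The following PowerShell triage script is an added example, not code from the article or from AhnLab, and it contains no indicators from the report itself. It checks a Windows host for the conditions the campaign described above depends on or leaves behind: a stock RDP Wrapper installation (the open-source tool normally drops rdpwrap.dll under "RDP Wrapper" in Program Files and registers it as the TermService ServiceDll in place of termsrv.dll; both details are assumptions about a default install, since a tailored build could use other paths), RDP switched on with Network Level Authentication disabled, the Equation Editor binary abused via CVE-2017-11882 still present on disk, and an operating system old enough (pre-Windows 8, NT version below 6.2) to be in scope for BlueKeep.

```powershell
# Added triage script (not from the article or AhnLab): flags host conditions
# relevant to the Larva-24005 tradecraft described above. Run elevated.
# Assumptions (not from the report): RDP Wrapper's default install path and its
# registration of rdpwrap.dll as the TermService ServiceDll.

$findings = @()

# 1. RDP Wrapper: a default install points TermService at rdpwrap.dll instead of termsrv.dll.
$termParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty -Path $termParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and $serviceDll -notmatch 'termsrv\.dll$') {
    $findings += "TermService ServiceDll is not termsrv.dll: $serviceDll"
}
$wrapPaths = @(
    "$env:ProgramFiles\RDP Wrapper\rdpwrap.dll",
    "${env:ProgramFiles(x86)}\RDP Wrapper\rdpwrap.dll"
)
foreach ($p in $wrapPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "RDP Wrapper DLL present: $p" }
}

# 2. RDP state: fDenyTSConnections = 0 means inbound RDP is allowed;
#    UserAuthentication = 0 means NLA is off, so RDS is reachable pre-auth (BlueKeep's precondition).
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 0) { $findings += 'Inbound RDP enabled (fDenyTSConnections = 0)' }
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 0) { $findings += 'Network Level Authentication disabled on RDP-Tcp (UserAuthentication = 0)' }

# 3. Equation Editor: CVE-2017-11882 lives in EQNEDT32.EXE; if the binary is still on disk,
#    the Office installation has not received the update that removed it.
$eqnPaths = @(
    "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE"
)
foreach ($p in $eqnPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "Equation Editor binary still present: $p" }
}

# 4. BlueKeep affects only pre-Windows 8 systems (NT version < 6.2); flag those so the
#    CVE-2019-0708 fix can be verified against the vendor's KB list for that build.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.2') {
    $findings += "Legacy OS in BlueKeep scope: $($os.Caption) ($($os.Version)); confirm CVE-2019-0708 patch"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output '[ok] No RDP Wrapper, pre-auth RDP exposure, Equation Editor binary, or BlueKeep-era OS found'
}
```

A hit on the ServiceDll check is the strongest signal here, since legitimate Windows never points TermService at anything but termsrv.dll; the RDP and NLA settings on their own are policy findings rather than evidence of compromise, and a missing EQNEDT32.EXE only rules out the Office vector on that host.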