KGH Malware

KGH Malware Description

Infosec researchers have detected a new attack campaign attributed to the North Korean hacker group Kimsuky. The campaign was linked to the group because it uses domains registered to the same IP address previously recorded in the attacks involving the BabyShark and AppleSeed malware. The hackers have focused primarily on COVID-19 vaccine researchers, but other targets have been observed as well, including the South Korean government, the UN Security Council, research institutions and journalists.

Although some of the Command-and-Control (C2, C&C) infrastructure may have been reused, the malware being propagated is brand new. Dubbed KGH, it is a potent information stealer that is distributed through phishing emails carrying weaponized Word documents. The malware-laced documents are made to look as if they hold intriguing content, such as an interview with a North Korean defector, to lure the targeted users into opening them. Other documents purport to contain a letter addressed to Shinzo Abe, the former Prime Minister of Japan.

During the first stage of the attack chain, a custom loader, dubbed CSPY by the researchers at Cybereason, is deployed. It performs several anti-analysis and anti-VM checks to ensure that the malware is not running in a sandbox environment. The KGH Malware also manipulates its file and compilation timestamps, shifting them back to 2016, a further effort to hinder analysis by cybersecurity specialists.
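The timestamp manipulation described above is the kind of artifact a triage script can surface. The following is an added example, not code from this page or from Cybereason's analysis: it parses the COFF TimeDateStamp out of a PE header and applies generic timestomping heuristics (zeroed or future compile time, a file modified before it was compiled, filesystem timestamps with whole-second granularity as left by SetFileTime-style API calls). The minimal PE image and the filesystem times are constructed for the demo; the heuristics are assumptions of this example, not KGH-specific indicators, and a hit means "look closer", not "confirmed malicious".

```python
import struct
from datetime import datetime, timezone


def build_fake_pe(compile_ts: int) -> bytes:
    """Constructed minimal PE image (not a real sample): an MZ header whose
    e_lfanew points at a 'PE\\0\\0' signature and a COFF file header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,       # Machine = IMAGE_FILE_MACHINE_I386
        1,           # NumberOfSections
        compile_ts,  # TimeDateStamp: link time, seconds since the Unix epoch
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image as Unix seconds."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def timestamp_findings(data: bytes, created: datetime, modified: datetime,
                       now: datetime) -> list:
    """Heuristic timestomping checks (assumed here, not from the page).
    Every datetime must be timezone-aware; each finding is a reason string."""
    compile_ts = pe_compile_timestamp(data)
    compiled = datetime.fromtimestamp(compile_ts, tz=timezone.utc)
    findings = []
    if compile_ts == 0:
        findings.append("compile timestamp is zero")
    elif compiled > now:
        findings.append("compile timestamp is in the future")
    elif modified < compiled:
        findings.append("file modified before it was compiled")
    # NTFS stores 100 ns ticks; a timestamp set through a file-time API
    # typically lands on an exact second, unlike one written by normal I/O.
    for label, t in (("created", created), ("modified", modified)):
        if t.microsecond == 0:
            findings.append(f"{label} time has whole-second granularity")
    return findings


if __name__ == "__main__":
    now = datetime(2020, 11, 20, tzinfo=timezone.utc)  # constructed reference
    shifted = int(datetime(2016, 3, 1, tzinfo=timezone.utc).timestamp())
    sample = build_fake_pe(shifted)
    # Constructed filesystem times pushed back to 2016 as exact seconds
    created = datetime(2016, 3, 1, tzinfo=timezone.utc)
    modified = datetime(2016, 3, 1, tzinfo=timezone.utc)
    for finding in timestamp_findings(sample, created, modified, now):
        print("suspicious:", finding)
```

On a live system the `created` and `modified` values would come from the file's NTFS metadata (or `os.stat` on an analyst machine) and `data` from the file itself; a compile timestamp years older than everything else on the host is not suspicious by itself, which is why the checks look for internal contradictions rather than a fixed year.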

As for KGH itself, it comprises several data-collecting modules. Before it begins its threatening functionality, the malware renames its binaries and then deletes the original files, with the main payload posing as a legitimate Windows service. To gain elevated privileges on the compromised system, KGH can bypass Windows' User Account Control (UAC) through the SilentCleanup scheduled task. Once fully deployed, the KGH Malware can obtain data from Web browsers, mail clients, WinSCP and Windows Credential Manager.