APT Group Profiles – Larva-24005
1) Introduction
During a breach investigation, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation attributed to the Kimsuky group and named it Larva-24005 [1]. The threat actors exploited an RDP vulnerability to infiltrate the system. They then installed the MySpy malware and RDPWrap and changed the system configuration to create a persistent remote access environment. They also infected the system with a keylogger that records the user's keyboard input.
The threat information identified through forensic analysis has been published on ATIP (AhnLab Threat Intelligence Platform). It includes the following cases: "Kimsuky Threat Actor Group's Exploitation of BlueKeep Vulnerability to Breach and Leak Information from Korean Systems" [2] and "Larva-24005 Threat Actor Group's Use of a Korean Server as Their Main C2" [3].
2) Targets and Cases
These threat actors have been attacking South Korea's software, energy, and financial industries since October 2023 and have been sending phishing emails to targets in South Korea and Japan. Analysis of the infrastructure used in the attacks confirmed that, since September 2023, the same actors have been attacking South Korea, the United States, China, Japan, Germany, Singapore, and other countries including South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland.
3) Attack Method
In some systems, initial access was gained by exploiting the RDP vulnerability BlueKeep (CVE-2019-0708). An RDP vulnerability scanner was found on the compromised system, but there is no evidence that it was actually used there. The threat actor also distributed the malware by other means, such as sending the same malware as an email attachment and exploiting the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) [1].
After gaining access to the system, the threat actor used a dropper to install MySpy malware and RDPWrap, and modified the system settings to allow RDP access.
In the final stage, the threat actor infected the system with KimaLogger or RandomQuery keyloggers to collect the keys that the user enters.
Email logs show that phishing emails were sent to victims in Korea and Japan from some of the systems used in the attack.
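The persistence described above (RDPWrap installed and the RDP settings changed) leaves configuration artifacts an analyst can check for. The following read-only PowerShell check is an added example, not code from the ASEC report or from the threat actor's tools. It uses the standard registry locations for the Terminal Services service DLL and RDP settings; the RDP Wrapper file paths are the tool's usual install locations and the listening-port check is an analyst's assumption about what to verify, not an indicator taken from the report.

```powershell
# Added example (not from the ASEC report): host check for RDP Wrapper persistence
# and for RDP exposure on a Windows system. Read-only; it changes nothing.

$findings = @()

# 1. TermService normally loads %SystemRoot%\System32\termsrv.dll. RDP Wrapper
#    repoints ServiceDll at rdpwrap.dll, which loads the real termsrv.dll itself.
$svcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
$serviceDll = (Get-ItemProperty -Path $svcParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll -and ($serviceDll -notmatch '\\termsrv\.dll$')) {
    $findings += "TermService ServiceDll is not termsrv.dll: $serviceDll"
}

# 2. RDP Wrapper's own files. Default install location (assumed; an attacker may
#    drop them elsewhere, so treat a miss here as inconclusive).
foreach ($p in @("$env:ProgramFiles\RDP Wrapper\rdpwrap.dll",
                 "$env:ProgramFiles\RDP Wrapper\rdpwrap.ini",
                 "$env:SystemRoot\System32\rdpwrap.dll")) {
    if (Test-Path -Path $p) { $findings += "RDP Wrapper file present: $p" }
}

# 3. Remote Desktop switched on (fDenyTSConnections = 0). On a workstation that
#    should not accept RDP, this alone is worth a look.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($null -ne $deny -and $deny -eq 0) {
    $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
}

# 4. Network Level Authentication off. BlueKeep is a pre-authentication bug, so
#    NLA (UserAuthentication = 1) is the setting that blocks unauthenticated reach.
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($null -ne $nla -and $nla -eq 0) {
    $findings += 'Network Level Authentication is disabled (UserAuthentication = 0)'
}

# 5. Which process is listening on the RDP port. Expected: an svchost.exe hosting
#    TermService; anything else means the listener has been replaced or proxied.
$rdpPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }
Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Port $rdpPort listener: PID $($_.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    'No RDP Wrapper or RDP exposure indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it in an elevated session so the HKLM values and the owning process of the listener are readable. A non-default ServiceDll is the strongest single indicator here; the RDP and NLA settings are legitimate on many servers and are only meaningful against the host's expected baseline.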
The Diamond Model of Larva-24005 is as follows:

| Item | Description |
|---|---|
| Adversary | Larva-24005 |
| Vulnerability | BlueKeep (CVE-2019-0708) |
| Techniques | Spear phishing email, RDP access |
| Victim | South Korean software companies, energy, finance |
| Malware and Tools | RDPWrap, MySpy |
| Infrastructure | Uses r-e.kr and kro.kr domains |

Table 1. Diamond Model
Main Malware and Tools
The following are the main malware and tools used by this threat group. Note that the stages are conceptual groupings rather than observed operational steps, so they may differ from actual attacks.

| Name | Description |
|---|---|
| RDPScanner Type A | CLI (command-line interface) RDP vulnerability scanner |
| RDPScanner Type B | GUI (graphical user interface) RDP vulnerability scanner |
| Downloader | Downloader |
| Dropper | Dropper that creates the RDPWrap and MySpy malware |
| RDPWrap | Remote control |
| MySpy | Presumed to collect system information |
| RDPEnabler | Modifies RDP-related system settings |
| RDPLoader | RDPWrap loader |
| KimaLogger | Keylogger |
| RandomQuery | Keylogger |

Table 2. Key malware and tools
1) Infiltration
Multiple RDP vulnerability scanning tools for initial access were found. Some of these tools were used in actual attacks, but most were found stored on infected systems without any evidence of use.
(1) RDPScanner CLI Type
A scanner for the RDP vulnerability (CVE-2019-0708) discovered on a system that was attacked through that vulnerability, but it has not been confirmed whether this tool was used for the initial access. The files Atk.txt and Sea.txt are required for execution, but these files could not be obtained.
(2) RDPScanner GUI Type
A tool for scanning for the RDP vulnerability (CVE-2019-0708) with a graphical user interface (GUI). It reads a list of IP addresses from a text file and performs the scan. The scan results are written to the file RDP_result.txt in the tool's execution path.
The following are the variants developed from 2019 to 2024.

[1] https://asec.ahnlab.com/en/74073/
[2] https://atip.ahnlab.com/intelligence/view?id=cce9edd9-911b-49da-8726-b46b9d5a9cb2
[3] https://atip.ahnlab.com/intelligence/view?id=4464854f-8bb1-443f-b93a-971cb94451f4