RDP and MS Office Vulnerabilities Abused by Kimsuky in Targeted Intrusions

The AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated cyber operation dubbed “Larva-24005,” attributed to the Kimsuky group, a threat actor long associated with targeted attacks on South Korean interests.

This campaign, first observed in September 2023, has since expanded its reach to the United States, China, Japan, Germany, and several other countries, aiming primarily at sectors such as software development, energy, and finance.

According to forensic findings, the attackers exploited the Remote Desktop Protocol (RDP) vulnerability known as BlueKeep (CVE-2019-0708) for initial system access.

Although RDP vulnerability scanners were identified on compromised systems, there is limited evidence regarding their direct use for infiltration.

Once inside, the adversaries swiftly deployed a dropper to install the MySpy malware and RDPWrap, thereby enabling a persistent remote access channel for ongoing control and data exfiltration.

An additional layer of compromise came with the infection of systems using the keyloggers KimaLogger or RandomQuery, which were intended to covertly monitor and capture user keystrokes.

Beyond exploiting RDP, the group employed spear-phishing campaigns primarily targeting organizations in South Korea and Japan.

[Figure: Attack Method]

These emails often included attachments weaponized with the Microsoft Office Equation Editor vulnerability (CVE-2017-11882), further broadening the attack surface beyond direct network exploitation.

Analysis of the campaign’s infrastructure revealed the use of specific domains, such as r-e.kr and kro.kr, as command-and-control (C2) nodes.

Email logs and network traces also established that compromised machines participated in additional phishing campaigns, underlining the operation’s multi-use infrastructure.

Technical Arsenal and Attack Flow

A diverse set of custom and commercial tools characterized this campaign. Multiple RDP vulnerability scanners, in both CLI and GUI variants, were found on affected systems, along with specialized downloaders, droppers, and modules for enabling and loading RDPWrap.

[Figure: variants developed from 2019 to 2024.]

The dropper was pivotal, as it installed both RDPWrap and the MySpy information-stealer to gather system data.

RDPEnabler further tweaked system configurations, ensuring that RDP remained accessible for the attackers.

Keylogging was an essential part of the post-exploitation phase. The attackers deployed KimaLogger and RandomQuery to covertly collect sensitive credentials and potentially exfiltrate confidential business data.

Forensic examination confirmed that many of these tools remained on compromised machines, though not all were actively used in each breach.

The campaign reflects a clear evolution in Kimsuky’s tactics, blending legacy vulnerabilities with modern spear-phishing, custom malware, and robust C2 infrastructure to maximize persistence and evade detection.

The integration of keyloggers and system information stealers illustrates a strategic focus on credential harvesting and long-term espionage.

Threat intelligence published by AhnLab’s Threat Intelligence Platform (ATIP) has provided additional context, referencing prior cases of Kimsuky exploiting the BlueKeep vulnerability and using Korean servers as central C2 nodes for broader operations.

Indicators of Compromise (IOCs)


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.