THE KIMSUKY SYSTEM

The Kimsuky malware complex was originally detailed in a report from Kaspersky (14) in 2013 and has been an active component of the South Korean threat landscape since then. Ahnlab reported a new campaign in Feb 2014 (15), and an intrusion attempt into South Korean nuclear facilities in Dec 2014 was also identified to involve Kimsuky (16).
The Kimsuky malware is different in structure from the Destover complex. It uses different encoding schemes and algorithms than Destover, and email and FTP are used for C&C communication and exfiltration.

Similar to Destover, Kimsuky has used HWP exploits as an infection vector. A number of samples rely on vulnerabilities in the old OLE2-based HWP file format. However, as far as we have seen, they have not used the recent CVE-2015-6585 HWPX vulnerability, which has been used to plant at least three variants of Destover.
There are some similarities in modus operandi, such as:

• Encoded API usage
• Frequent code hand-modifications between samples
• Malware installed as services
• Taunting the victim in public fora
• Posing as hacktivist groups (17)
• Publication of stolen data (17)

Based on the available data we cannot say that the Kimsuky-based campaigns are connected to the DarkSeoul group.
THE BLACKMINE SYSTEM

Blackmine is a South Korea-focused malware campaign detailed by Ahnlab (18).

The payload malware in question is a data harvester and uploader, which also allows for download of more malware. As with Kimsuky, Blackmine shares some approaches with Destover – the usage of obfuscated API names, for example – but there are also enough differences to say that Blackmine probably has not originated from the same codebase. Ahnlab does, however, state that they see these groups as possibly correlated.