A research team at Cybereason has found that Kimsuky, a cyber espionage group linked to the government of North Korea, is using a new malware strain called CSPY Downloader and a spyware suite called KGH_SPY to perform attacks on defense and government organizations, human rights groups, and research and pharmaceutical companies working on COVID-19 vaccines and treatments.
Cybereason said Monday the company’s Nocturnus team found that the modular suite of KGH_SPY spyware tools provides hackers with backdoor, data theft, keylogging and reconnaissance capabilities, while CSPY Downloader works by downloading additional payloads and evading analysis.
Kimsuky has been using those tools to target private and public sector organizations in the U.S., Japan, Europe, Russia and South Korea, according to the research team. The timestamps on the malware samples appear to have been altered as part of efforts to undermine forensic investigation.
“Kimsuky has a rich and notorious history dating back to 2012 of targeting South Korea, but over the past few years they have expanded their global reach,” said Assaf Dahan, senior director and head of threat research at Cybereason.
“Since the new malware is quite new, the true scope of the threat it poses is unknown, but given Kimsuky’s track record this spyware is likely to be of serious concern to both public and private sector organizations,” Dahan added.