Cybereason uncovers North Korean malware used against companies around the world

Researchers at the cybersecurity firm identified a new spyware suite dubbed KGH_SPY, used by a group with North Korean ties

James Spiro 12:47 02.11.20
Researchers at the cybersecurity firm Cybereason announced today that its Nocturnus team has identified a new modular spyware suite called ‘KGH_SPY’ and a new malware strain called ‘CSPY Downloader’. They believe the spyware is being used by the cyberespionage group ‘Kimsuky’, which is understood to operate on behalf of the North Korean regime.


The victims of the attack are members of the private and public sectors located in the United States, Europe, Japan, South Korea, and Russia. Among them are governmental and defense organizations, journalists, human rights groups, and research companies working on coronavirus (Covid-19) remedies.


Assaf Dahan, Senior Director, Head of Threat Research at Cybereason. Photo: Cybereason.


Kimsuky, also known as Velvet Chollima, Black Banshee, and Thallium, has been active since 2012 and is known for complex infrastructure that mixes free-registered domains, compromised domains, and private domains. Cybereason found that the newly discovered KGH_SPY and CSPY Downloader give the threat actors reconnaissance, keylogging, and information-stealing capabilities while evading detection by anti-virus software.


“Our newest discovery shows Kimsuky carrying out targeted cyber espionage campaigns against an array of victims including governments, research institutes and human rights groups,” said Assaf Dahan, Senior Director, Head of Threat Research at Cybereason. “Since the malware is quite new, the true scope of the threat it poses is unknown, but given Kimsuky’s track record this spyware is likely to be of serious concern to both public and private sector organizations.”



Among the findings was new infrastructure, registered as recently as 2019 and 2020, that overlaps with infrastructure used by another Kimsuky malware called BabyShark, which was previously used to target US-based think tanks.


In recent years, the threat of cyber espionage and warfare has grown as the capabilities to attack and hack software have outpaced our ability to defend against them. With the potential to tank stock markets, alter presidential election results, or steal private information for ransomware attacks, the threat has never been more pressing.


Cybereason is a cyber defense company offering future-ready attack protection, founded in 2012 by Lior Div, a former soldier in Israel's Unit 8200. It offers an endpoint protection platform to help detect and respond to attacks from around the world. It is headquartered in Boston, USA, with offices in Tel Aviv, London, and Tokyo.