An Advanced Persistent Threat (APT) operation named Larva-24005, linked to the Kimsuky threat group, has been discovered actively exploiting critical vulnerabilities in Remote Desktop Protocol (RDP) and Microsoft Office applications to compromise systems across multiple sectors and countries. After gaining initial access through these exploits, the attackers deploy a sophisticated set of malware, including MySpy and RDPWrap, to maintain persistent remote access to the compromised systems.

ASEC analysts identified multiple specialized tools used by Larva-24005 during their investigation, including two variants of an RDP vulnerability scanner, custom droppers, and keyloggers designed to exfiltrate sensitive information. MySpy collects system information, while RDPWrap manipulates Windows system settings to enable remote connections, even on systems where such functionality would normally be restricted.

The threat actors primarily leverage two critical vulnerabilities: BlueKeep (CVE-2019-0708), a severe RDP vulnerability that allows remote code execution without authentication, and the Microsoft Office Equation Editor vulnerability (CVE-2017-11882). The infection chain begins with exploitation of either the RDP or the Office vulnerability, after which the threat actors deploy a dropper that installs the MySpy malware and RDPWrap.

The RDP scanner exists in both command-line and graphical interface variants; the GUI version provides extensive scanning capabilities, including IP range specification, connection timeout settings, and multi-threading options to maximize scanning efficiency.
Published on cybersecuritynews.com. Publication date: Mon, 21 Apr 2025 07:50:11 +0000