
KGH Malware

Posted: November 3, 2020

North Korea's most infamous Advanced Persistent Threat (APT) group, Lazarus, is still going after companies and organizations involved in developing COVID-19 vaccines. Its latest campaign relies on carefully crafted spear-phishing emails that attract the victim's interest by claiming to be addressed to the Japanese Prime Minister or to have been sent by a North Korean defector. The emails usually carry a file attachment with a Microsoft Office extension such as '.DOCX'. Unbeknownst to the recipient, the file is laced with a macro script that launches a multi-stage attack ending with the deployment of the KGH Malware.

The KGH Malware's compilation timestamps indicate that it was first built in 2016. However, this is the first time the malware has been detected, dissected, and analyzed thoroughly. Cybersecurity experts concluded that the timestamps of the malicious binaries were tampered with: the 2016 date was set manually by the perpetrators of the attack. The KGH Malware appears to function as an infostealer that also has functionality typical of keyloggers and backdoor Trojans. It was often used in combination with the CSPY Downloader.

The KGH Malware's primary purpose is to gain persistence on the compromised machine by setting up new Registry autorun keys. It then runs the separate modules responsible for the following features:

  • Logging keystrokes.
  • Downloading and executing additional malware.
  • Executing remote commands via the PowerShell or Command Prompt Windows utilities.
  • Collecting information from the Windows Credentials Manager, WinSCP client, Web browsers, and email clients.
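A defender-side check for the persistence mechanism described above, added here as an example and not taken from the original article or from the malware itself: it scores Registry autorun entries by whether the launched binary lives in a user-writable location and whether the entry routes through PowerShell or cmd, the two utilities named in the list. The entries are constructed sample data, not indicators from the KGH samples.

```python
import re
from dataclasses import dataclass

# Constructed sample autorun entries (key path, value name, command line).
# Illustrative only; these are not indicators taken from the KGH samples.
SAMPLE_AUTORUNS = [
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater",
     "C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Sync",
     "powershell.exe -w hidden -enc AAAAAAAAAAAAAAAA"),   # placeholder payload
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Helper",
     "cmd.exe /c start \"\" C:\\ProgramData\\tmp\\helper.dll"),
]

# Heuristics: binaries under user-writable paths, script hosts, encoded args.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SCRIPT_HOST = re.compile(r"(?:^|\\)(powershell|pwsh|cmd)\.exe", re.I)
ENCODED_ARG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


@dataclass
class Finding:
    value_name: str
    score: int
    reasons: list


def score_autorun(key, name, command):
    """Return a Finding for one autorun entry; a higher score is more suspicious."""
    reasons, score = [], 0
    if USER_WRITABLE.search(command):
        reasons.append("binary launched from user-writable path")
        score += 2
    if SCRIPT_HOST.search(command):
        reasons.append("autorun routes through PowerShell/cmd")
        score += 2
        if ENCODED_ARG.search(command):
            reasons.append("encoded PowerShell command line")
            score += 3
    if key.startswith("HKCU") and score:
        reasons.append("per-user Run key (no admin rights needed to create)")
        score += 1
    return Finding(name, score, reasons)


def suspicious_autoruns(entries, threshold=2):
    """Filter entries whose score meets the threshold, preserving input order."""
    return [f for f in (score_autorun(*e) for e in entries) if f.score >= threshold]


if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"{f.value_name}: score {f.score}: {'; '.join(f.reasons)}")
```

On a live host the same scoring can be fed from the output of Autoruns or a `Get-ItemProperty` over the Run keys instead of the constructed list.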

As mentioned earlier in the article, the KGH Malware was employed in attacks against COVID-19 vaccine makers, as well as against the UN Security Council, various research institutes, military institutions and the South Korean government.
