Another CloudDragon attack abusing VPN zero-day vulnerability to target South Korean entities

The North Korean APT group CloudDragon, also known as Kimsuky, continues to target South Korean governments and organizations. TeamT5 has been actively monitoring this threat actor and we recently discovered CloudDragon abusing VPN zero-day vulnerability to launch a new attack against South Korean entities.

TeamT5 recently discovered two malicious samples circulating in South Korea, and both samples are installers of a newly identified backdoor which we named MemzipRAT. With further investigation, we believe this attack was aiming at a South Korean company in the aerospace sector. The company is part of a top 10 conglomerate in South Korea, whose business includes aerospace, chemicals, financial services, IT, etc.

In fact, CloudDragon has been accused of using VPN vulnerabilities to attack numerous entities recently, including Korean government agencies. According to TeamT5’s threat intelligence, we hold high confidence that the above malware to be follow-up attacks of the disclosed attack campaign conducted by CloudDragon. As the exploitation starts from a popular VPN system, these campaigns might lead to massive attacks and damage in the near future. And TeamT5 will keep taking careful attention to CloudDragon's recent campaign for it might end up a severe supply chain attack.

*Image courtesy of Pixabay