A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors.
The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
“Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments,” security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a “sophisticated and multi-stage operation.”
The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents and crypto-related files to trick recipients into opening them, thereby triggering the infection process.
The attack chain is notable for its heavy reliance on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. It is also characterized by the use of Dropbox for payload distribution and data exfiltration.
It all starts with a ZIP archive containing a single Windows shortcut (.LNK) file that masquerades as a legitimate document, which, when extracted and launched, triggers the execution of PowerShell code to retrieve and display a lure document hosted on Dropbox, while stealthily establishing persistence on the Windows host via a scheduled task named “ChromeUpdateTaskMachine.”
One such lure document, written in Korean, pertains to a safety work plan for forklift operations at a logistics facility, delving into the safe handling of heavy cargo and outlining strategies to ensure compliance with workplace safety standards.
The PowerShell script is also designed to contact the same Dropbox location to fetch another PowerShell script that is responsible for gathering and exfiltrating system information. Furthermore, it drops a third PowerShell script that is ultimately responsible for executing an unknown .NET assembly.
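The chain described above leaves one durable artifact on a compromised host: a scheduled task (reported as “ChromeUpdateTaskMachine”) whose action launches PowerShell against Dropbox-hosted content. The following hunting script is an added example written for this article; it is not Securonix’s tooling or anything from the campaign, and the argument patterns it matches on (Dropbox hostnames, hidden window, encoded command, execution-policy bypass) are assumed heuristics rather than indicators from the report.

```powershell
# Hunt for the persistence pattern described above: a scheduled task whose
# action runs PowerShell to fetch content from Dropbox. Example hunting
# script added for this article, not code from the report or the campaign.
function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Task name reported in the article; extend as further reporting arrives
        [string[]]$KnownTaskNames = @('ChromeUpdateTaskMachine'),
        # Assumed heuristics for PowerShell launched against cloud-storage URLs
        [string[]]$SuspiciousArgumentPatterns = @(
            'dropbox\.com',
            'dropboxusercontent\.com',
            '-e(nc|ncodedcommand)?\s',
            '-w(indowstyle)?\s+hidden',
            '-ep\s+bypass|-executionpolicy\s+bypass'
        )
    )

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $reasons = @()

        # Direct match on the task name seen in the DEEP#DRIVE reporting
        if ($KnownTaskNames -contains $task.TaskName) {
            $reasons += "task name matches reported persistence name '$($task.TaskName)'"
        }

        # Behavioural match: any action that runs PowerShell with suspicious arguments
        foreach ($action in $task.Actions) {
            if ($action.Execute -notmatch 'powershell|pwsh') { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)"
            foreach ($pattern in $SuspiciousArgumentPatterns) {
                if ($cmdline -match $pattern) {
                    $reasons += "PowerShell action matches '$pattern'"
                }
            }
        }

        if ($reasons.Count -gt 0) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                Author      = $task.Author
                State       = $task.State
                LastRunTime = $info.LastRunTime
                Actions     = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
                Reasons     = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }
}

# Usage: run in an elevated session on the host under investigation so that
# tasks registered by other principals are visible, then export for triage.
Find-SuspiciousScheduledTask | Format-List
```

Matching on the task name alone is brittle, since the name can change between intrusions; the action-level check is what catches a renamed task, and the same pattern list can be reused against Security event 4698 (scheduled task created) or PowerShell script block logs (event 4104) in a SIEM.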
“The use of OAuth token-based authentication for Dropbox API interactions allowed seamless exfiltration of reconnaissance data, such as system information and active processes, to predetermined folders,” the researchers said.
“This cloud-based infrastructure demonstrates an effective yet stealthy method of hosting and retrieving payloads, bypassing traditional IP or domain blocklists. Additionally, the infrastructure appeared dynamic and short-lived, as evidenced by the quick removal of key links after initial stages of the attack, a tactic that not only complicates analysis but also suggests the attackers actively monitor their campaigns for operational security.”
Securonix said it was able to leverage the OAuth tokens to gain further insights into the threat actor’s infrastructure, finding evidence that the campaign may have been underway since September last year.
“Despite the missing final stage, the analysis highlights the sophisticated techniques employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker’s intent to evade detection and complicate incident response,” the researchers concluded.