The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors to compromised systems.
“The threat actor ultimately uses a backdoor to steal information and execute commands,” the AhnLab Security Emergency Response Center (ASEC) SAYS in an analysis posted last week.
The attack chains start with an import declaration lure that is actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document.
The next stage involves opening the PDF file as a diversionary tactic, while a PowerShell script is executed in the background to launch the backdoor.
The malware, for its part, is configured to collect network information and other related data (ie, host name, user name, and operating system version) and send the encoded details to remote server.
It can also run commands, execute additional payloads, and terminate itself, making it a backdoor for remote access to the infected host.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.
Kimsuky, active since 2012, began targeting South Korean government entities, think tanks, and individuals recognized as experts in various fields, before expanding its victimology footprint to include Europe, Russia, and the US
Earlier this month, the US Treasury Department sanctioned Kimsuky for gathering intelligence to support North Korea’s strategic objectives, including geopolitical events, foreign policy, and diplomatic efforts.
“Kimsuky focused on intelligence gathering activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions,” the cybersecurity firm ThreatMon THE audience in a recent report.
The state-sponsored group was also found to be using booby-trapped URLs that, when clicked, download a fake ZIP archive disguised as an update for the Chrome browser to deploy a malicious VBScript from Google Drive that uses cloud storage as a path for data. exfiltration and command-and-control (C2).
Lazarus Group Continues Phishing on Telegram
The development comes as blockchain security company SlowMist has implicated a notorious North Korean-backed outfit called the Lazarus Group in a widespread Telegram phishing campaign targeting the cryptocurrency sector.
“Recently, these hackers have stepped up their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams,” the Singapore-based company said. . SAYS.
After establishing the relationship, targets are tricked into downloading a malicious script under the guise of sharing an online meeting link that facilitates crypto theft.
It also follows a report from the Seoul Metropolitan Police Agency (SMPA) that accused the Lazarus sub-cluster codenamed Andariel for stealing technical information about anti-aircraft weapon systems from domestic defense companies and laundering ransomware proceeds back to North Korea.
It is estimated that more than 250 files worth 1.2 terabytes were stolen in the attacks. To cover the tracks, the enemy is said to be using servers from a local company that “rents servers to subscribers with ambiguous identities” as an entry point.
In addition, the group extorted 470 million won ($356,000) worth of bitcoins from three South Korean companies in a ransomware attack and laundered them through virtual asset exchanges such as Bithumb and Binance. It is worth noting that Andariel was involved in the deployment of the Maui ransomware in the past.