The North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that employs fictitious Facebook accounts to reach targets via Messenger and ultimately delivers malware.
“The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field,” South Korean cybersecurity firm Genians said in a report published last week.
The multi-stage attack campaign, which impersonates a legitimate individual, is designed to target activists in the North Korean human rights and anti-North Korea sectors, it noted.
The approach is a departure from the typical email-based spear-phishing strategy in that it leverages the social media platform to approach targets via Facebook Messenger and trick them into opening seemingly private documents written by the persona.
The decoy documents, hosted on OneDrive, are Microsoft Common Console documents that masquerade as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. — “My_Essay(prof).msc” or “NZZ_Interview_Kohei Yamamoto.msc” — with the latter uploaded to the VirusTotal platform on April 5, 2024, from Japan.
This raises the possibility that the campaign may be oriented toward targeting specific people in Japan and South Korea.
The use of MSC files to carry out the attack is a sign that Kimsuky is turning to uncommon document types to fly under the radar. In a further attempt to increase the likelihood of a successful infection, the file is disguised as an innocuous Word file by using the word processor’s icon.
Should a victim launch the MSC file and consent to opening it with Microsoft Management Console (MMC), they are shown a console screen containing a Word document that, when launched, activates the attack sequence.
This involves running a command to establish a connection with an adversary-controlled server (“brandwizer.co[.]in”) to display a document hosted on Google Drive (“Essay on Resolution of Korean Forced Labor Claims.docx”), while additional instructions are executed in the background to set up persistence as well as collect battery and process information.
The gathered information is then exfiltrated to the command-and-control (C2) server, which is also capable of harvesting IP addresses, User-Agent strings, and timestamp information from the HTTP requests, and of delivering further payloads as needed.
Genians said that some of the tactics, techniques, and procedures (TTPs) adopted in the campaign overlap with prior Kimsuky activity disseminating malware such as ReconShark, which was detailed by SentinelOne in May 2023.
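The MSC-via-MMC chain described above leaves a recognisable trace in endpoint telemetry. The following is an added detection example, not code from the Genians report: it scans constructed Sysmon-like process-creation events for mmc.exe loading a .msc from a user-writable folder and for mmc.exe spawning a shell or script host; the field names, folder list and child-process list are assumptions about the log source.

```python
"""MSC console abuse detection over Sysmon-like process events.
Added example, not from the Genians report. Rule 1: mmc.exe loads a .msc from a
user-writable folder. Rule 2: mmc.exe spawns a shell or script host.
Field names (Image, ParentImage, CommandLine) are an assumed schema."""
import re
from pathlib import PureWindowsPath

# Folders where a Messenger- or OneDrive-delivered console is likely to land (assumed).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents|onedrive|appdata\\local\\temp)\\",
    re.IGNORECASE)
# Child processes a legitimate snap-in rarely launches (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
# Quoted paths may contain spaces, e.g. "NZZ_Interview_Kohei Yamamoto.msc".
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def analyze(events):
    """Return (EventId, reason) tuples for every event matching either rule."""
    findings = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
        if image == "mmc.exe":  # Rule 1: console file loaded from a user-writable path
            for quoted, bare in MSC_ARG.findall(ev.get("CommandLine", "")):
                msc = quoted or bare
                if USER_WRITABLE.match(msc):
                    findings.append((ev["EventId"], f"mmc.exe opened user-dropped console {msc}"))
        if parent == "mmc.exe" and image in SUSPICIOUS_CHILDREN:  # Rule 2: unusual child
            findings.append((ev["EventId"], f"mmc.exe spawned {image}"))
    return findings

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"EventId": 1, "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
    {"EventId": 2, "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\NZZ_Interview_Kohei Yamamoto.msc"'},
    {"EventId": 3, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /c <command redacted in this constructed sample>"},
]

if __name__ == "__main__":
    for event_id, reason in analyze(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 1 (a stock snap-in from System32) is deliberately included so the rules can be checked for false positives on legitimate MMC use.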
“In the first quarter of this year, spear phishing attacks were the most common method of APT attacks reported in South Korea,” the company noted. “Although not commonly reported, covert attacks via social media are also occurring.”
“Due to their one-on-one, personalized nature, they are not easily detected by security monitoring and are rarely reported externally, even if the victim is aware of them. Therefore, it is very important to detect these personalized threats at an early stage.”