
Threat actors believed to be affiliated with the Democratic People’s Republic of Korea (DPRK) have been observed using GitHub as a command and control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea.
According to Fortinet FortiGuard Labs, the attack chain includes an obfuscated Windows shortcut (LNK) file that serves as the starting point, a decoy PDF document, and a PowerShell script that prepares the next phase of the attack. These LNK files are known to be distributed through phishing emails.
As soon as the payload is downloaded, the victim sees a PDF document while the malicious PowerShell script runs silently in the background. The PowerShell script performs anti-analysis checks by scanning the running processes for those associated with virtual machines, debuggers, and forensic tools. If any such process is detected, the script terminates immediately.
Otherwise, it extracts an embedded Visual Basic Script (VBScript) and establishes persistence through a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to avoid detection, so the script also runs automatically every time the system is restarted.
The PowerShell script then profiles the compromised host, saves the results to a log file, and exfiltrates it to a GitHub repository created under the account “motoralis” using a hardcoded access token. GitHub accounts created as part of the campaign include ‘God0808RAMA,’ ‘Pigresy80,’ ‘entire73,’ ‘pandora0009,’ and ‘brandonleeodd93-blip.’
The script then parses specific files within the same GitHub repository to retrieve additional modules and instructions. This lets the operators exploit the trust placed in platforms like GitHub to blend in with legitimate traffic and maintain durable control over infected hosts.
Fortinet said previous campaigns have used LNK files to spread malware families such as the Xeno RAT. It is worth noting that the use of GitHub C2 to distribute the Xeno RAT and its variant MoonPeak was documented by ENKI and Trellix last year. These attacks are believed to be the work of a North Korean state-backed group known as Kimsuky.

“Instead of relying on complex custom malware, threat actors are using native Windows tools for deployment, evasion, and persistence,” said security researcher Carla Lin. “By minimizing the use of dropped PE files and leveraging LolBins, attackers can target a wide range of users with low detection rates.”
This disclosure comes as AhnLab details a similar LNK-based infection chain from Kimsuky that ultimately led to the deployment of a Python-based backdoor.
As before, the LNK file runs a PowerShell script and creates a hidden folder at the “C:\windirr” path to stage a payload, such as a decoy PDF or another LNK file that mimics a Hangul Word Processor (HWP) document. It also deploys an intermediate payload that sets persistence and launches a PowerShell script, which uses Dropbox as a C2 channel to retrieve a batch script.
The batch file then downloads two separate ZIP file fragments from the remote server (“quickcon[.]store”) and combines them into a single archive, from which the Task Scheduler XML definition and the Python backdoor are extracted. The scheduled task is used to launch the implant.
The Python-based malware can download additional payloads and execute commands issued by the C2 server. This lets the operator run shell commands, list directories, upload, download and delete files, and run BAT, VBScript, and EXE files.
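Both chains above persist through a scheduled task (a hidden PowerShell run every 30 minutes and at restart in the Fortinet case, a Task Scheduler XML definition dropped from the ZIP fragments in the AhnLab case). The following is an added example of how a defender might triage exported task XML for those traits; it is not code from the article or the researchers. The task XML is constructed, and the script-host list, 60-minute cadence threshold, and the fact that tasks are assessed one file at a time are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Task Scheduler XML modelled on the persistence the article
# describes (hidden PowerShell every 30 minutes and at boot); not a real artifact.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
    </TimeTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?$", re.I)

def interval_minutes(iso):
    # Convert an ISO-8601 duration such as PT30M or P1DT2H to minutes.
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(xml_text):
    root = ET.fromstring(xml_text)
    findings = []  # suspicious traits collected from one task definition
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS) or ""
        if SCRIPT_HOSTS.search(cmd):                       # LOLBin script host as the action
            findings.append(f"script-host action: {cmd}")
        if re.search(r"-w(indowstyle)?\s+h(idden)?\b", args, re.I):
            findings.append("hidden window requested")
        if re.search(r"-e(nc(odedcommand)?)?\s", args, re.I):
            findings.append("encoded command")
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = interval_minutes(iv.text)
        if mins is not None and mins <= 60:                # short, beacon-like cadence
            findings.append(f"repeats every {mins:g} min")
    if any(root.find(f".//t:Triggers/t:{t}", NS) is not None for t in ("BootTrigger", "LogonTrigger")):
        findings.append("runs at boot/logon")
    return findings
```

Task definitions can be exported from a live host with `schtasks /query /xml` and fed to `assess_task` one at a time; a task that combines several of these traits is worth a closer look at the script it launches.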
This finding also coincides with S2W's report that ScarCruft has moved away from traditional LNK-based attack chains to HWP OLE-based droppers to deliver RokRAT, a remote access Trojan used exclusively by North Korean hacker groups. Specifically, the malware is embedded as an OLE object within an HWP document and executed via DLL sideloading.
“Unlike previous attack chains that progressed from BAT scripts dropped by LNK to shellcode, in this case we observed that newly developed dropper and downloader malware was used to deliver shellcode and ROKRAT payloads,” the South Korean security firm said.
