A North Korea-related nation-state hacking group known as Kimsuky has been observed to carry out spear phishing attacks to provide information steeler malware named Forcecopy, according to a new finding from the Anlab Security Intelligence Center (ASEC).になったんです。 English: The first thing you can do is to find the best one to do. It’s there.
The attack is launched with a phishing email containing Windows Shortcuts (LNK) files that spoof Microsoft Office or PDF documents.
Opening this attachment triggers the execution of PowerShell or Mshta.exe. This is a legitimate Microsoft binary designed to run HTML Application (HTA) files that are responsible for downloading and running the next stage payload from external sources.
The Korean cybersecurity company said the attacks culminated with the deployment of Pebbell Dash, known as the Trojan horse, and a custom version of an open source remote desktop utility called the RDP Wrapper.
Also provided as part of the attack is proxy malware that allows threat actors to establish persistent communication with external networks via RDP.
Additionally, Kimsuky uses PowerShell-based KeyLogger to record keystrokes and observes using Forcecopy, a new Stealer malware codename used to copy files stored in web browser-related directories. It’s been done.
“All paths where the malware is installed are the installation paths of your web browser,” ASEC said. “It is assumed that threat actors are bypassing restrictions in a particular environment and are trying to steal the configuration file in the web browser where their credentials are stored.”
The use of Tools RDP wrappers and proxying to Commandeer-infected hosts refers to Kimsuky’s tactical changes that have historically exploited the bespoke background for this purpose.
The threat actor, also known as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427 and Velvet Chollima, is said to be partnering with North Korea’s leading foreign intelligence service, RGB. It’s worth it.
Active since at least 2012, Kimusky has a track record of tailored social engineering attacks that can bypass email security. In December 2024, cybersecurity company Genman revealed that the hacking crew was sending phishing messages derived from Russian services to carry out theft of their qualifications.
Source link
