A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors.
The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a malware group known as , which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
Security researchers Den Iuzvyk and Tim Peck reported on the activity in a statement shared with The Hacker News, describing the operation as “sophisticated and multi-stage activity” and stating that the intruders “successfully infiltrated targeted settings” by using customized phishing lures written in Korean and disguised as legitimate files.
The lure documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are disguised as work logs, insurance documents, and crypto-related files to trick recipients into opening them and thereby trigger the infection process.
The attack chain is notable for its heavy reliance on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. Additionally, it’s characterized by the use of Dropbox for data exfiltration and payload distribution.
It all begins with a ZIP archive containing a single Windows shortcut (.LNK) file masquerading as a legitimate document. Once the archive is extracted and the shortcut opened, it triggers PowerShell code that retrieves and displays a lure document hosted on Dropbox, while secretly establishing persistence on the Windows host via a scheduled task called “ChromeUpdateTaskMachine.”
One such lure document, written in Korean, is a safety work plan for forklift operations at a logistics facility; it includes a safety work plan for handling heavy cargo and details ways to ensure compliance with workplace safety standards.
The same PowerShell script also contacts the same Dropbox location to fetch a second PowerShell script, which is responsible for gathering and exfiltrating system information. That script in turn drops a third PowerShell script that is ultimately responsible for executing an unknown .NET assembly.
The researchers noted that the use of OAuth token-based authentication for Dropbox API interactions allowed reconnaissance data, such as system information and active processes, to be exfiltrated directly to predetermined folders.
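The chain described above leaves two observable traces on an endpoint: a scheduled task named “ChromeUpdateTaskMachine” and PowerShell reaching out to Dropbox. The following is an added detection example, not code from Securonix or the report; the event layout, the Dropbox host names and the sample events are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample events (not artefacts from the report). Field names mimic
# a SIEM's normalisation of Windows Security 4698 (scheduled task created)
# and Sysmon Event 1 (process creation).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "task_created", "task": "\\ChromeUpdateTaskMachine",
     "action": "powershell.exe -w hidden -ep bypass -c <script placeholder>"},
    {"type": "task_created", "task": "\\GoogleUpdateTaskMachineCore",
     "action": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /c"},
    {"type": "process_created", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c "
                "\"<retrieves https://dl.dropboxusercontent.com/<placeholder>>\""},
    {"type": "process_created", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# The task name is the one the report attributes to the campaign. The Dropbox
# host names are the service's public download/API endpoints; assuming the
# scripts use them is our inference, the report only says "Dropbox".
TASK_NAME_RE = re.compile(r"ChromeUpdateTaskMachine$", re.I)
DROPBOX_RE = re.compile(r"(dropboxusercontent\.com|dropboxapi\.com)", re.I)
HIDDEN_PS_RE = re.compile(r"powershell(\.exe)?\s.*-w(indowstyle)?\s+hidden", re.I)


def review_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection labels that fire for one normalised event."""
    hits: List[str] = []
    if ev["type"] == "task_created":
        if TASK_NAME_RE.search(ev["task"]):
            hits.append("deepdrive_task_name")          # persistence name from the report
        if HIDDEN_PS_RE.search(ev["action"]):
            hits.append("task_runs_hidden_powershell")  # suspicious regardless of name
    elif ev["type"] == "process_created" and ev["image"].lower() == "powershell.exe":
        if DROPBOX_RE.search(ev["cmdline"]):
            hits.append("powershell_fetches_from_dropbox")
        if ev["parent"].lower() == "explorer.exe" and HIDDEN_PS_RE.search(ev["cmdline"]):
            hits.append("hidden_powershell_from_explorer")  # consistent with an opened .LNK
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through review_event and keep only those that fired."""
    return [{"event": ev, "hits": review_event(ev)} for ev in events if review_event(ev)]
```

The benign GoogleUpdate task and the plain `-File` PowerShell launch produce no findings, so the rules key on the combination of hidden execution, the Dropbox endpoints and the specific task name rather than on PowerShell alone.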
“This cloud-based infrastructure demonstrates a cost-effective yet stealthy method of hosting payloads and payload retrieval,” according to the report. The infrastructure also appeared dynamic and short-lived, as demonstrated by the attackers’ quick removal of crucial links soon after the attack’s early stages, a tactic that complicates analysis and suggests that the attackers actively monitor their operations for operational security.
Securonix said it was able to use the OAuth tokens to gain additional insight into the threat actor’s infrastructure, finding evidence that the campaign may have been in progress since September of last year.
“Despite the missing final stage, the analysis highlights the sophisticated techniques employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker’s intent to evade detection and complicate incident response,” the researchers concluded.