The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.
"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an analysis posted last week.
The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document.
The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor.
The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server.
It's also capable of running commands, executing additional payloads, and terminating itself, turning it into a backdoor for remote access to the infected host.
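The lure chain described above (a JSE file run by a Windows script host that launches an obfuscated PowerShell stage in the background) leaves a recognizable parent/child process trace. The following Python sketch is an added example, not ASEC's analysis code or anything recovered from the campaign: it scores constructed Sysmon-style process-creation records and decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE) so an analyst can read what the hidden stage would have run. The field names, sample command lines, and the decoy payload are assumptions made for illustration.

```python
"""Detection sketch for a script host (wscript/cscript) running a .jse
file that spawns PowerShell with a hidden window and an encoded command.
Added example: the events below are constructed Sysmon-style records,
not telemetry from the campaign."""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe", ".wsf")
# -EncodedCommand and its abbreviations (-e, -ec, -enc, ...) followed by a
# base64 blob; the length floor keeps "-ep bypass" from matching.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_ARG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Score one process-creation event; returns (score, reasons, decoded)."""
    reasons = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    cmd = event.get("CommandLine", "")
    if image not in POWERSHELL:
        return 0, reasons, None
    if parent in SCRIPT_HOSTS:
        reasons.append("PowerShell spawned by a Windows script host")
        for ext in SCRIPT_EXTS:
            if ext in parent_cmd:
                reasons.append("script host was running a %s file" % ext)
                break
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command present and decoded")
    elif ENCODED_ARG.search(cmd):
        reasons.append("encoded argument present but not valid UTF-16LE base64")
    if HIDDEN_ARG.search(cmd):
        reasons.append("hidden window requested")
    return len(reasons), reasons, decoded


def find_suspicious(events, threshold=3):
    """Return events whose score reaches the threshold, with the decoded stage."""
    hits = []
    for ev in events:
        score, reasons, decoded = evaluate(ev)
        if score >= threshold:
            hits.append({"ProcessId": ev["ProcessId"], "score": score,
                         "reasons": reasons, "decoded": decoded})
    return hits


# Constructed stand-in for a second stage; the real script was obfuscated and
# is not reproduced here. PowerShell expects base64 over UTF-16LE text.
DECOY_STAGE = "Start-Process decoy.pdf"
ENCODED = base64.b64encode(DECOY_STAGE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {  # constructed benign event: an admin runs a script from Explorer
        "ProcessId": 1001,
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ops\backup.ps1",
    },
    {  # constructed lure chain: script host runs the .jse, which spawns
       # hidden PowerShell with an encoded command (file name is assumed)
        "ProcessId": 1002,
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'wscript.exe "C:\Users\user\Downloads\import_declaration.jse"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + ENCODED,
    },
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The scoring is deliberately additive rather than a single exact-match rule: a script host spawning PowerShell is rare but legitimate in some environments, while the combination with a script-file parent, a hidden window, and an encoded command is what makes this chain stand out. Decoding the argument also gives the triage analyst the plaintext stage instead of an opaque blob, which is where the decoy-PDF-plus-background-backdoor pattern becomes visible.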
Kimsuky, active since at least 2012, started off targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, before expanding its victimology footprint to encompass Europe, Russia, and the U.S.
Earlier this month, the U.S. Treasury Department sanctioned Kimsuky for gathering intelligence to support North Korea's strategic objectives, including geopolitical events, foreign policy, and diplomatic efforts.
"Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions," cybersecurity firm ThreatMon noted in a recent report.
The state-sponsored group has also been observed leveraging booby-trapped URLs that, when clicked, download a bogus ZIP archive masquerading as an update for the Chrome browser. The archive deploys a malicious VBScript hosted on Google Drive, which uses the cloud storage service as a conduit for data exfiltration and command-and-control (C2).
Lazarus Group Goes Phishing on Telegram
The development comes as blockchain security company SlowMist implicated the notorious North Korea-backed outfit called the Lazarus Group in a widespread phishing campaign on Telegram targeting the cryptocurrency sector.
"More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams," the Singapore-based firm said.
After establishing rapport, the targets are deceived into downloading a malicious script under the guise of sharing an online meeting link that facilitates crypto theft.
It also follows a report from the Seoul Metropolitan Police Agency (SMPA) that accused the Lazarus sub-cluster codenamed Andariel of stealing technical information about anti-aircraft weapon systems from domestic defense companies and laundering ransomware proceeds back to North Korea.
It is estimated that more than 250 files amounting to 1.2 terabytes have been stolen in the attacks. To cover up the tracks, the adversary is said to have used servers from a local company that "rents servers to subscribers with unclear identities" as an entry point.
In addition, the group extorted 470 million won ($356,000) worth of bitcoin from three South Korean firms in ransomware attacks and laundered them through virtual asset exchanges such as Bithumb and Binance. It's worth noting that Andariel has been linked to the deployment of Maui ransomware in the past.