Threat actors likely associated with the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea.
The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF document and a PowerShell script that sets the stage for the next phase of the attack. It's assessed that these LNK files are distributed via phishing emails.
As soon as the payloads are downloaded, the victim is displayed the PDF document, while the malicious PowerShell script runs silently in the background. The PowerShell script performs checks to resist analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools. If any of those processes are detected, the script immediately terminates.
Otherwise, it extracts a Visual Basic Script (VBScript) and sets up persistence using a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to sidestep detection. This ensures that the PowerShell script is executed automatically after every system reboot.
The PowerShell script then profiles the compromised host, saves the result to a log file, and exfiltrates it to a GitHub repository created under the account "motoralis" using a hard-coded access token. Some of the GitHub accounts created as part of the campaign include "God0808RAMA," "Pigresy80," "entire73," "pandora0009," and "brandonleeodd93-blip."
The script then parses a specific file in the same GitHub repository to fetch additional modules or instructions, thus allowing the operator to weaponize the trust associated with a platform like GitHub to blend in and maintain persistent control over the infected host.
Fortinet said that earlier iterations of the campaign relied on LNK files to spread malware families like Xeno RAT. It's worth noting that the use of GitHub C2 to distribute Xeno RAT and its variant MoonPeak was documented by ENKI and Trellix last year. These attacks were attributed to a North Korean state-sponsored group known as Kimsuky.
"Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence," security researcher Cara Lin said. "By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate."
The disclosure comes as AhnLab detailed a similar LNK-based infection chain from Kimsuky that ultimately results in the deployment of a Python-based backdoor.
The LNK files, as before, execute a PowerShell script and create a hidden folder in the "C:\windirr" path to stage the payloads, including a decoy PDF and another LNK file that mimics a Hangul Word Processor (HWP) document. Also deployed are intermediate payloads to set up persistence and launch a PowerShell script, which then uses Dropbox as a C2 channel to fetch a batch script.
The batch file then downloads two separate ZIP file fragments from a remote server ("quickcon[.]store") and combines them together to create a single archive and extracts from it an XML task scheduler and a Python backdoor. The task scheduler is used to launch the implant.
The Python-based malware supports the ability to download additional payloads and execute commands issued from the C2 server. The instructions allow it to run shell scripts, list directories, upload/download/delete files, and run BAT, VBScript, and EXE files.
The findings also coincide with ScarCruft's shift from traditional LNK-based attack chains to an HWP OLE-based dropper to deliver RokRAT, a remote access trojan exclusively used by the North Korean hacking group, per S2W. Specifically, the malware is embedded as an OLE object within an HWP document and executed via DLL side-loading.
"Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload," the South Korean security company said.
