North Korean Hackers Conduct A Specially Designed Malware Campaign on Facebook Messenger.

A new social engineering assault has been ascribed to the Kimsuky hacking group, which is linked to North Korea. The assault utilizes illegitimate Facebook accounts to deceive targets through Messenger and ultimately distributes malicious software.

“The threat actor established a Facebook account using a sham identity of a public official who works in the North Korean human rights field,” according to a report published last week by the South Korean cybersecurity firm Genians.

It was noted that the multi-stage assault campaign, which assumes the identity of a legitimate individual, is aimed at North Korean human rights and anti-North Korea activists.

Diverging from the conventional email-based spear-phishing approach, this method exploits the social media platform Facebook Messenger to entice targets into opening documents purportedly composed by the imposter in a private capacity.

The illegitimate documents, which are stored on OneDrive, are Microsoft Common Console files masquerading as essays or content pertaining to a trilateral summit that involves the United States, Japan, and South Korea. The files “My_Essay(prof).msc” and “NZZ_Interview_KoheiYamamoto.msc” are examples; the latter was uploaded from Japan to the VirusTotal platform on April 5, 2024.

This suggests that the campaign may be designed to specifically target individuals in South Korea and Japan.

The execution of the assault using MSC files indicates that Kimsuky is employing uncommon document formats in order to evade detection. To further enhance the probability of infection success, the document is cloaked as a benign Word file by utilizing the icon of the word processor.

Upon initiating the MSC file through Microsoft Management Console (MMC), the victim is presented with a console interface that includes a Word document. Upon launching the document, the attack sequence is initiated.

This entails executing a command to establish a connection with a server under adversary control (“[.]in”) in order to show a file hosted on Google Drive (“Essay on Resolution of Korean Forced Labor Claims.docx”). Concurrently, background instructions collect battery and process information and configure persistence.

The collected data is then exfiltrated to the command-and-control (C2) server, which can also extract relevant payloads, IP addresses, User-Agent strings, and timestamps from the incoming HTTP requests.
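The execution chain above (a console file opened from a download location, MMC then launching a command that reaches out to an external server) gives a defender two concrete signals to alert on. The following is an added detection example written for this article, not code from Genians or the report; it assumes process-creation telemetry in a Sysmon-like JSON shape with the fields `ts`, `host`, `image`, `parent_image` and `cmdline`, and the three events it runs over are constructed for illustration.

```python
import re

# Interpreters that mmc.exe has no ordinary reason to spawn when a console file is opened.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe"}
# Directories where a freshly downloaded console file typically lands (OneDrive, Downloads, ...).
USER_WRITABLE = ("\\downloads\\", "\\onedrive\\", "\\desktop\\", "\\appdata\\local\\temp\\")
# Captures a quoted or unquoted .msc path argument; [^"] keeps it from crossing into the next argument.
MSC_PATH = re.compile(r'([a-z]:\\[^"]*?\.msc)\b', re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return one alert dict per suspicious process-creation event."""
    alerts = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
        if image == "mmc.exe":
            # Rule 1: MMC opened a console file from a user-writable location, not System32.
            m = MSC_PATH.search(cmd)
            if m and any(d in m.group(1).lower() for d in USER_WRITABLE):
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "rule": "msc_opened_from_user_dir", "detail": m.group(1)})
        elif parent == "mmc.exe" and image in SHELL_CHILDREN:
            # Rule 2: MMC spawned a shell or script host (the "open the document" step in the chain).
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "rule": "mmc_spawned_interpreter", "detail": cmd})
    return alerts

# Constructed sample telemetry (hostnames, user and the C2 placeholder are invented).
SAMPLE_EVENTS = [
    {"ts": "2024-04-05T09:12:01Z", "host": "WS01",
     "image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\kim\Downloads\My_Essay(prof).msc"'},
    {"ts": "2024-04-05T09:12:03Z", "host": "WS01",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'cmd.exe /c start "" "https://REDACTED-C2[.]in/"'},
    {"ts": "2024-04-05T10:00:00Z", "host": "WS02",  # benign: built-in console from System32
     "image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Only the two WS01 events fire; the legitimate Event Viewer console on WS02 is ignored because it is loaded from System32 and spawns no interpreter.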

Certain tactics, techniques, and procedures (TTPs) utilized in the campaign, according to Genians, are similar to those utilized in previous Kimsuky operations that distributed malware such as ReconShark, which SentinelOne detailed in May 2023.

“In the first quarter of this year, spear-phishing attacks were the most popular form of APT attacks reported in South Korea,” according to the organization. “Although not frequently stated, undercover assaults via social media are also happening.”

“Because of their individualized, customized characteristics, these threats evade detection by security monitoring systems and are seldom reported externally, notwithstanding the victim’s awareness of them. Therefore, early detection of these personalized threats is of the utmost importance.”


About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
