Source: gbhackers.com
North Korean state-backed threat group Kimsuky, also known as APT43, is actively targeting South Korean entities through a sophisticated cyber campaign, dubbed DEEP#DRIVE. This ongoing operation, potentially active since September, involves attacks leveraging PowerShell and Dropbox against South Korean government, business, and cryptocurrency firms. The attackers initiate intrusions with phishing emails carrying a ZIP archive that contains an LNK file disguised as a legitimate document, tricking recipients into triggering the infection process.

The attack chain relies heavily on PowerShell scripts for various stages, including payload delivery, reconnaissance, and execution, and on Dropbox for payload distribution and data exfiltration. Upon execution, the LNK file launches a PowerShell script that retrieves a lure document hosted on Dropbox. It also retrieves another PowerShell script for system data exfiltration and installs a third script to execute an unknown .NET assembly. This cloud-based infrastructure enables stealthy payload hosting and retrieval, complicating detection efforts.
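The chain described above (user opens an LNK from a ZIP, explorer.exe spawns PowerShell, PowerShell pulls payloads from Dropbox) leaves a recognisable process-creation footprint. The following triage routine is an added example, not code from the article or from any vendor report; the event records are constructed Sysmon-style fields and the URL path is a placeholder.

```python
"""Triage process-creation events for the LNK -> PowerShell -> Dropbox pattern.
Added example; event dicts are constructed (Sysmon Event ID 1 style fields)."""
import re
from typing import Dict, List, Tuple

# Cloud hosts reported as abused for staging and exfiltration in this campaign.
DROPBOX_HOSTS = re.compile(r"\bdropbox(?:usercontent|api)?\.com\b", re.I)
# Flags that make a user-launched PowerShell look non-interactive or hidden.
HIDDEN_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|enc(?:odedcommand)?)\b", re.I)
# Common download-cradle cmdlets and .NET methods.
DOWNLOAD_CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the described chain (empty list = not flagged)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return []
    reasons = []
    # Double-clicking a .lnk extracted from a ZIP yields explorer.exe as the parent process.
    if parent.endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (consistent with LNK launch)")
    if HIDDEN_FLAGS.search(cmd):
        reasons.append("hidden/non-interactive PowerShell flags")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    if DROPBOX_HOSTS.search(cmd):
        reasons.append("Dropbox URL in command line")
    # Require the cloud indicator plus at least one launch anomaly to keep noise down.
    if "Dropbox URL in command line" in reasons and len(reasons) >= 2:
        return reasons
    return []

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that is flagged."""
    results = [(i, score_event(ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in results if r]

# Constructed sample events (not real telemetry); only the first should be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -c \"iwr "
                    "https://www.dropbox.com/scl/fi/PLACEHOLDER/lure.pdf?dl=1 -OutFile $env:TEMP\\lure.pdf\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},
    {"Image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "Dropbox.exe /systemstartup"},
]
```

Legitimate Dropbox client activity (third event) is not flagged because the rule keys on PowerShell as the image, and a plain administrative PowerShell launch (second event) is not flagged because it carries no cloud indicator.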


