A North Korea-linked threat actor has been associated with an ongoing campaign targeting South Korean business, government and cryptocurrency sectors.
The attack campaign, which Securonix tracks as DEEP#DRIVE, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427 and Velvet Chollima.
"By using tailored phishing lures and disguised legitimate documents, the attackers successfully penetrated the target environment," security researchers Den Iuzvyk and Tim Peck noted in a report shared with The Hacker News, describing the activity as a "complex, multi-stage operation."
The lure documents, sent via phishing emails as .hwp, .xlsx and .pptx files, are disguised as work logs, insurance documents and cryptocurrency-related files to trick recipients into opening them, thereby triggering the infection process.
The attack chain is notable for its heavy reliance on PowerShell scripts at different stages, including payload delivery, reconnaissance and execution. It also stands out for its use of Dropbox for payload distribution and data exfiltration.
It all starts with a ZIP archive containing a single Windows shortcut file (.lnk) masquerading as a legitimate document which, when extracted and launched, runs PowerShell code to retrieve and display a decoy document hosted on Dropbox. A scheduled task named "ChromeUpdateTaskMachine" is also registered.
One of these lure documents, written in Korean, concerns a safety plan for loading operations at a logistics facility, going into the safe handling of heavy cargo and the steps taken to ensure safety standards are met.
The PowerShell script is also designed to contact the same Dropbox location to fetch another PowerShell script, which is responsible for collecting and exfiltrating system information. It additionally drops a third PowerShell script that is ultimately responsible for executing an unknown .NET assembly.
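A defender-side triage script for the chain just described, added here as an example and not code from Securonix's report: it runs three rules over process-creation events (a hidden PowerShell spawned by Explorer, as a .lnk launch would produce; PowerShell reaching a Dropbox domain; and registration of the "ChromeUpdateTaskMachine" scheduled task). The event layout, the file paths and the sample records are all constructed assumptions, loosely shaped like Sysmon Event ID 1 fields.

```python
"""Hunt for the DEEP#DRIVE-style chain in process-creation logs (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent process image path
    image: str     # process image path
    cmdline: str   # full command line


# Indicators taken from the campaign description: Dropbox for payload hosting,
# a hidden PowerShell launched via a .lnk, and the scheduled-task name.
DROPBOX_RE = re.compile(r"dropbox(?:api|usercontent)?\.com", re.IGNORECASE)
TASK_NAME = "chromeupdatetaskmachine"
HIDDEN_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop|noni|ep\s+bypass)", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    cl = ev.cmdline
    if is_powershell(ev.image) and ev.parent.lower().endswith("explorer.exe") and HIDDEN_FLAGS.search(cl):
        hits.append("lnk_launch_hidden_powershell")
    if is_powershell(ev.image) and DROPBOX_RE.search(cl):
        hits.append("powershell_dropbox_fetch")
    if TASK_NAME in cl.lower() and ("schtasks" in ev.image.lower() or "register-scheduledtask" in cl.lower()):
        hits.append("chromeupdatetaskmachine_persistence")
    return hits


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> triggered rules, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


SAMPLE_EVENTS = [  # constructed sample records, not taken from the report
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -ep bypass -c "iwr https://dl.dropboxusercontent.com/s/PLACEHOLDER/decoy.hwp"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\schtasks.exe",
              "schtasks /create /tn ChromeUpdateTaskMachine /sc minute /mo 30 /tr powershell.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n report.docx'),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```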
"The use of OAuth token-based authentication for Dropbox API interaction allowed reconnaissance data, such as system information and active processes, to be exfiltrated unhindered," the researchers said.
"This cloud-based infrastructure demonstrates an effective but stealthy method of hosting and retrieving payloads, bypassing traditional IP- or domain-based blocking. Furthermore, the infrastructure proved to be dynamic and short-lived, as evidenced by the rapid removal of key links after the initial stages of the attack, a tactic that not only complicates analysis but also suggests the attackers actively monitor their operational security."
Securonix said it was able to use the OAuth tokens to gather additional information about the threat actor's infrastructure, uncovering evidence that the campaign may have been under way since September of last year.
"Despite the absence of the final-stage payload, the analysis highlights sophisticated techniques, including persistence, stealthy execution and dynamic file handling, that demonstrate the attacker's intent to evade detection and complicate incident response," the researchers concluded.