The North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that employs fictitious Facebook accounts to targets via Messenger and ultimately delivers malware.
“The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field,” South Korean cybersecurity company Genians said in a report published last week.
The multi-stage attack campaign, which impersonates a legitimate individual, is designed to target activists in the North Korean human rights and anti-North Korea sectors, it noted.
This raises the possibility that the campaign may be oriented toward targeting specific people in Japan and South Korea.
The use of MSC files to pull off the attack is a sign that Kimsuky is utilizing uncommon document types to fly under the radar. In a further attempt to increase the likelihood of success of the infection, the document is disguised as an innocuous Word file using the word processor’s icon.
Should a victim launch the MSC file and consent to opening it using Microsoft Management Console (MMC), they are displayed a console screen containing a Word document that, when launched, activates the attack sequence.
The gathered information is then exfiltrated to the command-and-control (C2) server, which is also capable of harvesting IP addresses, User-Agent strings, and timestamp information from the HTTP requests, and delivering relevant payloads as necessary.
Genians said that some of the tactics, techniques, and procedures (TTPs) adopted in the campaign overlap with prior Kimsuky activity disseminating malware such as ReconShark, which was detailed by SentinelOne in May 2023.
“Due to their one-on-one, personalized nature, they are not easily detected by security monitoring and are rarely reported externally, even if the victim is aware of them. Therefore, it is very important to detect these personalized threats at an early stage.”
Source: https://thehackernews.com/
