An ongoing cyber attack campaign has set its sights on Korean-speaking persons by using U.S. Navy-themed doc lures to trick them into managing malware on compromised systems.
Cybersecurity firm Securonix is tracking the activity below the identify STARK#MULE.
“Primarily based on the supply and very likely targets, these sorts of attacks are on par with earlier attacks stemming from common North Korean teams this kind of as APT37 as South Korea has historically been a major focus on of the team, specially its government officers,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov claimed in a report shared with The Hacker News.
APT37, also regarded by the names Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a North Korean nation-point out actor that is acknowledged to completely target on targets in its southern counterpart, specially those people included in reporting on North Korea and supporting defectors.
Attack chains mounted by the group have traditionally relied on social engineering to phish victims and provide payloads these types of as RokRat on to goal networks. That explained, the adversarial collective has expanded its offensive arsenal with a range of malware households in latest months, like a Go-centered backdoor known as AblyGo.
A noteworthy trait of the new campaign is the use of compromised Korean e-commerce internet websites for staging payloads and command-and-management (C2) in an endeavor to fly beneath the radar of security methods mounted on the techniques.
The phishing emails that act as the progenitor make use of U.S. Army recruitment messages to convince recipients into opening a ZIP archive file, which consists of a shortcut file that appears under the guise of a PDF document.
The shortcut file, when introduced, shows a decoy PDF, but also surreptitiously activates the execution of a rogue “Thumbs.db” file existing in the archive file.
“This file performs several features which contain downloading even further stagers and leveraging schtasks.exe to set up persistence,” the researchers described.
Two of the up coming-stage modules – “lsasetup.tmp” and “winrar.exe” – are retrieved from a compromised e-commerce website named “www.jkmusic.co[.]kr,” the latter of which is employed to extract and run the contents of “lsasetup.tmp,” an obfuscated binary that reached out to a 2nd e-commerce site named “www.notebooksell[.]kr.”
“Once the relationship was set up, the attackers had been ready to purchase technique aspects these as process MAC, Windows edition, [and] IP tackle,” the scientists claimed. “Both equally sites are registered in Korea [and] only make use of the HTTP protocol.”
The disclosure arrives as APT37 has also been noticed earning use of CHM files in phishing e-mails impersonating security email messages from economic institutes and insurance policies providers to deploy data-thieving malware and other binaries, in accordance to the AhnLab Security Crisis Response Centre (ASEC).
“In specific, malware that targets unique people in Korea may perhaps include things like information on topics of interest to the consumer to persuade them to execute the malware, so end users should refrain from opening e-mail from mysterious resources and need to not execute their attachments,” ASEC reported.
Upcoming WEBINARShield From Insider Threats: Learn SaaS Security Posture Management
Anxious about insider threats? We’ve bought you lined! Be part of this webinar to check out functional procedures and the techniques of proactive security with SaaS Security Posture Administration.
APT37 is a single of the several North Korean point out-sponsored groups that have drawn notice for executing attacks that are created to perpetrate economical theft – like the modern attacks on Alphapo and CoinsPaid – and obtain intelligence in pursuit of the regime’s political and national security aims.
This also comprises the infamous Lazarus Group and its sub-clusters Andariel and BlueNoroff, with the actors leveraging a new backdoor dubbed ScoutEngine and a completely rewritten version of a malware framework called MATA (MATAv5) in intrusions aimed at protection contractors in Eastern Europe in September 2022.
“This sophisticated malware, completely rewritten from scratch, reveals an advanced and complicated architecture that will make use of loadable and embedded modules and plugins,” Kaspersky reported in its APT traits report for Q2 2023.
“The malware leverages Inter-System Communication (IPC) channels internally and employs a diverse range of instructions, enabling it to build proxy chains across a variety of protocols, such as inside the victim’s environment.”
Found this short article intriguing? Abide by us on Twitter and LinkedIn to examine additional unique articles we put up.
Some sections of this posting are sourced from: