North Korean Hackers Utilize Facebook Messenger in Focused Malware Offensive

The North Korea-linked Kimsuky hacking group has been assigned to a new social engineering attack that utilizes fictional Facebook accounts to targets through Messenger and eventually offers malware. "The threat actor made a Facebook account with a fake individuality hidden as a public administrator operating in the North Korean human rights domain," South Korean cybersecurity enterprise Genians stated in a statement issued prior week.

The multi-stage attack movement, which mimics an adequate person, is created to target activists in the North Korean human rights and anti-North Korea sectors, it stated. The method is exiting from the regular email-based spear-phishing technique in that it leverages the social media medium to approach targets via Facebook Messenger and fool them into extending individual records written by the persona.

The decoy records, hosted on OneDrive, is a Microsoft Common Console document that masquerades as an article or range connected to a trilateral meeting between Japan, South Korea, and the U.S. -- "My_Essay(prof).msc" or "NZZ_Interview_Kohei Yamamoto.msc" -- with the latter uploaded to the VirusTotal medium on April 5, 2024, from Japan. This increases the probability that the movement may be introduced toward targeting specific individuals in Japan and South Korea.

The use of MSC files to rip off the attack is a warning that Kimsuky is using unique document classes to fly beneath the radar. In a further try to improve the possibility of victory of the disease, the document is hidden as an innocent Word file utilizing the word processor's icon. Should a target take the MSC file and get approval to open it operating Microsoft Management Console (MMC), they are shown a console screen containing a Word document that, when established, triggers the attack series.

This implicates executing an order to show an association with an adversary-controlled server ("[.]in") to show a document hosted on Google Drive ("Essay on Resolution of Korean Forced Labor Claims.docx"), while further instructions are performed in the background to set up perseverance as well as manage battery and process data. The collected data is then exfiltrated to the command-and-control (C2) server, which is also qualified for gathering IP addresses, User-Agent series, and timestamp data from the HTTP demands, and providing appropriate payloads as required.

Genians said that some of the tactics, strategies, and processes (TTPs) assumed in the movement overlap with prior Kimsuky actions spreading malware such as ReconShark, which was described by the SentinelOne in May 2023. "In the foremost quarter of this year, spear phishing attacks were the numerous common technique of APT attacks noted in South Korea," the organization mentioned.

 "Although not generally informed, hidden attacks through social media are also happening." "Due to their one-on-one, personalized character, they are not readily noticed by protection monitoring and are infrequently reported externally, actually if the victim is aware of them. Thus, it is very necessary to catch these personalized hazards at an earlier phase."