Kimsuky cyber spies gain remote access to confidential research in South Korea

North Korea has found a method of stealthy theft of intellectual property.

According to the AhnLab Security Emergency Response Center (ASEC), the North Korean hacker group Kimsuky has carried out a series of attacks on research institutes in South Korea. The main purpose of the attacks is to plant backdoors on compromised systems in order to steal information and execute commands.

The attack chain begins with the distribution of JSE files (JScript Encoded File) disguised as import declarations. The file contains Base64-obfuscated PowerShell scripts, encrypted data, and a decoy PDF document. When run, it opens the PDF file as a distraction while the PowerShell script activates the backdoor in the background.
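For triage of a dropper built the way ASEC describes (a script wrapper carrying Base64 blobs that decode to a PowerShell launcher and a decoy PDF), the following added example, not code from the original post or from ASEC, pulls the long Base64 runs out of script text, decodes them and classifies each one; the sample input is constructed from harmless text, and the marker list and length threshold are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample mimicking the described structure: a JScript wrapper
# holding a Base64 PowerShell stub and a Base64 PDF. Built from harmless
# text here, not taken from any real sample.
_PS_STUB = b'Start-Process "decoy.pdf"; Invoke-Expression $payload'
_PDF_STUB = b"%PDF-1.4\n% decoy document placeholder\n"
SAMPLE_JSE = (
    'var a = "' + base64.b64encode(_PS_STUB).decode() + '";\n'
    'var b = "' + base64.b64encode(_PDF_STUB).decode() + '";\n'
    'var c = "c2hvcnQ=";\n'  # short blob, below the length threshold
)

# Assumed heuristics: a Base64 run of at least 40 characters is worth
# decoding, and these substrings mark PowerShell launcher content.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PS_MARKERS = (b"powershell", b"invoke-expression", b"iex ", b"start-process",
              b"-enc", b"frombase64string")


def scan_jse_text(text):
    """Decode each long Base64 run and label it: powershell, pdf or other."""
    findings = []
    for m in B64_RUN.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid Base64 (e.g. a long identifier or hex run)
        low = raw.lower()
        if raw.startswith(b"%PDF"):
            kind = "pdf"
        elif any(k in low for k in PS_MARKERS):
            kind = "powershell"
        else:
            kind = "other"
        findings.append({"offset": m.start(), "length": len(blob), "kind": kind})
    return findings


def is_suspicious(findings):
    """Stage-one verdict: an encoded PowerShell blob beside an embedded PDF."""
    kinds = {f["kind"] for f in findings}
    return "powershell" in kinds and "pdf" in kinds
```

Running it against the real file behind the decoded JSE would usually be followed by inspecting the decoded blobs by hand, since a single marker hit is only a triage signal.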

The backdoor, in turn, is configured to collect network information and other relevant data (for example, host name, user name, operating system version) and transmit the encoded data to the remote server. In addition, the backdoor can execute commands, launch additional payloads, and delete itself, giving the operators remote access to the infected host.

In addition, the group used fake URLs to deliver fake ZIP archives disguised as Chrome browser updates and to deploy malicious VBScript from Google Drive, using the cloud storage both for data theft and as a command-and-control (C2) server.

Kimsuky has been active since 2012 and initially targeted South Korean government agencies, think tanks, and experts in various fields. Later, the group expanded its activities to include Europe and the United States. In December, the U.S. Treasury Department imposed sanctions on Kimsuky for collecting intelligence to support North Korea's strategic goals, including geopolitical developments, foreign policy, and diplomatic efforts.