
North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign

May 16, 2024 | Newsroom | Malware / Cyber Espionage


The North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that employs fictitious Facebook accounts to reach targets via Messenger and ultimately delivers malware.

"The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field," South Korean cybersecurity company Genians said in a report published last week.

The multi-stage attack campaign, which impersonates a legitimate individual, is designed to target activists in the North Korean human rights and anti-North Korea sectors, it noted.

The approach is a departure from the typical email-based spear-phishing strategy in that it leverages the social media platform to approach targets through Facebook Messenger and trick them into opening seemingly private documents written by the persona.


The decoy document, hosted on OneDrive, is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. — "My_Essay(prof).msc" or "NZZ_Interview_Kohei Yamamoto.msc" — with the latter uploaded to the VirusTotal platform on April 5, 2024, from Japan.

This raises the possibility that the campaign may be oriented toward targeting specific people in Japan and South Korea.

The use of MSC files to pull off the attack is a sign that Kimsuky is using uncommon document types to fly under the radar. In a further attempt to increase the likelihood of a successful infection, the file is disguised as an innocuous Word file using the word processor's icon.

Should a victim launch the MSC file and consent to opening it using Microsoft Management Console (MMC), they are shown a console screen containing a Word document that, when launched, triggers the attack sequence.

This involves running a command to establish a connection with an adversary-controlled server ("[.]in") to display a document hosted on Google Drive ("Essay on Resolution of Korean Forced Labor Claims.docx"), while additional instructions are executed in the background to set up persistence as well as collect battery and process information.


The gathered information is then exfiltrated to the command-and-control (C2) server, which is also capable of harvesting IP addresses, User-Agent strings, and timestamp information from the HTTP requests, and delivering relevant payloads as necessary.
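Because MSC files are XML console definitions, a defender can triage a suspicious one offline by looking for command lines or URLs embedded anywhere in the document. The following scanner is an added example, not code from the Genians report or from any vendor tool; the sample console file, its element layout and its values are constructed for illustration and are not the campaign's actual files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal MMC console file whose string table and
# taskpad carry a command line. The element names follow the XML layout
# this example assumes for .msc files; the values are made up.
SAMPLE_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">My_Essay(prof)</String>
        <String ID="2" Refs="1">cmd.exe /c start https://example.invalid/doc.docx</String>
      </Strings>
    </StringTable>
  </StringTables>
  <TaskpadTasks>
    <Task Type="CommandLine">
      <Command>cmd.exe</Command>
      <Params>/c powershell -w hidden -enc AAAA</Params>
    </Task>
  </TaskpadTasks>
</MMC_ConsoleFile>
"""

# Strings a benign console file has no reason to contain: shells,
# script hosts, LOLBins commonly used as launchers, and web URLs.
SUSPICIOUS = re.compile(
    r"(cmd\.exe|powershell|mshta|wscript|cscript|rundll32|https?://|\.exe\b)",
    re.IGNORECASE,
)


def _walk(elem, path=""):
    """Yield (path, element) pairs for the whole tree in document order."""
    path = f"{path}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def find_suspicious_strings(msc_xml: str) -> list[tuple[str, str]]:
    """Return (element path, value) for every text node or attribute that
    matches SUSPICIOUS. The whole tree is scanned rather than only the
    taskpad, so a command hidden in a string table is still reported."""
    hits = []
    for path, elem in _walk(ET.fromstring(msc_xml)):
        for value in [elem.text or ""] + list(elem.attrib.values()):
            if SUSPICIOUS.search(value):
                hits.append((path, value.strip()))
    return hits


if __name__ == "__main__":
    for path, value in find_suspicious_strings(SAMPLE_MSC):
        print(f"{path}: {value}")
```

Running it on a real console file only needs `find_suspicious_strings(open(path).read())`; any hit is a reason to open the file in a sandbox rather than on a user's workstation.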

Genians said that some of the tactics, techniques, and procedures (TTPs) adopted in the campaign overlap with prior Kimsuky activity disseminating malware such as ReconShark, which was detailed by SentinelOne in May 2023.

"In the first quarter of this year, spear phishing attacks were the most common method of APT attacks reported in South Korea," the company noted. "Although not commonly reported, covert attacks via social media are also occurring."

"Due to their one-on-one, personalized nature, they are not easily detected by security monitoring and are rarely reported externally, even when the victim is aware of them. Therefore, it is very important to detect these personalized threats at an early stage."
