Alert: Kimsuky Hacking Group Targets Human Rights Activists
As per recent reports, a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, built on fictitious identities, marks a significant shift from the group's usual email-based spear-phishing. According to a report by South Korean cybersecurity firm Genians, the attackers pose as public officials in the North Korean human rights sector to deceive their targets via Facebook Messenger.
A Sophisticated Multi-Stage Attack
The Kimsuky hacking group specifically targets people engaged in North Korean human rights activism and anti-North Korea activities. Unlike conventional methods, this approach leverages social media to build trust and deliver Kimsuky malware. The attackers create fake Facebook profiles, pretending to be legitimate individuals, to initiate contact and lure the targets into opening malicious documents.
Leveraging Social Media for Deception
The attack’s novelty lies in its use of Facebook Messenger rather than email to deliver the payload. The North Korean hackers send messages containing links to seemingly innocuous documents hosted on OneDrive. These documents, named “My_Essay(prof).msc” or “NZZ_Interview_Kohei Yamamoto.msc,” appear to be essays or interview content related to a trilateral summit between Japan, South Korea, and the U.S. One such document was uploaded to the VirusTotal platform on April 5, 2024, from Japan, suggesting a focus on targets in Japan and South Korea.
Uncommon Document Types to Evade Detection
Kimsuky’s use of MSC files, a less common document type, helps the group evade detection. These files are disguised with Word processor icons to trick victims into opening them. When a victim launches the MSC file and agrees to open it with Microsoft Management Console (MMC), they see a console screen displaying a Word document. This document activates a sequence that establishes a connection with an attacker-controlled server, brandwizer.co[.]in.
The Attack Sequence Of Kimsuky Hacking Group
Reports claim that upon opening the document, the victim unknowingly runs a command that connects to the adversary’s server. This server displays another document hosted on Google Drive, titled “Essay on Resolution of Korean Forced Labor Claims.docx.” Meanwhile, in the background, additional commands are executed to ensure persistence and gather information such as battery and process data from the victim’s device.
The collected information is then sent to the command-and-control (C2) server. This server can also collect IP addresses, User-Agent strings, and timestamp information from HTTP requests, delivering further malicious payloads as needed. The tactics, techniques, and procedures (TTPs) observed in this espionage campaign overlap with previous Kimsuky activities, including the distribution of malware like ReconShark, as detailed by SentinelOne in May 2023.
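The chain described above (mmc.exe opening an .msc from a download location, a command interpreter spawned underneath it, and a lookup of the attacker's domain) is well suited to endpoint telemetry. The following is an added detection example written for this post; it is not code from Genians, the source articles, or any vendor. It runs over constructed Sysmon-style JSON events (process creation and DNS query records that I made up for illustration), and the only real indicator in it is the brandwizer.co[.]in domain quoted in the article. Each indicator alone is weak (administrators open services.msc all day), so the script correlates findings back to the originating mmc.exe process and only raises an alert when two or more distinct indicators share one process chain.

```python
import json

# Domain reported in the article (defanged there as brandwizer.co[.]in).
KNOWN_C2_DOMAINS = {"brandwizer.co.in"}

# Interpreters that a management console file has no business launching.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Locations a legitimately installed console would not normally live in.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\desktop\\", "\\appdata\\")

# Constructed sample telemetry, one JSON event per line (not real logs).
# Loosely modelled on Sysmon event 1 (process create) and 22 (DNS query).
SAMPLE_EVENTS = r"""
{"event": "process_create", "pid": 4100, "ppid": 800, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"event": "process_create", "pid": 4212, "ppid": 4100, "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "\"C:\\Windows\\System32\\mmc.exe\" \"C:\\Users\\alice\\Downloads\\My_Essay(prof).msc\""}
{"event": "process_create", "pid": 4300, "ppid": 4212, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c <elided>"}
{"event": "dns_query", "pid": 4300, "image": "C:\\Windows\\System32\\cmd.exe", "query": "brandwizer.co.in"}
{"event": "process_create", "pid": 5000, "ppid": 4100, "image": "C:\\Windows\\System32\\mmc.exe", "cmdline": "mmc.exe C:\\Windows\\System32\\services.msc"}
{"event": "dns_query", "pid": 5000, "image": "C:\\Windows\\System32\\mmc.exe", "query": "update.microsoft.com"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msc_from_user_dir(cmdline):
    """True if the command line loads an .msc from a user-writable directory."""
    lower = cmdline.lower()
    return ".msc" in lower and any(m in lower for m in USER_WRITABLE_MARKERS)


def mmc_ancestor(pid, procs):
    """Walk the parent chain and return the pid of the nearest mmc.exe, if any."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if basename(procs[pid]["image"]) == "mmc.exe":
            return pid
        pid = procs[pid]["ppid"]
    return None


def analyze(events):
    """Return (indicator, pid, detail) tuples for every matching event."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    findings = []
    for e in events:
        if e["event"] == "process_create":
            name = basename(e["image"])
            if name == "mmc.exe" and msc_from_user_dir(e["cmdline"]):
                findings.append(("msc_from_user_dir", e["pid"], e["cmdline"]))
            parent = procs.get(e["ppid"])
            if parent and basename(parent["image"]) == "mmc.exe" and name in SUSPICIOUS_CHILDREN:
                findings.append(("mmc_spawned_interpreter", e["pid"], name))
        elif e["event"] == "dns_query":
            if e["query"].lower().rstrip(".") in KNOWN_C2_DOMAINS:
                findings.append(("known_c2_domain", e["pid"], e["query"]))
    return findings


def correlate(findings, events, min_indicators=2):
    """Group findings by their mmc.exe ancestor; alert on chains with >= min_indicators."""
    procs = {e["pid"]: e for e in events if e["event"] == "process_create"}
    chains = {}
    for indicator, pid, _detail in findings:
        root = mmc_ancestor(pid, procs)
        if root is not None:
            chains.setdefault(root, set()).add(indicator)
    return {root: kinds for root, kinds in chains.items() if len(kinds) >= min_indicators}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = analyze(evs)
    for f in found:
        print("finding:", f)
    for root, kinds in correlate(found, evs).items():
        print(f"ALERT mmc.exe pid {root}: {sorted(kinds)}")
```

On the sample data the benign services.msc session (pid 5000) produces no finding at all, while the download-launched console (pid 4212) accumulates all three indicators and is the only chain that alerts. In a real deployment the same correlation would be expressed as a SIEM rule over your EDR's process and DNS events; the point of the script is the grouping by mmc.exe ancestor, which is what separates an analyst opening an administrative console from a console file that was just received over a messenger.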
The Increasing Threat of Social Media-Based Targeted Cyber Attacks
Genians highlights that in the first quarter of this year, social engineering (spear phishing) was the most common method of advanced persistent threat (APT) attacks reported in South Korea. However, covert attacks via social media, though less frequently reported, are also on the rise. These personalized attacks are difficult to detect with traditional security monitoring tools and often go unreported, even when victims are aware of them.
Given their personalized nature, these social media-based targeted attacks pose a significant challenge for cybersecurity. Early detection of such threats is crucial to mitigate their impact. As attackers continue to refine their methods, organizations and individuals must stay vigilant and adopt robust security measures to protect themselves against these evolving threats.
Conclusion
The Kimsuky hacking group’s latest campaign underscores the growing sophistication of cyber attack tactics. By exploiting social media platforms like Facebook, these attackers can reach their targets in more personalized and deceptive ways, causing network security breaches. Awareness and early detection are key to defending against such threats and ensuring the security of individuals and organizations working in sensitive sectors.
The sources for this piece include articles in The Hacker News and Security Affairs.