At a glance.
- North Korea's Kimsuky group launches new malware campaign.
- IMF email accounts compromised.
- Fujitsu discloses cyberattack.
North Korea's Kimsuky group launches new malware campaign.
Securonix has published a report on a new campaign tracked as DEEP#GOSU that's likely tied to North Korea's Kimsuky group. The researchers note, "While the targeting of South Korean victims by the Kimsuky group happened before, from the tradecraft observed it’s apparent that the group has shifted to using a new script-based attack chain that leverages multiple PowerShell and VBScript stagers to quietly infect systems. The later-stage scripts allow the attackers to monitor clipboard, keystroke, and other session activity."
The lure is a Windows shortcut (.lnk) file, far larger than a normal shortcut because it carries both a PowerShell script and an entire PDF: opening the shortcut runs the script, which presents the PDF as a decoy. Securonix states, "What makes this tactic clever is that there is technically no PDF file contained within the initial zip file sent to the victim. When the user clicks the PDF lure (shortcut file) they’re immediately presented with a PDF file thus removing any concern that anything unexpected happened. The PDF lure document is in Korean and appears to be an announcement regarding the son of Korean Airlines CEO Choi Hyun (the late Choi Yul) and states that the son has passed away due to a car accident. The rest contains details and dates of the funeral hall."
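The triage check a defender would build from that description, as an added example that is not from the Securonix report or this article: a Python script that verifies a shortcut's header, flags an oversized file, looks for a PowerShell launcher in both the raw bytes and a UTF-16LE decoding (the encoding a shortcut normally uses for its command line), and carves out any PDF appended to the file. The size threshold, the flagging heuristic and the sample shortcut it scans are constructed assumptions, not indicators from the report.

```python
"""Triage Windows shortcut (.lnk) files for an embedded PowerShell launcher
and a carved-out decoy PDF, the layout described for the DEEP#GOSU lure."""
import re
import sys
from typing import List, Optional

# Shell link header: DWORD size 0x4C, then LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
LNK_HEADER_SIZE = 0x4C

# Hypothetical triage threshold (assumption, not from the report): ordinary
# shortcuts are a few KB, so anything larger deserves a look.
OVERSIZE_THRESHOLD = 64 * 1024

POWERSHELL_MARKERS = [
    r"powershell(?:\.exe)?",
    r"\bpwsh(?:\.exe)?",
    r"-(?:enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    r"-(?:w|windowstyle)\s+hidden",
    r"-(?:ep|executionpolicy)\s+bypass",
    r"\bIEX\b|Invoke-Expression",
]


def is_lnk(data: bytes) -> bool:
    return data.startswith(LNK_MAGIC)


def _text_views(data: bytes) -> List[str]:
    """Byte-for-byte view plus UTF-16LE decodings at both alignments: the
    command line of a real shortcut is normally stored as UTF-16LE."""
    views = [data.decode("latin-1")]
    for off in (0, 1):
        chunk = data[off:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        views.append(chunk.decode("utf-16-le", errors="ignore"))
    return views


def find_powershell_indicators(data: bytes) -> List[str]:
    hits = set()
    for view in _text_views(data):
        for pat in POWERSHELL_MARKERS:
            for m in re.finditer(pat, view, re.IGNORECASE):
                hits.add(m.group(0).lower())
    return sorted(hits)


def carve_pdf(data: bytes) -> Optional[bytes]:
    """Return the bytes from the first %PDF- header to the last %%EOF."""
    start = data.find(b"%PDF-")
    end = data.rfind(b"%%EOF")
    if start < 0 or end < start:
        return None
    return data[start:end + len(b"%%EOF")]


def triage_lnk(data: bytes) -> dict:
    ps = find_powershell_indicators(data)
    pdf = carve_pdf(data)
    lnk = is_lnk(data)
    oversized = len(data) > OVERSIZE_THRESHOLD
    # Heuristic (assumption): a shortcut carrying a whole PDF, or an oversized
    # shortcut that launches PowerShell, matches the lure layout; a small
    # shortcut that merely points at PowerShell is normal admin practice.
    return {
        "is_lnk": lnk,
        "size": len(data),
        "oversized": oversized,
        "powershell_indicators": ps,
        "embedded_pdf_bytes": len(pdf) if pdf else 0,
        "suspicious": lnk and (pdf is not None or (oversized and bool(ps))),
    }


# Constructed decoy: a minimal but well-formed PDF standing in for the lure.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF")


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the lure, not a real sample: LNK header,
    a UTF-16LE PowerShell command line, padding, then the decoy PDF."""
    header = LNK_MAGIC + b"\x00" * (LNK_HEADER_SIZE - len(LNK_MAGIC))
    cmd = ('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
           '-w hidden -ep bypass -c "$f=Get-ChildItem *.lnk"').encode("utf-16-le")
    return header + cmd + b"\x00" * OVERSIZE_THRESHOLD + SAMPLE_PDF


def build_benign_lnk() -> bytes:
    """Constructed ordinary shortcut for comparison."""
    header = LNK_MAGIC + b"\x00" * (LNK_HEADER_SIZE - len(LNK_MAGIC))
    return header + "C:\\Windows\\notepad.exe".encode("utf-16-le")


if __name__ == "__main__":
    targets = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_lnk()]
    for blob in targets:
        print(triage_lnk(blob))
```

Run it with one or more .lnk paths to triage real files, or with no arguments to see the verdict on the constructed sample. Scanning the UTF-16LE view at both byte alignments matters because the shortcut's string fields follow variable-length structures and can start at an odd offset; the raw latin-1 view is what catches a script or PDF simply appended after the shortcut structures.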