North Korean Actors Exploit GitHub for Phishing Attacks in South Korea

Severity: High (Score: 75.5)

Sources: Cybersecuritynews, Infosecurity-Magazine, Gbhackers

Summary

A new cyber campaign linked to North Korean state-sponsored actors has been identified targeting organizations in South Korea with malicious LNK files. The LNK files serve as the phishing vector, and the campaign uses GitHub as covert command and control infrastructure. The attack is multi-stage: PowerShell scripts embedded in the LNK files execute commands silently and maintain persistence. Recent versions of the malware have improved obfuscation, making detection harder. The campaign has been active since at least 2024, and its tactics now include decoy PDF documents to distract victims. Security experts stress the need for heightened vigilance, as the attack marks a shift towards abusing legitimate platforms for malicious purposes. Fortinet's advisory highlights the sophistication of the attack, whose traffic can blend in with normal network activity.

Key Points:

  • North Korean state actors are using LNK files for targeted phishing attacks in South Korea.
  • The campaign uses GitHub as command and control infrastructure, complicating detection.
  • Recent malware variants have enhanced obfuscation techniques, making attribution difficult.

Key Entities

  • Malware (attack_type)
  • Phishing (attack_type)
  • North Korea (country)
  • South Korea (country)
  • XenoRAT (malware)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.005 - Visual Basic (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • GitHub (platform)
  • Windows (platform)
  • PowerShell (tool)
  • VBScript (tool)