North Korean Actors Exploit GitHub in Multi-Stage Malware Campaign Against South Korea
Severity: High (Score: 75.5)
Sources: Scworld, Cybersecuritynews, Infosecurity-Magazine, Gbhackers
Summary
A sophisticated malware campaign targeting users in South Korea has been identified, utilizing malicious LNK files that leverage GitHub as a command and control (C2) infrastructure. The campaign, attributed to North Korean state actors, employs a multi-stage attack chain that includes hidden PowerShell scripts and decoy PDF documents to evade detection. Initial versions of the malware date back to 2024, but recent iterations have removed identifying metadata and introduced advanced obfuscation techniques. The attack begins with LNK files that execute scripts to retrieve commands from GitHub, allowing attackers to maintain persistence and exfiltrate sensitive data. The malware continuously connects to GitHub to download additional payloads and instructions, raising alarms about the use of legitimate platforms for malicious activities. Security experts emphasize the need for heightened vigilance as this method blurs the lines between normal and malicious traffic.
Key Points
- North Korean state actors are behind a targeted malware campaign using LNK files.
- The malware employs GitHub as a covert command and control infrastructure.
- Recent versions of the malware have enhanced obfuscation and removed metadata for stealth.
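As an added illustration of how a defender might hunt for the chain described above (LNK launch, hidden PowerShell, fetch from GitHub, scheduled-task persistence), the following detection sketch is not from the cited sources; the Sysmon-like event fields, the GitHub host list and the sample events are constructed assumptions.

```python
"""Correlate process-creation and network events to flag the LNK -> hidden PowerShell ->
GitHub fetch -> scheduled-task pattern. Event schema and samples are constructed."""

# Assumption: GitHub-hosted content is served from these hosts (the report only says "GitHub").
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com",
                "gist.githubusercontent.com"}
# PowerShell switches typical of script launchers that want to stay invisible (T1059.001).
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                "-ep bypass", "-executionpolicy bypass", "-enc ", "-encodedcommand ")
# An LNK double-clicked in Explorer is spawned by explorer.exe, often via cmd.exe.
LNK_PARENTS = {"explorer.exe", "cmd.exe"}

# Constructed sample telemetry (not from the page): process creations and a network
# connection, correlated by pid. pid 5000 is a benign developer shell talking to GitHub.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c start "" "report.pdf.lnk"'},
    {"type": "process", "pid": 4102, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -ep bypass -c "<stage-2 loader, redacted>"'},
    {"type": "network", "pid": 4102, "dest_host": "raw.githubusercontent.com", "dest_port": 443},
    {"type": "process", "pid": 4103,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn Updater /tr "powershell -w hidden -File u.ps1"'},
    {"type": "process", "pid": 5000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"type": "network", "pid": 5000, "dest_host": "api.github.com", "dest_port": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule_name) alerts; only PowerShell already flagged as a hidden launcher
    counts when it then reaches GitHub, so ordinary developer traffic is not alerted on."""
    alerts, staged = [], set()
    for p in (e for e in events if e["type"] == "process"):
        cmd, image, parent = p["cmdline"].lower(), basename(p["image"]), basename(p["parent_image"])
        if image == "powershell.exe" and parent in LNK_PARENTS and any(f in cmd for f in HIDDEN_FLAGS):
            alerts.append((p["pid"], "hidden_powershell_from_shell_chain"))
            staged.add(p["pid"])
        if image == "schtasks.exe" and "/create" in cmd and "powershell" in cmd and parent == "powershell.exe":
            alerts.append((p["pid"], "scheduled_task_persistence"))  # T1053 via T1059.001
    for n in (e for e in events if e["type"] == "network"):
        if n["pid"] in staged and n["dest_host"].lower() in GITHUB_HOSTS:
            alerts.append((n["pid"], "github_fetch_from_staged_powershell"))  # T1071 over legit platform
    return alerts
```

Feeding real Sysmon Event ID 1 and 3 records in this shape gives the same correlation; tune HIDDEN_FLAGS and LNK_PARENTS to local baselines to keep the GitHub-traffic rule from firing on developers.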
Key Entities
- Malware (attack_type)
- Phishing (attack_type)
- North Korea (country)
- South Korea (country)
- XenoRAT (malware)
- T1053 - Scheduled Task/Job (mitre_attack)
- T1059.001 - PowerShell (mitre_attack)
- T1059.005 - Visual Basic (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1566.001 - Spearphishing Attachment (mitre_attack)
- GitHub (platform)
- Windows (platform)
- PowerShell (tool)
- VBScript (tool)