
Threat actors likely linked to the Democratic People's Republic of Korea (DPRK) have been observed using GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea.
The attack chain, per Fortinet FortiGuard Labs, involves obfuscated Windows shortcut (LNK) files acting as the starting point to drop a decoy PDF document and a PowerShell script that sets the stage for the next phase of the attack. It is assessed that these LNK files are distributed via phishing emails.
As soon as the payloads are downloaded, the victim is shown the PDF document, while the malicious PowerShell script runs silently in the background. The PowerShell script performs checks to resist analysis by scanning for running processes related to virtual machines, debuggers, and forensic tools. If any of those processes are detected, the script immediately terminates.
Otherwise, it extracts a Visual Basic Script (VBScript) and sets up persistence using a scheduled task that launches the PowerShell payload every 30 minutes in a hidden window to sidestep detection. This ensures that the PowerShell script is executed automatically after every system reboot.
The PowerShell script then profiles the compromised host, saves the result to a log file, and exfiltrates it to a GitHub repository created under the account "motoralis" using a hard-coded access token. Some of the GitHub accounts created as part of the campaign include "God0808RAMA," "Pigresy80," "entire73," "pandora0009," and "brandonleeodd93-blip."
The script then parses a specific file in the same GitHub repository to fetch additional modules or instructions, thus allowing the operator to weaponize the trust associated with a platform like GitHub to blend in and maintain persistent control over the infected host.
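Two of the behaviours described above, a scheduled task that runs PowerShell in a hidden window on a minute-level repeat and PowerShell itself (rather than git or a browser) talking to GitHub, are cheap to hunt for in endpoint telemetry. The script below is an added example, not code from the Fortinet report: the events are constructed Sysmon-style records, and the `schtasks` command line is an assumed way such a task could be registered, not one the report shows.

```python
"""Hunt for the GitHub-as-C2 pattern in constructed process-creation and
network-connection events (simplified Sysmon-style records, not real telemetry)."""
import re

# Constructed sample events: id 1 = process create, id 3 = network connection.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /SC MINUTE /MO 30 /TN "Updater" '
                '/TR "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\u.ps1"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.github.com", "dest_port": 443},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /SC DAILY /TN "Backup" /TR "backup.exe"'},
    {"id": 3, "image": r"C:\Program Files\Git\mingw64\bin\git.exe",
     "dest_host": "github.com", "dest_port": 443},
]

# PowerShell launched with -WindowStyle Hidden (or the short form -w h).
HIDDEN_PS = re.compile(r"powershell(\.exe)?\s.*-w(indowstyle)?\s+h(idden)?", re.I)
GITHUB_HOSTS = {"api.github.com", "github.com", "raw.githubusercontent.com"}

def is_hidden_ps_task(ev):
    """Scheduled task registered with a minute-based repeat that runs hidden PowerShell."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("schtasks.exe"):
        return False
    cmd = ev["cmdline"]
    repeats = re.search(r"/SC\s+MINUTE\b", cmd, re.I) and re.search(r"/MO\s+\d+", cmd, re.I)
    return bool(repeats and HIDDEN_PS.search(cmd))

def is_ps_to_github(ev):
    """PowerShell process (not git, a browser, etc.) connecting to a GitHub endpoint."""
    if ev["id"] != 3 or "powershell" not in ev["image"].lower():
        return False
    return ev["dest_host"].lower() in GITHUB_HOSTS

def hunt(events):
    """Return (rule_name, event) pairs that deserve analyst attention."""
    hits = []
    for ev in events:
        if is_hidden_ps_task(ev):
            hits.append(("hidden_powershell_scheduled_task", ev))
        if is_ps_to_github(ev):
            hits.append(("powershell_github_connection", ev))
    return hits
```

Either rule alone is noisy in developer-heavy environments; the two firing on the same host within a short window is the signal worth paging on.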
Fortinet said that earlier iterations of the campaign relied on LNK files to spread malware families like Xeno RAT. It's worth noting that the use of GitHub C2 to distribute Xeno RAT and its variant MoonPeak was documented by ENKI and Trellix last year. These attacks were attributed to a North Korean state-sponsored group known as Kimsuky.

"Instead of relying on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence," security researcher Cara Lin said. "By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate."
The disclosure comes as AhnLab detailed a similar LNK-based infection chain from Kimsuky that ultimately results in the deployment of a Python-based backdoor.
The LNK files, as before, execute a PowerShell script and create a hidden folder in the "C:\windirr" path to stage the payloads, including a decoy PDF and another LNK file that mimics a Hangul Word Processor (HWP) document. Also deployed are intermediate payloads to set up persistence and launch a PowerShell script, which then uses Dropbox as a C2 channel to fetch a batch script.
The batch file then downloads two separate ZIP file fragments from a remote server ("quickcon[.]store"), combines them into a single archive, and extracts from it an XML task scheduler definition and a Python backdoor. The scheduled task is used to launch the implant.
The Python-based malware supports the ability to download additional payloads and execute commands issued from the C2 server. The instructions allow it to run shell scripts, list directories, upload/download/delete files, and run BAT, VBScript, and EXE files.
The findings also coincide with ScarCruft's shift from traditional LNK-based attack chains to an HWP OLE-based dropper to deliver RokRAT, a remote access trojan exclusively used by the North Korean hacking group, per S2W. Specifically, the malware is embedded as an OLE object within an HWP document and executed via DLL side-loading.
"Unlike earlier attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload," the South Korean security company said.

