North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign

A newly discovered social engineering attack that uses fictitious Facebook accounts to approach targets via Messenger has been attributed to the North Korea-linked APT group Kimsuky, with the intent of delivering malware to the victim. These fictitious accounts are created with a fake identity disguised as a North Korean human rights public official. The multi-stage attack is designed to target activists in anti-North Korea sectors. Because one of the decoy documents was uploaded to VirusTotal from Japan, we assert this attack may be oriented toward targeting specific individuals in Japan and South Korea. The same C2 server used in this attack was also seen in a similar previous attack, samples of which were uploaded to VirusTotal. The use of MSC files to pull off the attack is a sign that Kimsuky is utilizing uncommon document types to fly under the radar, disguising their icons as Word document icons to increase the chances of success. What is particularly interesting is that when the malicious decoy file (NZZ_Interview_Kohei Yamamoto) was uploaded to VirusTotal, all 60 multinational anti-malware scanners failed to detect any threats. When the MSC file is launched, it begins the attack sequence. The malware establishes a connection to an adversary’s C2 server to establish persistence, exfiltrate information, and deliver further payloads as necessary. Genians said that some of the tactics, techniques, and procedures (TTPs) adopted in the campaign overlap with prior Kimsuky activity disseminating malware such as ReconShark, which was detailed by SentinelOne in May 2023.

Security Officer Comments:
Unlike traditional methods of targeted initial access such as email spear-phishing, this attack leverages Facebook to approach its targets via Messenger and trick them into opening decoy documents that masquerade as an essay or other relevant content, delivering the first stage of malware in the attack chain. One of these decoys was uploaded to VirusTotal on April 5th, 2024 from Japan, and based on artifacts discovered in this attack, it is likely part of the BabyShark/ReconShark campaign Kimsuky has been conducting. Among the APT attacks reported in Korea in the first quarter of this year, the most representative method is the spear-phishing attack. However, the method of combining shortcut (LNK) type malicious files is also steadily becoming popular. Covert attacks through social media, despite being reported less frequently, are much more difficult to detect through cybersecurity monitoring, which makes it essential to detect customized threats like these at an early stage of the attack chain.

Suggested Corrections:
IOCs for this Kimsuky campaign can be found in Genians’ blog post.

Using malicious MSC files, which are not a common attack vector, is likely a defense evasion technique to avoid common detection methods. If a signature-based first line of defense is ineffective, companies or organizations must utilize specialized security solutions that detect behavior-based anomalies. It is very important to detect these customized threats at an early stage.
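As an added illustration of what a behavior-based check for this technique can look like (example code written for this summary, not from Genians’ report or the campaign itself), the Python script below hunts process-creation telemetry for mmc.exe opening an .msc console from outside the Windows system directory. Legitimate consoles such as eventvwr.msc live under System32; a decoy delivered over Messenger and opened from Downloads does not, regardless of what icon it shows or whether a signature exists for it. The Sysmon-style field names (Image, CommandLine, ParentImage), the sample events, the decoy file name reused from the advisory, the document-style double-extension heuristic and the C:\Windows path prefixes are all assumptions made for this example.

```python
"""Hunt process-creation events for MSC consoles launched from user locations.

Assumptions (not from the advisory): telemetry is available as Sysmon-style
dicts or JSON lines with "Image", "CommandLine" and "ParentImage" fields, and
Windows is installed under C:\\Windows. All sample events are constructed.
"""
import json
import re
from pathlib import PureWindowsPath

# Directories where Windows ships its own consoles (assumed install path).
SYSTEM_CONSOLE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Substrings that indicate a user-writable location (assumption).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\")

# Extracts an .msc argument, quoted (may contain spaces) or bare.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)

# Constructed sample telemetry: a benign Event Viewer launch, a decoy console
# opened from Downloads (file name taken from the advisory), and an unrelated
# Notepad launch that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\NZZ_Interview_Kohei Yamamoto.msc"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\notes.txt',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def msc_argument(command_line: str):
    """Return the first .msc path found on the command line, or None."""
    for quoted, bare in MSC_ARG.findall(command_line):
        return quoted or bare
    return None


def is_system_console(path: str) -> bool:
    """True when the console lives in a directory Windows itself populates."""
    return path.lower().startswith(SYSTEM_CONSOLE_DIRS)


def classify_event(event: dict):
    """Return an alert dict for a suspicious mmc.exe launch, else None."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image != "mmc.exe":
        return None
    msc = msc_argument(event.get("CommandLine", ""))
    if msc is None or is_system_console(msc):
        return None
    reasons = ["MSC console loaded from outside the Windows system directory"]
    lowered = msc.lower()
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        reasons.append("console path is under a user-writable location")
    # A name like report.docx.msc mimics a document; the decoy in the advisory
    # used a Word icon, so this catches the naming variant of the same trick.
    if PureWindowsPath(msc).stem.lower().endswith((".doc", ".docx", ".pdf")):
        reasons.append("double extension mimics a document")
    return {"msc": msc, "parent": event.get("ParentImage"), "reasons": reasons}


def hunt(events):
    """Run classify_event over an iterable of event dicts; return the alerts."""
    return [hit for hit in map(classify_event, events) if hit]


def hunt_jsonl(lines):
    """Same as hunt(), but over JSON-lines text as exported by many SIEMs."""
    return hunt(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

The rule is deliberately narrow: it keys on where the console is loaded from rather than on its hash or icon, so a renamed or re-signed decoy still trips it, while administrators opening the stock consoles under System32 do not. In production the system-directory prefixes should come from the endpoint’s actual %SystemRoot% rather than the hard-coded assumption above.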

General APT group mitigations:

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.