Security firm ESTsecurity has issued a warning to businesses, reporting that attackers are targeting corporate employees by posing as customers inquiring about personal data breaches.
The attack's technique of exchanging emails with corporate staff closely resembles the typical attack patterns of the North Korea-linked hacking group Kimsuky.
On June 15, ESTsecurity announced that its Advanced Persistent Threat (APT) detection system had repeatedly identified targeted malicious email attacks using the subject line "Request to Confirm Suspected Personal Data Breach."
Unlike past methods that involved indiscriminately distributing malware to a large number of people, this attack employs typical social engineering techniques. The attackers build trust by exchanging several legitimate emails with a specific corporate staff member before inducing them to execute a malicious file.
Notably, when the malicious link in the first email was blocked by the company's security software, the attacker attempted to reassure the staff member by claiming, "Our internal security team checked it and found no issues; it appears to be a false positive." They then displayed sophistication by resending the malware as a password-protected compressed file to bypass antivirus monitoring.
If a user extracts the archive and executes the malicious Windows shortcut (LNK) file, which is disguised as a regular document, the 32-bit PowerShell interpreter is launched in the background to bypass certain security detection features.
A normal-looking Excel or PDF document is displayed to the user, while the malware is designed to steal system information and carry out additional malicious activity in the background.
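One way a defender can look for the shortcut-launched, hidden 32-bit PowerShell described above, as an added example that is not from ESTsecurity or the original article. The event field names (image, parent_image, command_line) follow a Sysmon-like process-creation shape and, together with the sample records, are constructed assumptions for this illustration:

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Hypothetical detection helper, not ESTsecurity's code. The field names below
# are assumptions modelled on Sysmon process-creation events.
HIDDEN_WINDOW = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)
EVASION_FLAGS = re.compile(
    r"-(?:nop|noprofile)\b|-(?:ep|executionpolicy)\s+bypass|-(?:e|ec|enc|encodedcommand)\s+\S",
    re.I,
)


def is_wow64_powershell(image: str) -> bool:
    """True for the 32-bit interpreter path (SysWOW64 only exists on 64-bit Windows)."""
    parts = image.lower().replace("/", "\\").split("\\")
    return "syswow64" in parts and parts[-1] == "powershell.exe"


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicators that make this process-creation event resemble the LNK lure."""
    reasons = []
    if is_wow64_powershell(ev["image"]):
        reasons.append("32-bit (SysWOW64) PowerShell")
    if ntpath.basename(ev["parent_image"]).lower() == "explorer.exe":
        reasons.append("launched from explorer.exe (shortcut double-click)")
    cmd = ev.get("command_line", "")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden window")
    if EVASION_FLAGS.search(cmd):
        reasons.append("profile/policy/encoding flags typical of loaders")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Flag only events that combine 32-bit PowerShell with at least one more indicator."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if is_wow64_powershell(ev["image"]) and len(reasons) >= 2:
            hits.append((ev["image"], reasons))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {  # the lure: a shortcut from the extracted archive starts hidden 32-bit PowerShell
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\u\AppData\Local\Temp\x.ps1"',
    },
    {  # an administrator's interactive 64-bit shell: no indicators
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\WindowsTerminal.exe",
        "command_line": "powershell.exe -NoLogo",
    },
    {  # a 32-bit installer running a visible script: one indicator only, so not flagged
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files (x86)\Vendor\setup.exe",
        "command_line": "powershell.exe -Command Get-Date",
    },
]
```

Requiring a second indicator keeps legitimate 32-bit software that calls the SysWOW64 interpreter from producing alerts on its own.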
The attacker used two types of frameworks to evade detection.
The first abused the API of Dropbox, a legitimate cloud service, as a command-and-control server to steal information from the PC, and included features to detect virtual-environment analysis.
The second communicated directly with the attacker's own server. It registered a file disguised as an automatic update for well-known domestic security software as a startup program to ensure persistence and conceal its commands.
After a detailed analysis of the three collected malicious samples, the center confirmed that they all share the same internal structure and decoy documents (disguised as customer status reports).
This method, in which the same attack group switches tools as the situation requires within a single campaign, shows a very high similarity to the typical attack patterns of the North Korea-linked hacking group Kimsuky.
※ Please note: This article was translated by AI and may contain errors.
Warning Issued Over 'Kimsuky'-Style Phishing Attacks Using Personal Data Breach Inquiries
By Park Jaehyeon | Jun 15, 2026
