A new ongoing attack campaign tracked as STARK#MULE uses US military recruitment-themed documents to lure victims and runs malware staged from legitimate but compromised Korean websites. The attack chain starts with a phishing ZIP attachment carrying a PDF lure; PowerShell-based stagers are then downloaded, persisted via scheduled tasks, and communicate with C2 over plain HTTP to two compromised Korean hosts. #STARKMULE #APT37 #NorthKorea #JKMusicKR #NotebookSellKR #LGDACOM #KoreaTelecom
Keypoints
- The Securonix Threat Research team tracks an ongoing campaign named STARK#MULE targeting Korean-speaking victims, likely linked to North Korea and possibly APT37.
- The lure uses US Army recruitment-related documents and compromised Korean e-commerce sites to blend in and deliver malware stagers.
- Initial access is via a phishing ZIP attachment containing a PDF lure and a shortcut file (.lnk); opening the shortcut launches PowerShell, which executes the script stored in a file named Thumbs.db.
- The PowerShell script is disguised as Thumbs.db (the name Windows Explorer uses for its thumbnail cache) rather than carrying a .ps1 extension; it downloads two payloads from the compromised sites and sets up persistence via schtasks.
- The final payloads include a heavily obfuscated conshost.exe that exfiltrates system data and communicates with C2 over HTTP to two compromised sites (jkmusic.co.kr and notebooksell.kr).
- The infrastructure relies on two compromised Korean-hosted websites with IPs 182.162.94.42 and 183.111.169.84, reached over HTTP rather than HTTPS, so the C2 and exfiltration traffic is cleartext and inspectable at a proxy or IDS.
- Defenses recommended include avoiding unsolicited ZIP attachments, applying application whitelisting, monitoring ProgramData, and enabling Sysmon/PowerShell logging.
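The host- and network-side detection logic a defender would build from the chain above, as an added example that is not from the Securonix write-up or this page: it runs four rules over constructed, Sysmon-shaped process-creation (Event ID 1) and network-connection (Event ID 3) records. The sample command lines, the task name OfficeUpdater and the C:\ProgramData\conshost.exe path are assumptions; only the domains, IPs and file names come from the report.

```python
"""Detection rules for the STARK#MULE execution chain (added example).

Rules, in order of the chain:
  1. PowerShell launched from explorer.exe (how a .lnk runs) with a hidden
     window or an execution-policy bypass.
  2. PowerShell fed a file whose extension is not a script (Thumbs.db,
     lsasetup.tmp) instead of a .ps1.
  3. schtasks.exe creating a task whose action lives under ProgramData or
     invokes PowerShell.
  4. A non-browser process talking plain HTTP (port 80) to the reported C2
     hosts. Browsers are excluded because the sites are legitimate businesses.
Field names follow Sysmon's schema; all sample records are constructed.
"""
import re
from dataclasses import dataclass

# Infrastructure reported for the campaign (compromised legitimate sites).
C2_IPS = {"182.162.94.42", "183.111.169.84"}
C2_DOMAINS = {"jkmusic.co.kr", "notebooksell.kr"}

PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
PS_EVASION = re.compile(r"(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass)")
# A path-like token whose extension is not a PowerShell script.
NON_SCRIPT_FILE = re.compile(r"(?i)[\w.\\:%~-]*\.(?:db|tmp|dat|txt|log|jpg|png)\b")
TASK_ACTION = re.compile(r"(?i)/tr\s+(\"[^\"]+\"|\S+)")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    record: int  # index into the event list
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return the alerts raised by the four rules over a list of event dicts."""
    alerts = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if PS_IMAGE.search(image):
                if _basename(ev.get("ParentImage", "")) == "explorer.exe" and PS_EVASION.search(cmd):
                    alerts.append(Alert("ps_hidden_from_explorer", i, cmd))
                m = NON_SCRIPT_FILE.search(cmd)
                if m:
                    alerts.append(Alert("ps_non_script_input", i, m.group(0)))
            elif _basename(image) == "schtasks.exe" and "/create" in cmd.lower():
                m = TASK_ACTION.search(cmd)
                action = m.group(1).strip('"').lower() if m else ""
                if "programdata" in action or "powershell" in action:
                    alerts.append(Alert("task_action_in_programdata", i, action))
        elif ev["EventID"] == 3:
            dst_ip = ev.get("DestinationIp", "")
            host = ev.get("DestinationHostname", "").lower()
            port = int(ev.get("DestinationPort", 0))
            proc = _basename(image)
            if (dst_ip in C2_IPS or host in C2_DOMAINS) and port == 80 and proc not in BROWSERS:
                alerts.append(Alert("http_to_known_c2", i, f"{proc} -> {host or dst_ip}:{port}"))
    return alerts


# Constructed sample telemetry mimicking the chain; index numbers are referenced in the test.
SAMPLE_EVENTS = [
    # 0: user opens the lure PDF from the ZIP - benign on its own
    {"EventID": 1, "Image": r"C:\Program Files\Adobe\Acrobat.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"Acrobat.exe" "C:\Users\u\Downloads\Multi National Recruitment System.pdf"'},
    # 1: the .lnk launches PowerShell hidden and points it at Thumbs.db (command line assumed)
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ep bypass -w hidden -File .\Thumbs.db"},
    # 2: the stager persists via schtasks into ProgramData (task name and path assumed)
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 10 /tn "OfficeUpdater" /tr "C:\ProgramData\conshost.exe" /f'},
    # 3: an admin running an ordinary script from cmd.exe - must not alert
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    # 4: conshost.exe beacons over cleartext HTTP to a compromised site
    {"EventID": 3, "Image": r"C:\ProgramData\conshost.exe", "DestinationIp": "182.162.94.42",
     "DestinationHostname": "jkmusic.co.kr", "DestinationPort": "80"},
    # 5: a browser visiting the same legitimate site - excluded by rule 4
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "183.111.169.84", "DestinationHostname": "notebooksell.kr", "DestinationPort": "80"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] record {a.record}: {a.detail}")
```

Rules 1 and 2 both fire on the same record, which is the point: a .lnk-spawned hidden PowerShell is noisy on its own, but PowerShell consuming a file that is not a script is a strong pairing signal. Rule 4 deliberately ignores browsers, because blocking or alerting on every visit to the compromised sites would punish their legitimate customers; pair it with proxy logging of the POST bodies instead.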
MITRE Techniques
- [T1566] Phishing – The attack likely begins with a phishing email with a zip file attachment. [‘The attack likely begins with a phishing email with a zip file attachment.’]
- [T1566.001] Phishing: Spearphishing Attachment – The attack likely begins with a phishing email with a zip file attachment. [‘The attack likely begins with a phishing email with a zip file attachment.’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is going to execute whatever is contained within Thumbs.db. [‘PowerShell is going to execute whatever is contained within Thumbs.db.’]
- [T1204.002] User Execution: Malicious File – The lure aims to spark curiosity so recipients open attachments and execute the malware. [‘the recipient’s curiosity enough to have them open the attached documents, and inadvertently execute the contained malware.’]
- [T1053.005] Scheduled Task/Job: Scheduled Task – Two scheduled tasks are then created using schtasks.exe. [‘Two scheduled tasks are then created using schtasks.exe.’]
- [T1105] Ingress Tool Transfer – The stager pulls two payloads from the compromised sites; the resulting binary is heavily obfuscated and makes HTTP POST requests to a C2 URL. [‘The binary itself is heavily obfuscated, however during dynamic analysis of the file we observed it making HTTP post requests to the following URL.’]
- [T1571] Non-Standard Port – Mapped by the source to the infrastructure's use of plain HTTP rather than HTTPS. [‘Both websites are registered in Korea and… Only utilize the HTTP protocol.’] Note that HTTP on its default port is not a non-standard port; the observed behaviour fits T1071.001 Application Layer Protocol: Web Protocols more closely.
- [T1584.004] Compromise Infrastructure: Server – The threat actor’s infrastructure relies on two compromised websites. [‘The threat actor’s infrastructure appears to be solely based on two compromised websites that appear to be legitimate businesses.’]
- [T1567] Exfiltration Over Web Service – The conshost.exe payload sends collected system data over HTTP to the compromised websites. [‘Exfiltration Over Web Service’]
Indicators of Compromise
- [IP] 182.162.94.42 (LG DACOM Corporation, C2), 183.111.169.84 (Korea Telecom, C2) – two compromised hosting IPs used for C2 communications.
- [Domain] jkmusic.co.kr, notebooksell.kr – compromised e-commerce sites hosting payloads and C2 traffic.
- [File Hash] E4A8610461D3B3C534346B9C874EDFF6D37CA085D578365FF75B25F682EC5FD0 – 미군 구인공고 웹사이트 주소 및 사용방법 안내.zip (Korean: "US military job posting website address and usage guide.zip")
- [File Hash] 6149D861F38DB6D6F5110B234EDB1BA31800F7EB621AD27B6CBF99F05DDEAE18 – Multi National Recruitment System Templete.pdf.zip
- [File Hash] 019E4327B8292DAD32C92209A1E0FA03636381B1163AC57941CD8CC711A40097 – Multi National Recruitment System.pdf
- [File Hash] 89062A28F33021539AB3D197C124040177E5AE94A05E1AC7A4F1C852D6B498CF – Multi National Recruitment System Templete.pdf.lnk
- [File Hash] 7893C8B41A2E4281E73A1761061AC9EEE52920B6840E43697AABF606F701D11A – lsasetup.tmp
- [File Hash] C90EBF988F96C9A51D6AD0B23AD7260C6B7F8D3B7C905ACC20E18A7227E46237 – Thumbs.db
- [File Hash] 6F11C52F01E5696B1AC0FAF6C19B0B439BA6F48F1F9851E34F0FA582B09DFA48 – conshost.exe
Relevant Securonix detection policies
- EDR-SYM74-RUN
- EDR-ALL-82-RU
- EDR-ALL-782-RU
- CEDR-ALL-82-RU
- WEL-ALL-1084-RU
- EDR-ALL-979-RU
- WEL-ALL-1070-RU
- EDR-ALL-1215-ERR
- WEL-ALL-1186-ERR
- WEL-ALL-1205-RU
- EDR-ALL-1245-RU