North Korean hacking group Kimsuky has evolved its espionage tactics by using Facebook for initial infiltration, creating fake profiles to target individuals involved in North Korean human rights and security affairs. The group also uses Microsoft Management Console (MMC) files disguised as ordinary documents to execute malicious commands and establish a C2 channel. #Kimsuky #Facebook #MMC #MicrosoftManagementConsole #Genians
Keypoints
- The attackers create fake Facebook profiles that mimic honest South Korean public officials, engaging with potential targets through friend requests and personal messages.
- The deception aims to build trust and lure victims into a trap by sharing malicious links or documents.
- MMC files (.msc) are crafted to appear as legitimate Word documents and are used to trigger malicious actions on the victimβs system.
- Once executed, the embedded code can allow attackers to gain control or exfiltrate data, with a C2 channel established for remote management.
MITRE Techniques
- [T1566.001] Phishing via Service β The attackers create fake Facebook profiles that mimic honest South Korean public officials, engaging with potential targets through friend requests and personal messages. βThe attackers create fake Facebook profiles that mimic honest South Korean public officials, engaging with potential targets through friend requests and personal messages.β
- [T1566.002] Spearphishing Link β The deceptive strategy involves using these Facebook accounts to initiate conversations and eventually share malicious links or documents. βThe deceptive strategy involves using these Facebook accounts to initiate conversations and eventually share malicious links or documents.β
- [T1036] Masquerading β The MMC files are configured to appear as regular Word documents, with icons and metadata that mimic legitimate files. βThe MMC files are configured to appear as regular Word documents, with icons and metadata that mimic legitimate files.β
- [T1071.001] Web Protocols β The C2 servers are masked to evade detection and orchestrate data collection from the infected machines. βC2 servers are often masked to evade detection and orchestrate data collection from the infected machines.β
Indicators of Compromise
- [MD5] Hashes of suspicious files β 56fa059cf7dc562ce0346b943e8f58bb, 1dd007b44034bb3ce127b553873171e5
- [IP] C2 addresses β 52.177.14[.]24 [US], 69.163.180[.]70 [US]
- [Domain/URL] C2 domains β brandwizer.co[.]in/green_pad/wp-content/plugins/custom-post-type-maker/essay/share, yonsei[.]lol
- [File] Documents named or hosted for C2/delivery β share.docx, VOA_Korea.docx
Read more: https://gbhackers.com/north-korean-hackers-abusing/