A Korean-language malware campaign called Stark#Mule has been discovered by security firm Securonix. This campaign specifically targets victims using US military recruiting documents as bait and then deploys malware from compromised Korean e-commerce websites. The attackers have developed a complex system that allows them to blend in with legitimate web traffic, making it difficult to detect their malicious activities.
The Stark#Mule campaign primarily focuses on Korean-speaking victims in South Korea, indicating a possible origin from neighboring North Korea. One of the tactics employed by the attackers is sending targeted phishing emails written in Korean. These emails contain zip archives with seemingly legitimate US Army recruitment documents. When recipients are tricked into opening these attachments, the malware executes without their knowledge.
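As an added example (not code from the article, Securonix or any vendor quoted here), the following Python snippet shows the kind of mail-gateway triage a defender can run over a zip attachment of the sort described above: it flags entries whose names or contents suggest an executable hiding behind a document name. The extension lists, magic-byte table and the sample archive are all constructed for this illustration and are not indicators from the Stark#Mule campaign.

```python
import io
import zipfile

# Extensions that should never appear inside a "recruitment document" archive
# from an unknown sender. Constructed list for this example, not from the article.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1", ".msi", ".dll"}
DOCUMENT_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".xls", ".pptx", ".txt", ".rtf"}

# Leading bytes a genuine file of each type should start with (assumed table).
DOC_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",          # OOXML is itself a zip container
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",     # OLE2 compound file
    ".xls": b"\xd0\xcf\x11\xe0",
}
MZ_MAGIC = b"MZ"                     # Windows PE executable header


def split_exts(name):
    """Return all lowercase dotted suffixes, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_archive(data):
    """Inspect a zip given as bytes; return a list of (entry_name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = split_exts(name)
            last = exts[-1] if exts else ""

            # 1. Plain executable extension inside a "document" archive.
            if last in EXECUTABLE_EXTS:
                findings.append((name, "executable extension " + last))

            # 2. Document-looking double extension such as report.pdf.exe.
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last not in DOCUMENT_EXTS:
                findings.append((name, "document-looking double extension " + "".join(exts[-2:])))

            # 3. Content check: read only the first bytes of the entry.
            with zf.open(info) as fh:
                head = fh.read(8)
            if head.startswith(MZ_MAGIC) and last not in EXECUTABLE_EXTS:
                findings.append((name, "PE header (MZ) under non-executable name"))
            expected = DOC_MAGIC.get(last)
            if expected and not head.startswith(expected):
                findings.append((name, "content does not match " + last + " magic"))
    return findings


def build_sample_archive():
    """Constructed sample archive: one genuine-looking PDF, one disguised executable,
    and one file whose name claims .docx but whose bytes do not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Army_Recruitment_Guide.pdf", b"%PDF-1.4\n%benign sample\n")
        zf.writestr("Army_Recruitment_Form.pdf.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("Readme.docx", b"this is not really an OOXML file")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_archive(build_sample_archive()):
        print(f"{entry}: {reason}")
```

The checks are deliberately cheap (names plus the first eight bytes of each entry) so they can run on every inbound attachment before a full sandbox detonation; a hit should quarantine the message for analyst review rather than block silently, since legitimate senders do occasionally zip installers.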
According to Zac Warren, Chief Security Advisor, EMEA at Tanium, the specific targeting of a particular group suggests a connection to North Korea and the possibility of state-sponsored cyberattacks or espionage. The attack campaign also suggests that Stark#Mule may have exploited a zero-day or a variant of a known Microsoft Office vulnerability to gain access to targeted systems.
Oleg Kolesnikov, Vice President of Threat Research, Cybersecurity for Securonix, believes that based on prior experience and current indicators, the threat most likely originates from North Korea. However, further investigation is necessary to determine the final attribution. Kolesnikov also notes that the attack methods employed by Stark#Mule align with previous activities of typical North Korean hacker groups, indicating South Korea and its government officials as primary targets.
Stark#Mule’s methodology and sophistication have made it a significant threat. Mayuresh Dani, Manager of Threat Research at Qualys, highlights the campaign’s ability to bypass system controls, blend in with legitimate e-commerce traffic, and gain complete control over targeted systems while remaining undetected. Dani emphasizes that social engineering plays a crucial role in the campaign’s success and that political rivalries increase the likelihood of compromise.
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, acknowledges North Korea’s involvement in cyber-warfare, cyber-espionage, and cybercriminal activities. He suggests that attacks like Stark#Mule allow North Korea to further its political agenda without escalating into actual warfare. The cyberwar between North Korea and South Korea is an extension of their long-standing physical conflict, where any information advantage is valuable.
Despite the focus on the attack’s origin, cybersecurity efforts should prioritize overall threat detection, response readiness, and implementing best practices to protect against various potential threats, regardless of their source. Collaboration between the US military, partner states, government agencies, international allies, and private sector organizations is crucial. Sharing threat intelligence related to Stark#Mule and taking remediation actions can strengthen cybersecurity efforts and foster international cooperation in cyber defense.
In addition to Stark#Mule, the Lazarus advanced persistent threat (APT) group, which is believed to be state-sponsored by North Korea, has recently resurfaced with an impersonation scam. This time, the group poses as developers or recruiters with legitimate GitHub or social media accounts.
The ongoing cyberwar between North Korea and South Korea highlights the importance of robust cybersecurity measures and international collaboration. As these attacks continue to evolve, it is essential for organizations and nations to stay vigilant and implement effective security protocols to protect against cyber threats.