
North Korea-affiliated cyber threat groups are increasingly adopting living-off-the-land (LotL) strategies and utilizing trusted services to bypass detection. A recent campaign by the Kimsuky group exemplifies this approach by employing PowerShell scripts and storing data in Dropbox folders, all while enhancing their operational security measures.
DEEP#DRIVE Campaign Tactics
The campaign, identified as "DEEP#DRIVE" by cybersecurity firm Securonix, uses deceptive documents such as fake work logs, insurance files, and cryptocurrency-related content as lures. These files are designed to trick users into downloading and opening a shortcut (.lnk) file delivered inside a ZIP archive. The shortcut collects system configuration data and executes PowerShell and .NET scripts. The collected information is then uploaded to Dropbox folders, and additional commands are downloaded from there to further compromise the system.
Focus on Espionage and Financial Gain
While the attackers showed some interest in quick financial gains by targeting cryptocurrency users, their primary focus was on stealing sensitive data from South Korean government agencies and businesses. This aligns with Kimsuky's historical targeting patterns, which have consistently included South Korean government entities, enterprises, and strategic industries.
- Espionage Motivation: The group's activities are primarily driven by the goal of gathering intelligence from South Korean targets.
- Financial Motivation: A secondary focus on cryptocurrency users for potential financial gain.
Prolific Cyber Threat Group
Kimsuky is not a single entity but comprises five overlapping threat groups, each with distinct targets. For instance, one group focuses on healthcare and hospitality, while another targets cryptocurrency markets. By mid-2023, Kimsuky had become the most active North Korean cyber threat group, responsible for the majority of North Korean-origin attacks between 2021 and 2023.
High-Volume Phishing Campaigns
The Kimsuky groups conduct extensive phishing campaigns, primarily targeting individuals and organizations in South Korea. These campaigns prioritize volume over tailored spear-phishing operations, occasionally extending to targets in other countries.
Thousands of Potential Victims
In the DEEP#DRIVE campaign, after compromising a system, Kimsuky's scripts upload configuration data to Dropbox folders. Although Securonix researchers could not access all suspected Dropbox locations, they identified signs of over 8,000 configuration files, some of which appeared to be duplicates, which suggests the campaign succeeded in infiltrating multiple systems within the same organizations.
Data Collected
The compromised system data includes host IP addresses, system uptime, OS type and version, installed security software, and a list of running processes.
Enhanced Operational Security
The campaign also highlights improvements in the operational security of North Korean cyber-operations groups. Kimsuky used OAuth-based authentication for its Dropbox folders, which leaves nothing for traditional URL-blocking or network-based defenses to act on. The threat actors swiftly dismantled components of their infrastructure once Securonix began investigating.
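Because the exfiltration goes to a legitimate Dropbox API endpoint with an OAuth token, there is no malicious URL to block; the detectable signal is the process chain instead. The PowerShell hunt below is an added example, not code from Securonix or this article: it correlates Sysmon-style process-creation records (Event ID 1) with network-connection records (Event ID 3) on their shared ProcessGuid and flags PowerShell that was launched from Explorer with hidden/bypass/encoded flags (the shape of a double-clicked shortcut) and then reached a Dropbox API host. All event records, ProcessGuid values, hostnames and command lines are constructed sample data.

```powershell
# Added hunting example (not from the Securonix report). Record shapes mimic Sysmon
# Event ID 1 (ProcessCreate) and Event ID 3 (NetworkConnect); all records are constructed.

$SampleEvents = @(
    # Suspicious: Explorer-launched PowerShell, hidden window, bypass, encoded payload ...
    [pscustomobject]@{ EventId = 1; ProcessGuid = '{1111}'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAo'
                       DestinationHostname = $null }
    # ... which then talks to the Dropbox API (OAuth bearer token, so no blockable URL)
    [pscustomobject]@{ EventId = 3; ProcessGuid = '{1111}'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = $null; CommandLine = $null
                       DestinationHostname = 'content.dropboxapi.com' }
    # Benign: an interactive console opened from Explorer, no LotL flags, no Dropbox traffic
    [pscustomobject]@{ EventId = 1; ProcessGuid = '{2222}'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe'; DestinationHostname = $null }
    # Benign: the official Dropbox client syncing
    [pscustomobject]@{ EventId = 3; ProcessGuid = '{3333}'
                       Image = 'C:\Program Files (x86)\Dropbox\Client\Dropbox.exe'
                       ParentImage = $null; CommandLine = $null
                       DestinationHostname = 'api.dropboxapi.com' }
)

function Find-ShortcutPowerShellToDropbox {
    param([Parameter(Mandatory)][object[]]$Events)

    $psImage  = '\\(powershell|pwsh)\.exe$'
    # Flags a shortcut typically passes to hide the window and run an unsigned/encoded payload
    $lolFlags = '-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-e(c|nc|ncodedcommand)?\s+\S'
    $dropbox  = '(^|\.)dropbox(api)?\.com$'

    # Step 1: PowerShell whose parent is Explorer, i.e. started by a user click, with LotL flags
    $launches = $Events | Where-Object {
        $_.EventId -eq 1 -and $_.Image -match $psImage -and
        $_.ParentImage -match '\\explorer\.exe$' -and $_.CommandLine -match $lolFlags
    }

    # Step 2: correlate on ProcessGuid with outbound connections to Dropbox hosts
    foreach ($p in $launches) {
        $conns = $Events | Where-Object {
            $_.EventId -eq 3 -and $_.ProcessGuid -eq $p.ProcessGuid -and
            $_.DestinationHostname -match $dropbox
        }
        foreach ($c in $conns) {
            [pscustomobject]@{
                ProcessGuid = $p.ProcessGuid
                CommandLine = $p.CommandLine
                Destination = $c.DestinationHostname
                Reason      = 'Explorer-launched PowerShell with LotL flags reaching the Dropbox API'
            }
        }
    }
}

# Only the {1111} chain is reported; the console and the real Dropbox client are not.
Find-ShortcutPowerShellToDropbox -Events $SampleEvents | Format-List
```

Sysmon only fills DestinationHostname when reverse DNS resolves, so in production pair this with DNS query events (Sysmon Event ID 22) or proxy/TLS SNI logs keyed on the same process, and extend the parent-image check to archive tools if users open the ZIP directly rather than extracting it first.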
Recommended Mitigations
- Disable Hidden File Extensions: Makes it harder for attackers to disguise malicious files behind misleading names.
- Block Shortcut Files: Stops shortcut (.lnk) files from executing in user folders.
- Allow Only Signed PowerShell Scripts: Ensures only verified scripts run, aiding in detection.
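As an added example of putting these three recommendations into practice (this script is not from the article or from Securonix), the PowerShell below turns on visible file extensions, sets the execution policy to AllSigned with script block logging enabled, and audits the usual landing folders for shortcuts whose target is a script host. Blocking .lnk execution by policy is normally done with Software Restriction Policy or AppLocker rules pushed by GPO, so this script audits rather than enforces that item; the folder list and the script-host pattern are assumptions you should adjust for your environment.

```powershell
# Added hardening and audit script (not from the original article). Run elevated on
# Windows 10/11 with Windows PowerShell 5.1. Folder list and host pattern are assumptions.

function Set-VisibleFileExtensions {
    # 1. Stop Explorer hiding known extensions so "report.pdf.lnk" is shown in full.
    #    Per-user setting; Explorer must be restarted (or the user sign out) to apply.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
}

function Set-SignedScriptsOnly {
    # 3. Only signed scripts run from the .ps1 file, and everything that does run is logged
    #    as Event ID 4104 so analysts can see the script body after the fact.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
    $log = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $log)) { New-Item -Path $log -Force | Out-Null }
    Set-ItemProperty -Path $log -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Find-SuspiciousShortcut {
    # 2. Audit user folders for .lnk files that launch a script host (the dropper pattern
    #    in the article). Enforcement of the block itself belongs in SRP/AppLocker via GPO.
    param(
        [string[]]$Folders = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP)
    )
    $shell = New-Object -ComObject WScript.Shell
    $hosts = 'powershell\.exe|pwsh\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe'
    foreach ($lnk in Get-ChildItem -Path $Folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)   # resolves TargetPath and Arguments
        if ($sc.TargetPath -match $hosts) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
            }
        }
    }
}

Set-VisibleFileExtensions
Set-SignedScriptsOnly
Find-SuspiciousShortcut | Format-Table -AutoSize
```

One caveat when relying on the AllSigned item: the execution policy is not a security boundary, since a shortcut can pass `-ExecutionPolicy Bypass` on the command line, as the campaign's scripts can. It still has value because unsigned scripts fail in the default case and the bypass flag itself becomes a loud indicator in process-creation logs; for actual enforcement, combine it with AppLocker or WDAC rules that put PowerShell into Constrained Language Mode for standard users.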