Kimsuky Hackers Use Fake Facebook Accounts in New Attack

May 20 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s not a fisherman’s friend; it’s a phisherman’s foe 😈

Today’s hottest cybersecurity news stories:

  • ⚠️ Facebookers beware! N. Koreans target Messenger w/ malware 👾

  • 🏛️ CISA: Patch your D-Link router now or forever hold your peace 🩹

  • 💳 Grandoreiro banking trojan keeps reappearing like cyber-herpes 🦠

Don’t get Facehooked! 🎣🎣🎣

🚨 North Korea's Kimsuky Hackers Use Fake Facebook Accounts in New Attack 🕵️‍♂️

The North Korea-linked Kimsuky hacking group has launched a new social engineering attack, using fake Facebook accounts to deliver malware via Messenger.

👤 Fake Identity

The attackers created a Facebook account pretending to be a public official in the North Korean human rights field, targeting activists involved in human rights and anti-North Korea efforts.

📱 Social Media Approach

Unlike typical email-based spear-phishing, this attack uses Facebook Messenger to trick targets into opening seemingly private documents.

📄 Decoy Documents

The documents, hosted on OneDrive, appear as essays or content related to a trilateral summit between Japan, South Korea, and the U.S. Examples include "My_Essay(prof).msc" and "NZZ_Interview_Kohei Yamamoto.msc," the latter being uploaded to VirusTotal from Japan on April 5, 2024.

🌏 Target Regions

The campaign likely targets specific individuals in Japan and South Korea, using MSC files to avoid detection. These files, disguised with Word icons, execute malware when opened.

⚙️ Attack Sequence

When victims open the MSC file using Microsoft Management Console (MMC), a console screen shows a Word document, initiating the attack. The document runs a command to connect to an adversary-controlled server ("[.]in") and display another document from Google Drive, while executing background commands to collect information and establish persistence.

🔍 Data Exfiltration

Collected data, including battery and process information, IP addresses, User-Agent strings, and timestamps, is sent to the command-and-control (C2) server. The server can also deliver additional payloads as needed.

🛠️ Tactics and Techniques

Genians noted that the tactics, techniques, and procedures (TTPs) overlap with prior Kimsuky campaigns distributing malware like ReconShark, as detailed by SentinelOne in May 2023.

📈 Rise in Spear-Phishing

In the first quarter of 2024, spear-phishing was the most common APT attack method reported in South Korea. Covert social media attacks, although less reported, are also increasing.

🔍 Early Detection Crucial

Due to their personalised nature, these social media attacks are hard to detect and often go unreported. Early detection is crucial to mitigate these threats effectively.

Stay vigilant against social engineering attacks on social media. Recognize suspicious requests and document types, and report any unusual activity to security teams to help thwart these sophisticated cyber threats.

Think! Don’t D-link and harddrive 🙃🤔😂

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security vulnerabilities affecting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalogue, following evidence of active exploitation.

🔍 Vulnerabilities Added

  1. CVE-2014-100005:

Type: Cross-Site Request Forgery (CSRF)

Affected Device: D-Link DIR-600 routers

Description: Allows attackers to change router configurations by hijacking an existing administrator session.

  1. CVE-2021-40655:

Type: Information Disclosure

Affected Device: D-Link DIR-605 routers

Description: Allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page.

🛡️ Mitigation

Federal agencies are advised to apply vendor-provided mitigations by June 6, 2024.

⚠️ Legacy Products

CVE-2014-100005 impacts end-of-life (EoL) D-Link products, urging organisations still using these devices to retire and replace them.

🔍 New Vulnerability

A proof-of-concept (PoC) exploit has been released for a new vulnerability in Ivanti EPMM:

  • CVE: CVE-2024-22026

  • CVSS Score: 6.7

  • Impact: Allows an authenticated local user to bypass shell restrictions and execute arbitrary commands on the appliance.

🛠️ Description

The vulnerability allows a local attacker to gain root access by exploiting the software update process with a malicious RPM package from a remote URL due to inadequate validation in the command-line interface’s installation command.

⚠️ Advisory

Users are advised to update to the latest version to mitigate potential threats, despite no evidence of these flaws being exploited in the wild.

Stay Informed: Keep your systems updated and follow vendor advisories to protect against known and emerging threats.

Welcome back to Grandoreiro de Janeiro 💀💀💀

🚨 Grandoreiro Banking Trojan Returns in Global Phishing Campaign 🌍💻

The Grandoreiro banking trojan, a Windows-based malware, has made a significant return in a global phishing campaign since March 2024. This resurgence follows a law enforcement takedown in January. IBM X-Force reports that the malware is targeting over 1,500 banks across more than 60 countries, including regions in Central and South America, Africa, Europe, and the Indo-Pacific.

Expanded Targeting 🎯🌐

Previously, Grandoreiro mainly focused on Latin America, Spain, and Portugal. However, disruptions by Brazilian authorities have led to a broader targeting strategy. The malware has also seen significant upgrades, including improved string decryption, a new domain generating algorithm (DGA), and the ability to use Microsoft Outlook clients on infected hosts to spread phishing emails.

Attack Chain 🔗✉️

The attack begins with phishing emails urging recipients to click a link to view an invoice or make a payment. This leads to downloading a ZIP archive containing the Grandoreiro loader executable. The loader, inflated to bypass anti-malware software, ensures the host is not in a sandbox environment, gathers basic victim data, and sends it to a command-and-control (C2) server.

Persistence and Execution 🔐⚙️

The trojan establishes persistence via the Windows Registry and uses a reworked DGA to connect to a C2 server for further instructions. Grandoreiro can execute various commands, perform file operations, and now gather Microsoft Outlook data to send spam emails from the victim's account.

Outlook Exploitation 📧🛠️

Using the Outlook Security Manager tool, Grandoreiro avoids triggering security alerts. This allows it to spread spam from infected inboxes, contributing to the high volume of spam observed. By leveraging the victim's email account, Grandoreiro significantly enhances its spread and impact.

Conclusion 🔍🚫

The Grandoreiro banking trojan's return and expansion highlight the evolving threats in the cybersecurity landscape. Organisations must stay vigilant, update security measures, and educate users on recognizing phishing attempts to mitigate such risks.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Recent articles