North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
Summary:
Securonix has been tracking a cyberattack campaign conducted by the North Korea-sponsored threat actor known as Kimsuky (also tracked as APT43 and Emerald Sleet). This ongoing campaign, dubbed DEEP#DRIVE, has been targeting South Korean business, government, and cryptocurrency sectors. It is a multi-stage operation that uses Korean-language phishing lures delivered by email; the lure documents are tailored to their intended victims to increase the likelihood that the target opens them. The campaign relies on PowerShell scripts at every stage of the attack, and Dropbox is abused both to host and deliver payloads and to exfiltrate data. The adversary uses scheduled tasks to establish persistence and code obfuscation to evade detection. Although the attacker's infrastructure was taken down during the investigation, Securonix attributed the activity to Kimsuky based on the TTPs evident in the campaign, the focus on South Korean targets, and the Dropbox-based delivery methods observed in the group's past campaigns.
The attack chain begins with an LNK (shortcut) file disguised as a legitimate document or PDF; Securonix researchers were unable to obtain and analyze the original phishing email. When opened, the LNK file launches PowerShell and silently runs an embedded script, which decodes the next stage into a temporary file, executes it, and then deletes that file to hinder analysis. The decoded PowerShell script reveals a multi-stage strategy involving file downloads, execution, and persistence mechanisms. The system information gathered from the victim is comprehensive: host IP address, system uptime, OS type and version, installed antivirus software, running processes, and system type (desktop or laptop). A file containing this information is uploaded back to Dropbox.
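The chain described above (shortcut-launched hidden PowerShell, Dropbox API traffic, staging under the user profile, scheduled-task persistence, decode-then-delete) can be hunted for in local Windows telemetry. The script below is an added example written for this page; it is not Securonix's code and contains no campaign IOCs. It assumes PowerShell Script Block Logging (event 4104) and Sysmon process-creation logging (event 1) are already enabled on the host, and the regular expressions are generic patterns for the TTPs, not indicators from the report.

```powershell
# Added example, not from the Securonix report: hunt local event logs for the
# DEEP#DRIVE-style chain. Assumes Script Block Logging (4104) and Sysmon (1) are on.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Generic indicator patterns for the described tradecraft (assumptions, not IOCs).
$dropboxApi   = 'api\.dropboxapi\.com|content\.dropboxapi\.com|dl\.dropboxusercontent\.com'
$stagingDir   = '\\AppData\\Roaming\\'
$schtask      = 'Register-ScheduledTask|schtasks(\.exe)?\s+/create'
$decodeDelete = 'FromBase64String|-EncodedCommand|Remove-Item.*-Force'

# 1. Script blocks that combine two or more of: Dropbox API use, staging in
#    Roaming, scheduled-task creation, and decode/cleanup behaviour.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue

$suspectBlocks = foreach ($e in $blocks) {
    $text = $e.Message
    $hits = @()
    if ($text -match $dropboxApi)   { $hits += 'dropbox-api' }
    if ($text -match $stagingDir)   { $hits += 'roaming-staging' }
    if ($text -match $schtask)      { $hits += 'scheduled-task' }
    if ($text -match $decodeDelete) { $hits += 'decode-or-cleanup' }
    if ($hits.Count -ge 2) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Indicators = ($hits -join ',')
            Snippet    = $text.Substring(0, [Math]::Min(200, $text.Length))
        }
    }
}

# 2. Sysmon process creations: powershell.exe spawned by explorer.exe with a
#    hidden window or encoded command, which is what a double-clicked LNK yields.
$procs = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $since
} -ErrorAction SilentlyContinue

$suspectProcs = foreach ($e in $procs) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.Image -match 'powershell\.exe$' -and
        $d.ParentImage -match 'explorer\.exe$' -and
        $d.CommandLine -match '-(w|win|windowstyle)\s+hidden|-enc|-nop') {
        [pscustomobject]@{ Time = $e.TimeCreated; Pid = $d.ProcessId; CommandLine = $d.CommandLine }
    }
}

$suspectBlocks | Format-Table -AutoSize
$suspectProcs  | Format-Table -AutoSize
```

Requiring two indicators per script block keeps ordinary Dropbox client activity or legitimate Register-ScheduledTask use from firing on its own; lower the threshold when investigating a host already suspected of compromise. Because the attacker deletes the decoded temp file, the 4104 record is often the only surviving copy of the second-stage script, which is the main reason to have Script Block Logging enabled before an incident.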
Security Officer Comments:
While the takedown of their infrastructure is positive news, the ability of North Korean-sponsored APTs to adapt and re-establish operations underscores the need to remain vigilant for Kimsuky activity. DPRK state-sponsored threat actors are well-resourced and willing to adopt any new tactic that might help them compromise critical sectors and accomplish their objectives. The campaign's reliance on Korean-language phishing lures tailored to specific victims underscores the importance of user education and awareness training. Although the original phishing emails were not obtained, the recovered lure wording and filenames provide valuable input for detection rules. The immediate deletion of the decoded content is an attempt to hinder post-exploitation analysis, and it makes pre-existing PowerShell script block logging the most reliable way to recover the second stage. The multi-stage PowerShell script allows for flexible malware delivery, and the comprehensive system information gathering indicates a targeted approach. The abuse of a legitimate service such as Dropbox is not a novel tactic for North Korean-sponsored threat actors, as evidenced by the Operation Dream Job campaign conducted by Lazarus Group. However, the exfiltration of system data to Dropbox further emphasizes these actors' preference for the platform and highlights the need for organizations to monitor and manage cloud service access and usage for suspicious activity.
Suggested Corrections:
IOCs and TTPs
Recommendations from Securonix:
- As this campaign likely started with phishing emails, avoid downloading files or attachments from external sources, especially if the source is unsolicited and urgency is stressed. Malicious payloads from phishing emails can be delivered as direct attachments or as links to external documents to download. Common file types include office docs (.pptx, .docx, .xlsx), zip, rar, iso, and pdf.
- Maintain vigilance around the use of shortcut files (.lnk). This is a very common code execution tactic with threat actors who rely on phishing emails to execute code.
- Monitor common malware staging directories, especially script-related activity in world-writable directories. In the case of this campaign the threat actors staged their operations out of the C:\Users\<username>\AppData\Roaming directory.
- Deploy robust endpoint logging capabilities to aid in PowerShell detections.
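The last recommendation is easy to state and easy to leave half done. The script below is an added example (not part of the Securonix guidance) showing the registry-backed policy settings that turn on the three PowerShell logging sources a detection team needs: script block logging (event 4104, which records de-obfuscated script text), module logging (event 4103), and transcription. The transcript output directory C:\PSTranscripts and the 256 MB log size are assumptions; point the directory at a location the user cannot modify and size the log for your collection interval. Run it elevated.

```powershell
# Added example, not from the Securonix report: enable the PowerShell logging
# that event-log based detection of this tradecraft depends on. Run as admin.
# The registry paths mirror the Group Policy settings under
# Administrative Templates > Windows Components > Windows PowerShell.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging (event 4104): logs the de-obfuscated script text, so the
# decoded stage survives even though the attacker deletes the temp file.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging (event 4103) for all modules: records pipeline execution,
# including the cmdlet invocations used to download, write and schedule.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: a full text record of each session. Directory is an assumption;
# use a write-only collection point the interactive user cannot clean up.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Enlarge the operational log so 4103/4104 events are not rolled over before
# the SIEM agent collects them (size is an assumption: 256 MB).
wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:268435456

# Verify the effective settings.
Get-ItemProperty "$base\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging
Get-ItemProperty "$base\ModuleLogging"      | Select-Object EnableModuleLogging
Get-ItemProperty "$base\Transcription"      | Select-Object EnableTranscripting, OutputDirectory
```

In a domain, deploy the same settings through Group Policy rather than per-host registry writes so they cannot be silently reverted, and forward the Microsoft-Windows-PowerShell/Operational log to central collection; script block logging on a host nobody collects from only helps during forensics, not detection.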
https://thehackernews.com/2025/02/north-korean-apt43-uses-powershell-and.html
https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/