New Kimsuky campaign takes aim at social media users

North Korean state-sponsored advanced persistent threat group Kimsuky has leveraged Facebook, Telegram, and email to compromise South Korean users as part of the AppleSeed hacking campaign, GBHackers News reports. After establishing initial contact with targets through breached or fake Facebook accounts, posing as North Korean defector volunteer researchers or missionaries, Kimsuky distributed malicious compressed files, most of them password-protected, according to an analysis from the Genians Security Center. These archives contained a malicious script that opened a decoy PDF and injected a malicious DLL, ultimately leading to remote access trojan compromise. Aside from utilizing XOR decryption, Base64 encoding, and RSA-encrypted RC4 keys, the RAT also allowed the exfiltration of targeted system information as PDF data, researchers said. Such a threat should prompt not only the use of dedicated decompression tools but also the adoption of more sophisticated endpoint detection solutions, as well as intensified cybersecurity awareness programs.