Full Report
A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet
Analysis Summary
# Threat Actor: APT43 (Kimsuky / Black Banshee / Emerald Sleet / Sparkling Pisces / Springtail / TA427 / Velvet Chollima)
## Attribution & Identity
Attributed to a North Korean nation-state threat actor.
Known Aliases: Kimsuky, APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
## Activity Summary
The actor is involved in an ongoing campaign dubbed **DEEP#DRIVE**, specifically targeting South Korean entities. The campaign relies on sophisticated, multi-stage operations initiated via tailored phishing lures written in Korean. The activity may have been underway since September of the preceding year.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Delivered via ZIP archives containing Windows shortcut (.LNK) files disguised as legitimate documents.
- **Payload Delivery/Execution:** Heavy reliance on PowerShell scripts for payload delivery, reconnaissance, and execution across multiple stages.
- **Persistence:** Establishes persistence on Windows hosts via a scheduled task named "ChromeUpdateTaskMachine".
- **Command and Control/Exfiltration:** Utilizes Dropbox for hosting lures/payloads and for data exfiltration, leveraging OAuth token-based API interactions.
- **Operational Security (OpSec):** Infrastructure (Dropbox links) appeared dynamic and short-lived, with rapid removal of key links complicating analysis.
## Targeting
- Sectors: Business, Government, and Cryptocurrency sectors.
- Geography: South Korea.
- Victims: Not explicitly named, but targets include South Korean businesses and government organizations.
## Tools & Infrastructure
- **Malware families used:** PowerShell scripts (used heavily throughout the attack chain) and an unidentified .NET assembly (final-stage payload).
- **Infrastructure (C2, domains, IPs):** Dropbox is used extensively for hosting lures and exfiltrating reconnaissance data via its API. No specific domains or IPs were mentioned, only the reliance on trusted cloud infrastructure.
## Implications
APT43 demonstrates a sophisticated approach by leveraging a trusted cloud service (Dropbox) with OAuth token authentication for C2 and exfiltration. This tactic effectively bypasses traditional IP/domain-based blocking mechanisms. The group's focus on integrating into typical business workflows (lures disguised as work logs, insurance, or crypto documents) and using native OS tools (PowerShell, Scheduled Tasks) suggests a focus on stealth and long-term compromise within South Korean infrastructure.
## Mitigations
- Monitor scheduled task creation, especially tasks masquerading as legitimate updaters (e.g., "ChromeUpdateTaskMachine").
- Implement elevated scrutiny for incoming documents delivered via email, particularly ZIP archives containing LNK files designed to execute PowerShell.
- Monitor network traffic/API calls related to authorized Dropbox integrations for suspicious access patterns or data transfers, especially OAuth token usage in connection with reconnaissance activity.
- Harden systems against PowerShell abuse and script execution from unexpected locations.
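The first two mitigations above can be turned into a simple detection pass. The following is an added example, not code from the report or from Securonix; the event field names and all sample values are constructed to loosely mirror Windows Security event 4698 (task created) and Sysmon event 1 (process create).

```python
import re

# Constructed sample events (not real telemetry); placeholder paths and values.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": r"\ChromeUpdateTaskMachine",
     "command": r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\update.ps1"},
    {"event_id": 4698, "task_name": r"\GoogleUpdateTaskMachineUA",
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -Command Get-Service"},
]

KNOWN_TASK = "chromeupdatetaskmachine"  # persistence indicator named in the report
# Legitimate Google updater tasks run a binary under the Google\Update folder.
GOOGLE_UPDATER = re.compile(r"\\google\\update\\googleupdate\.exe", re.I)
# Flags that hide the window, bypass execution policy, or pass an encoded script.
STEALTH_FLAGS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|e(nc|ncodedcommand)?\b)", re.I)

def check_task(ev):
    """Flag task creations that borrow a browser-update name but run something else."""
    name = ev["task_name"].lstrip("\\").lower()
    if name == KNOWN_TASK:
        return "task name matches DEEP#DRIVE persistence indicator"
    if ("chrome" in name or "google" in name) and not GOOGLE_UPDATER.search(ev["command"]):
        return "update-themed task name with non-Google action"
    return None

def check_process(ev):
    """Flag PowerShell launched by explorer.exe (the path a double-clicked LNK takes)
    with hidden/bypass/encoded flags, which a user-typed session rarely carries."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return None
    if ev["parent_image"].lower().endswith(r"\explorer.exe") and STEALTH_FLAGS.search(ev["command_line"]):
        return "powershell spawned by explorer.exe with hidden/bypass/encoded flags"
    return None

def scan(events):
    """Return (event_id, reason) for every event that trips a check."""
    findings = []
    for ev in events:
        reason = check_task(ev) if ev["event_id"] == 4698 else check_process(ev)
        if reason:
            findings.append((ev["event_id"], reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The genuine GoogleUpdate task and the interactive PowerShell session pass; the masquerading task and the explorer-launched hidden PowerShell are reported.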