Kimsuky APT Exploiting Facebook And MS Console For Targeted Attacks

Facebook and MS Console are often targeted by hackers, as they contain a lot of personal and sensitive data that can be used for identity theft, phishing, and other harmful activities.

When these systems are breached, threat actors use them to take control of user accounts, deliberately spread malware, and abuse the trust placed in these platforms to extend the reach and impact of their attacks.

Cybersecurity researchers at Genians recently identified that the North Korean Kimsuky APT group has been actively exploiting Facebook and MS Console for targeted attacks.

Kimsuky APT Exploiting Facebook

To target North Korean human rights activists, the Kimsuky APT group devised a new social engineering tactic of creating fake Facebook accounts impersonating South Korean officials.

Flowchart of the Kimsuky group’s Facebook-based ReconShark attack (Source – Genians)

Facebook Messenger was used to build up authenticity and distribute malicious OneDrive links that would deliver trojanized .msc files.

Facebook screen disguised as a public official and actual messenger attack screen (Source – Genians)

This campaign took advantage of little-known attack vectors and shared infrastructure with previous Japan-focused attacks delivering Korea-U.S.-Japan trilateral summit decoys.

It shows how Kimsuky is using unconventional means to infiltrate its targets. This information was revealed through joint efforts by Korea’s KISA and the private sector, researchers said.

All of the 60 anti-malware scanners employed at VirusTotal failed to notice the malicious file, making it clear that unknown patterns can still be used to defeat defenses.
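Because the .msc file passed every signature-based scanner, a structural check is one way to triage console files that arrive from download links. The sketch below is an added example, not code from Genians or from the original article: it lists taskpad tasks in a console file that start a command line. The element and attribute names (`MMC_ConsoleFile`, `Task`, `Type="CommandLine"`, `Command`, `CommandLine`/`Params`) are an assumption about the MMC console XML layout, and both samples are constructed.

```python
import xml.etree.ElementTree as ET

# Interpreters and LOLBins that a management console task rarely needs to start.
SUSPECT_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def local_name(tag):
    """Strip an XML namespace prefix such as '{ns}Task' -> 'Task'."""
    return tag.rsplit("}", 1)[-1]

def find_command_tasks(msc_text):
    """Return one finding per taskpad task that launches a command line.

    Assumed layout: <Task Type="CommandLine" Command="..."> with a
    child <CommandLine Params="..."/> element.
    """
    # Refuse DTDs so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in msc_text or "<!ENTITY" in msc_text:
        raise ValueError("DTD/entity declaration present; refusing to parse")
    root = ET.fromstring(msc_text)
    if local_name(root.tag) != "MMC_ConsoleFile":
        raise ValueError("not an MMC console file")
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "Task" or elem.get("Type", "").lower() != "commandline":
            continue
        command = elem.get("Command", "")
        params = " ".join(c.get("Params", "") for c in elem
                          if local_name(c.tag) == "CommandLine")
        # Compare on the file name only, so full paths are matched too.
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        findings.append({"command": command, "params": params,
                         "suspicious": binary in SUSPECT_BINARIES})
    return findings

# Constructed samples, not taken from the campaign.
SAMPLE_WITH_TASK = (
    '<MMC_ConsoleFile ConsoleVersion="3.0"><ConsoleTaskpads><ConsoleTaskpad>'
    '<Tasks><Task Type="CommandLine" Command="cmd.exe">'
    '<CommandLine Directory="" WindowState="Minimized" Params="/c echo constructed"/>'
    '</Task></Tasks></ConsoleTaskpad></ConsoleTaskpads></MMC_ConsoleFile>')
SAMPLE_PLAIN = '<MMC_ConsoleFile ConsoleVersion="3.0"><ConsoleTaskpads/></MMC_ConsoleFile>'

if __name__ == "__main__":
    for name, text in (("with task", SAMPLE_WITH_TASK), ("plain", SAMPLE_PLAIN)):
        print(name, find_command_tasks(text))
```

A finding with `suspicious` set is a reason to inspect the file by hand, not a verdict; legitimate consoles can define command tasks as well.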

The attackers used decoy documents and repackaged components disguised as Microsoft Office and security applications. The campaign uses an Indian C2 domain pointing at a Google Drive document as a lure.

Persistence was maintained through previously established Kimsuky campaigns during this 41-minute interval.

The malware utilized environment variables in VBScript to change files and provide remote access for downloading further malicious elements.

This incorporates tricks learned from previous…