Threat actors associated with the Democratic People’s Republic of Korea (DPRK) actively use GitHub as command-and-control (C2) infrastructure in multi-stage attacks targeting organizations in South Korea.
According to Fortinet FortiGuard Labs, the attack chain leverages obfuscated Windows shortcut (LNK) files as the entry point. These files drop a decoy PDF document alongside a PowerShell script, which prepares the next phase of the attack. Notably, attackers distribute these LNK files via phishing emails.
Once the payloads download, the system displays the PDF document to the victim. Meanwhile, the malicious PowerShell script executes silently in the background.
Subsequently, the script performs anti-analysis checks by scanning for processes linked to virtual machines, debuggers, and forensic tools. If it detects any such processes, the script immediately terminates.
Otherwise, the script extracts a Visual Basic Script (VBScript) and establishes persistence through a scheduled task. This task launches the PowerShell payload every 30 minutes in a hidden window, thereby evading detection. As a result, the system automatically executes the script after every reboot.
Data Collection and GitHub Exfiltration
Next, the PowerShell script profiles the compromised host, saves the results to a log file, and exfiltrates the data to a GitHub repository under the account “motoralis”, using a hard-coded access token.
Additionally, the campaign uses several GitHub accounts, including “God0808RAMA,” “Pigresy80,” “entire73,” “pandora0009,” and “brandonleeodd93-blip.”
Following this, the script parses a specific file within the same GitHub repository to retrieve additional modules or instructions. Consequently, the operator weaponizes the trust associated with GitHub to blend in and maintain persistent control over the infected system.
Furthermore, Fortinet noted that earlier versions of this campaign used LNK files to distribute malware such as Xeno RAT. In fact, researchers from ENKI and Trellix documented the use of GitHub C2 to deliver Xeno RAT and its variant MoonPeak last year. Analysts attributed these attacks to the North Korean state-sponsored group Kimsuky.
Importantly, the campaign emphasizes living-off-the-land binaries (LolBins) rather than complex malware.
“Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence,” security researcher Cara Lin said. “By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate.”
Related Kimsuky Campaign Using Dropbox
In parallel, AhnLab identified a similar LNK-based infection chain linked to Kimsuky, which ultimately deploys a Python-based backdoor.
As before, the LNK files execute a PowerShell script and create a hidden folder in the “C:\windirr” path to stage payloads. These include a decoy PDF and another LNK file disguised as a Hangul Word Processor (HWP) document.
Moreover, intermediate payloads establish persistence and execute another PowerShell script, which uses Dropbox as a C2 channel to download a batch script.
Next, the batch file downloads two separate ZIP fragments from a remote server (“quickcon[.]store”), combines them into a single archive, and extracts a Task Scheduler XML definition along with a Python backdoor. The scheduled task defined by that XML is what launches the implant.
The Python-based malware enables attackers to download additional payloads and execute commands from the C2 server. Specifically, it can run shell scripts, list directories, manage files (upload/download/delete), and execute BAT, VBScript, and EXE files.
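The behaviours reported above (a scheduled task that relaunches PowerShell in a hidden window on a short interval, PowerShell itself talking to GitHub, payloads staged under an unexpected top-level folder such as “C:\windirr”, and contact with the “quickcon[.]store” server) all leave traces in ordinary host telemetry. The script below is an added defender-side example, not code from the article or from Fortinet, AhnLab or the threat actor: it runs a small hunt over constructed process, scheduled-task and network events. The event field names, the baseline list of expected top-level folders, and the 60-minute interval threshold are assumptions chosen for illustration; the domain and hostnames come from the reporting.

```python
"""Hunt constructed host telemetry for the DPRK LNK -> PowerShell -> GitHub C2
tradecraft described above. Added example; event schema and thresholds are
assumptions, not a vendor format."""
import re

# Indicators named in the reporting (domain kept in its defanged form there).
KNOWN_BAD_DOMAINS = {"quickcon[.]store"}
GITHUB_HOSTS = {"github.com", "api.github.com"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed baseline: folders expected directly under a drive root on a workstation.
EXPECTED_TOP_LEVEL = {"windows", "program files", "program files (x86)",
                      "programdata", "users", "perflogs", "$recycle.bin"}
# Assumed tuning: a hidden PowerShell task repeating this often is suspicious.
MAX_BENIGN_INTERVAL_MIN = 60

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")


def refang(domain: str) -> str:
    """Turn the defanged 'quickcon[.]store' notation into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


BAD_DOMAINS = {refang(d) for d in KNOWN_BAD_DOMAINS}


def unexpected_top_level_dir(path: str) -> bool:
    """True when the path's first folder is not in the expected baseline (e.g. C:\\windirr)."""
    m = re.match(r"^[A-Za-z]:\\([^\\]+)", path)
    return bool(m) and m.group(1).lower() not in EXPECTED_TOP_LEVEL


def _scan_command(index: int, cmd: str, hidden_tag: str, findings: list) -> None:
    """Shared checks for a process command line or a scheduled-task action."""
    lowered = cmd.lower()
    if any(img in lowered for img in POWERSHELL_IMAGES) and HIDDEN_RE.search(cmd):
        findings.append((index, hidden_tag))
    for path in PATH_RE.findall(cmd):
        if unexpected_top_level_dir(path):
            findings.append((index, "unexpected_top_level_dir"))
            break


def hunt(events: list) -> list:
    """Return (event_index, rule_name) pairs for every event that matches a rule."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process":
            _scan_command(i, ev.get("cmdline", ""), "hidden_powershell", findings)
        elif kind == "task_created":
            interval = ev.get("interval_minutes")
            short = interval is not None and interval <= MAX_BENIGN_INTERVAL_MIN
            tag = "hidden_powershell_task" if short else "hidden_powershell"
            _scan_command(i, ev.get("action", ""), tag, findings)
        elif kind == "network":
            host = ev["dest_host"].lower()
            if ev["image"].lower() in POWERSHELL_IMAGES and host in GITHUB_HOSTS:
                findings.append((i, "powershell_to_github"))
            if host in BAD_DOMAINS:
                findings.append((i, "known_bad_domain"))
    return findings


# Constructed sample telemetry: four events modelled on the reported chain and
# two benign events that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\windirr\stage.ps1"},
    {"type": "task_created", "task_name": "Updater", "interval_minutes": 30,
     "action": r"powershell.exe -w hidden -File C:\windirr\stage.ps1"},
    {"type": "network", "image": "powershell.exe", "dest_host": "api.github.com"},
    {"type": "network", "image": "powershell.exe", "dest_host": "quickcon.store"},
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\scripts\backup.ps1"},
    {"type": "network", "image": "chrome.exe", "dest_host": "github.com"},
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The GitHub rule fires only for PowerShell as the connecting image, since a browser or git client reaching github.com is routine; the value of the rule is the pairing of an unusual process with a trusted destination, which is exactly what the campaign relies on to blend in. The top-level-folder baseline should be built from the organisation's own gold images rather than the constructed set here.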
Shift to HWP-Based Delivery and RokRAT
Finally, these findings align with ScarCruft’s shift from traditional LNK-based attacks to an HWP OLE-based dropper used to deliver RokRAT, a remote access trojan linked exclusively to North Korean operations, according to S2W.
In this method, attackers embed malware as an OLE object within an HWP document and execute it via DLL side-loading.
“Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” the South Korean security company said.
Source: TheHackerNews