Cybersecurity experts have uncovered a sophisticated cyberattack targeting pharmaceutical companies, orchestrated by the North Korean state-sponsored group, Kimsuky. This campaign employs malware hidden in what appears to be a legitimate Excel file, posing a significant threat to the pharmaceutical sector.
Malware Disguised as Business Document
The attackers target employees by sending a Windows shortcut file named ‘White Life Science ERP Specification.lnk,’ camouflaged so that, with extensions hidden, it looks like a standard Excel spreadsheet. Opening the file sets off a series of concealed scripts that execute malicious code, with nothing visible to the user to suggest that anything other than a spreadsheet has been opened.
This deception strategy highlights the persistent reliance of advanced threat actors on basic yet effective tactics to infiltrate sensitive industries. By impersonating a reputable drug manufacturer, the attackers increase the credibility of their harmful document.
Technical Insight into the Attack
Wezard4u analysts have meticulously dissected the malware, identifying its multi-layered structure. The .lnk file serves as a container for various components, including a decoy Excel file, a PowerShell script, a JavaScript file, and a Windows Task Scheduler XML, all condensed into a 23,079-byte shortcut.
The malware’s execution chain, from LNK to XML to JavaScript to PowerShell, is designed to evade detection. The PowerShell script extracts each component from the shortcut and runs it, keeping a low profile. Because the work is spread across several stages, no single stage looks obviously malicious on its own, which makes the chain hard to identify at any one point.
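The structure described above (a shortcut that is far larger than a shortcut needs to be, carrying a decoy document, script text and a task definition) lends itself to a simple static triage check. The following PowerShell function is an added example, not code from the article or from the Wezard4u analysis; the size cut-off, the marker list and the quarantine path are assumptions chosen for illustration.

```powershell
# Added triage example; not code from the original article or from the
# Wezard4u analysis. It performs static checks on a shortcut file that may
# carry embedded payloads of the kind described above. The size threshold
# and the marker list are assumptions chosen for illustration.

function Find-ByteSequence {
    param([byte[]]$Haystack, [byte[]]$Needle, [int]$Start = 0)
    # Returns the first offset at which $Needle occurs in $Haystack, or -1.
    for ($i = $Start; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $match = $false; break }
        }
        if ($match) { return $i }
    }
    return -1
}

function Test-SuspiciousLnk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Ordinary shortcuts are well under a few KB; the sample discussed
        # above is 23,079 bytes. 8 KB is an assumed cut-off, not a standard.
        [int]$SizeThreshold = 8192
    )

    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $findings = New-Object System.Collections.Generic.List[string]

    # Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
    # {00021401-0000-0000-C000-000000000046}, little-endian on disk.
    $lnkMagic = [byte[]](0x4C,0,0,0, 0x01,0x14,0x02,0,0,0,0,0, 0xC0,0,0,0,0,0,0,0x46)
    if ((Find-ByteSequence -Haystack $bytes -Needle $lnkMagic) -ne 0) {
        $findings.Add('File does not start with a Shell Link header')
    }

    if ($bytes.Length -gt $SizeThreshold) {
        $findings.Add("Oversized shortcut: $($bytes.Length) bytes")
    }

    # Text markers for the components named above (script interpreters, a
    # Task Scheduler definition, a cloud sync API). Shortcut string fields are
    # UTF-16LE while appended payloads are usually ASCII, so check both.
    $markers = 'powershell', 'wscript', 'cscript', 'SysWOW64', '<Task', '<?xml', 'dropbox'
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $utf16 = [System.Text.Encoding]::Unicode.GetString($bytes)
    foreach ($m in $markers) {
        if ($ascii.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0 -or
            $utf16.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $findings.Add("Marker present: $m")
        }
    }

    # Signatures of an embedded decoy document: OLE2 (.xls) or ZIP/OOXML (.xlsx).
    $signatures = @{
        'OLE2 document'      = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1)
        'ZIP/OOXML document' = [byte[]](0x50,0x4B,0x03,0x04)
    }
    foreach ($name in $signatures.Keys) {
        $offset = Find-ByteSequence -Haystack $bytes -Needle $signatures[$name]
        if ($offset -ge 0) { $findings.Add("$name embedded at offset $offset") }
    }

    [pscustomobject]@{
        Path       = $Path
        Size       = $bytes.Length
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

# Usage (assumed directory): triage every shortcut in an attachment quarantine folder.
Get-ChildItem -Path 'C:\Quarantine' -Filter '*.lnk' -File |
    ForEach-Object { Test-SuspiciousLnk -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List
```

The checks are deliberately coarse: a legitimate shortcut to a PowerShell script will also trip the interpreter marker, so the output is a prioritisation aid for an analyst, not a verdict. The useful signal is the combination of findings, in particular an oversized shortcut that also contains a document signature or a task definition, which has no benign explanation.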
Impact and Protective Measures
The attack poses a substantial risk to the pharmaceutical industry, which safeguards sensitive research, patient data, and proprietary drug formulations. Kimsuky’s history of targeting academia, government, and research institutions now extends into life sciences, threatening to compromise confidential clinical data.
Security teams are advised to enable file extension visibility in Windows so that .lnk files cannot be mistaken for Excel documents. It is also important to monitor and restrict PowerShell executions launched from the SysWOW64 path (the 32-bit PowerShell host), audit scheduled tasks for unfamiliar entries, and flag unusual Dropbox API connections within corporate networks.
Additionally, loading the file hashes published with the analysis into endpoint detection systems will help to identify and isolate compromised systems quickly.
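The five measures above can be applied and checked from a single script on a Windows host. The following is an added example, not code from the article: it assumes it runs elevated, that process-creation auditing with command-line logging (Security event 4688) is enabled, that Sysmon is installed for network-connection events (ID 3), and that the Dropbox hostnames are the ones to watch; the hash list holds placeholders, since the article itself does not reproduce the hashes.

```powershell
# Added example; not code from the original article. It applies and audits
# the measures listed above on a single Windows host. Assumptions: it runs
# elevated, process-creation auditing (Security event 4688 with command
# line) is enabled, and Sysmon is installed for network events (ID 3). The
# hash list below holds placeholders, not real indicators.

# 1. Show file extensions so a shortcut cannot pass for a workbook.
function Enable-FileExtensionVisibility {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads this at start-up; sign out or restart explorer.exe to apply.
}

# 2. List scheduled tasks whose action launches a script interpreter. Some
#    built-in Microsoft tasks do this too, so baseline them rather than
#    treating every hit as malicious.
function Get-ScriptLaunchingTask {
    param([switch]$ExcludeMicrosoft)
    $interpreters = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'SysWOW64'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        if ($ExcludeMicrosoft -and $task.TaskPath -like '\Microsoft\*') { return }
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $hit = $interpreters | Where-Object { $cmd -match [regex]::Escape($_) }
            if ($hit) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                    Matched  = ($hit -join ',')
                }
            }
        }
    }
}

# 3. Process creations of the 32-bit PowerShell host from SysWOW64.
function Get-SysWow64PowerShellStart {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\SysWOW64\\WindowsPowerShell\\' } |
        Select-Object TimeCreated, Id, Message
}

# 4. Sysmon network connections to Dropbox hosts (assumed hostnames).
function Get-DropboxApiConnection {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'dropboxapi\.com|dropbox\.com' } |
        Select-Object TimeCreated, Message
}

# 5. Compare files under a path against the hashes published with the
#    analysis (placeholders here; Get-FileHash returns upper-case hex).
function Find-KnownBadFile {
    param([string]$Root, [string[]]$Sha256List)
    $bad = @{}
    foreach ($h in $Sha256List) { $bad[$h.ToUpperInvariant()] = $true }
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($bad.ContainsKey($hash)) { $_.FullName }
        }
}

# Usage
Enable-FileExtensionVisibility
Get-ScriptLaunchingTask -ExcludeMicrosoft | Format-Table -AutoSize
Get-SysWow64PowerShellStart | Format-List
Get-DropboxApiConnection | Format-List
Find-KnownBadFile -Root "$env:USERPROFILE\Downloads" -Sha256List @(
    'SHA256_PLACEHOLDER_FROM_VENDOR_REPORT_1',
    'SHA256_PLACEHOLDER_FROM_VENDOR_REPORT_2'
)
```

Two caveats for use at scale: the registry change in step 1 is per-user, so in a managed estate it belongs in Group Policy rather than a script, and the event-log queries in steps 3 and 4 only see what the host has been configured to record, so confirm that command-line auditing and Sysmon are actually in place before trusting an empty result.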
