Recent investigations have revealed that cyber attackers linked to North Korea are using GitHub as a command-and-control (C2) platform in a series of attacks targeting South Korean entities. The campaign, uncovered by Fortinet FortiGuard Labs, is a multi-stage intrusion that starts with obfuscated Windows shortcut (LNK) files, which are believed to be distributed through phishing emails.
Innovative Use of GitHub in Cyber Attacks
The attack begins when the victim opens the LNK file, which unpacks a decoy PDF document and a hidden PowerShell script. While the PDF holds the user's attention, the script runs silently and checks whether it is executing inside a virtual machine or alongside forensic and analysis tools. If it finds any, it exits immediately so that sandboxes and analysts see nothing further.
If no such environment is detected, the PowerShell script drops a Visual Basic Script (VBScript) and registers a scheduled task that launches the malicious PowerShell payload every 30 minutes. Because scheduled tasks survive reboots, this gives the implant a low-noise foothold that is re-established automatically without any additional user interaction.
Exfiltration and Command Manipulation
The PowerShell script then profiles the compromised system, writes the results to a log file and uploads it to a GitHub repository controlled by the account 'motoralis'. Several other GitHub accounts, including 'God0808RAMA' and 'brandonleeodd93-blip', have been identified as part of the same campaign; the implant polls them to fetch additional instructions or modules.
Hosting the C2 channel on GitHub lets the traffic blend in: connections to github.com are rarely blocked and look like ordinary developer activity, so perimeter controls and reputation-based filtering have little to work with. The result is sustained, hard-to-spot control over infected machines.
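The two traits described above, a scheduled task that re-launches a script host every 30 minutes and a payload that talks to GitHub, are both visible from the host itself. The following hunting script is an added example for defenders and is not code from Fortinet's report or from the campaign; it enumerates scheduled tasks whose action runs PowerShell or another script host on a short repetition interval, decodes any -EncodedCommand argument, and flags command lines that reference GitHub. The script-host list, the 30-minute threshold and the report path are assumptions chosen for illustration and can be adjusted.

```powershell
# Added hunting script (not from the Fortinet report): find scheduled tasks that
# launch a script host on a short repetition interval and inspect their arguments.
# Assumptions: run in an elevated PowerShell session on the host being examined;
# the 30-minute threshold matches the interval reported for this campaign.
param(
    [int]$MaxIntervalMinutes = 30,
    [string]$Report = "$env:TEMP\suspicious-tasks.csv"
)

# Script hosts commonly abused for living-off-the-land persistence (assumed list).
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe')
$findings = @()

foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute path
        $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
        if ($scriptHosts -notcontains $exe) { continue }

        # Repetition.Interval is an ISO 8601 duration such as PT30M; convert it to minutes.
        $minutes = $null
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval
            if ($interval) {
                $minutes = [System.Xml.XmlConvert]::ToTimeSpan($interval).TotalMinutes
                break
            }
        }
        if ($null -eq $minutes -or $minutes -gt $MaxIntervalMinutes) { continue }

        # Decode -EncodedCommand (UTF-16LE, base64) so obfuscated URLs become visible.
        $arguments = [string]$action.Arguments
        $decoded = ''
        if ($arguments -match '-(encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            } catch { $decoded = '<base64 decode failed>' }
        }

        $findings += [pscustomobject]@{
            TaskPath     = $task.TaskPath
            TaskName     = $task.TaskName
            Executable   = $exe
            IntervalMin  = $minutes
            HiddenWindow = [bool]($arguments -match '-w(indowstyle)?\s+hidden')
            RefsGitHub   = [bool](($arguments + ' ' + $decoded) -match 'github\.com|githubusercontent\.com')
            Arguments    = $arguments
            Decoded      = $decoded
        }
    }
}

$findings | Sort-Object IntervalMin | Format-Table TaskPath, TaskName, Executable, IntervalMin, HiddenWindow, RefsGitHub -AutoSize
$findings | Export-Csv -NoTypeInformation -Path $Report
Write-Host "$($findings.Count) task(s) matched; details written to $Report"
```

A match is a lead, not a verdict: legitimate software also schedules PowerShell on short intervals, so review the TaskPath, the decoded command line and the task's creation time together. Pivoting from a hit to proxy or DNS logs for the same host will show whether the GitHub traffic carries uploads (exfiltration) or only downloads (tasking).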
Shifting Techniques and Broader Implications
Earlier waves of this campaign used LNK files to deploy malware such as Xeno RAT, and the use of GitHub as C2 infrastructure had previously been documented by ENKI and Trellix. The operations are attributed to Kimsuky, a group assessed to be sponsored by the North Korean state.
Fortinet researcher Cara Lin notes that the attackers rely on native Windows tools to minimize detection rather than on complex custom malware. This approach broadens the range of potential targets while keeping a low profile.
In a related development, AhnLab has documented a similar LNK-based infection chain from Kimsuky that ultimately deploys a Python-based backdoor. That chain strings together several payloads, including decoy documents and batch scripts, to establish persistence and communication with a C2 server.
The findings coincide with ScarCruft's shift from LNK-based attacks to Hangul Word Processor (HWP) OLE-based droppers for delivering RokRAT, a remote access trojan associated with North Korean operations. The change underlines how North Korean actors keep adjusting their initial-access tradecraft to evade detection while pursuing the same objectives.
