Search This Blog

Powered by Blogger.

Blog Archive

Labels

TARK#MULE Cyber Attack Campaign Tricking Koreans with U.S. Military-Themed Documents

The group used social engineering techniques to initiate phishing attacks, thereby delivering malicious payloads onto targeted networks.
A relentless cyber attack campaign has been launched, specifically targeting Korean-speaking individuals. The attackers are employing deceptive tactics, using U.S. Military-themed document lures to deceive unsuspecting victims into executing malware on their compromised systems. 

Following the incident, Securonix – a cybersecurity firm – dubbed this sophisticated cyber attack campaign as 'STARK#MULE.' The full extent of the attacks remains undisclosed, leaving uncertainty about the number of victims impacted.  As of now, it remains unclear whether any of the attack attempts have resulted in successful compromises. The situation calls for continued monitoring and vigilance to safeguard potential targets from threats posed by the ongoing campaign. 

According to the report, “these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials”.  APT37, also known as Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a nation-state actor affiliated with North Korea. Its primary focus lies exclusively on targeting entities within South Korea, particularly those involved in reporting on North Korea and supporting defectors. 

The group has utilized social engineering techniques to initiate phishing attacks, thereby delivering malicious payloads like RokRat onto targeted networks. However, recent developments indicate that adversaries have broadened their offensive capabilities, incorporating various malware families into their tactics. Among the new additions is a Go-based backdoor named AblyGo. 

The campaign exhibits a distinctive strategy, leveraging compromised Korean e-commerce websites for both staging malicious payloads and establishing command-and-control (C2) operations. This clever maneuver aims to evade detection by security solutions installed on targeted systems. 

By utilizing legitimate platforms, the threat actors attempt to fly under the radar and maintain a cloak of stealth during their activities. This innovative approach poses a new challenge for cybersecurity experts in their efforts to protect against evolving threats and reinforces the need for enhanced security measures across digital landscapes. 

As per the information, APT37 has adopted a new tactic, utilizing CHM files in phishing emails to impersonate security communications from financial institutions and insurance companies. The objective is to deceive victims and prompt them to open these malicious files, thereby deploying information-stealing malware and other harmful binaries onto their systems. This observation was made by the AhnLab Security Emergency Response Center (ASEC), shedding light on the threat actor's evolving techniques. 

Using CHM files in disguise poses a significant concern for security teams as they strive to mitigate the risks of cyber-attacks and safeguard sensitive data from sophisticated threat actors. APT37 stands among several North Korean state-sponsored groups that have garnered attention for executing sophisticated cyber attacks aimed at achieving financial theft, as evident from the recent attacks on Alphapo and CoinsPaid. 

Moreover, the group's activities also revolve around gathering intelligence to further the regime's political and national security objectives. This dual focus on financial gains and intelligence acquisition underscores the significance of countering APT37's actions to protect the interests of targeted organizations and safeguard critical national security information from falling into the wrong hands.
Share it:

APT37

cyber attack

Cyber Attacks

Cyber campaign

Korean hackers

TARK#MULE Cyber Attack Campaign