Friday, May 24, 2024

North Korean Hackers Abusing Facebook & MS Management Console

The North Korean hacking group known as Kimsuky has been reported to employ sophisticated methods involving social media platforms and system management tools to conduct espionage activities.

This revelation highlights the evolving tactics of cyber adversaries and the increasing complexity of protecting digital assets.

Utilizing Facebook for Initial Infiltration

According to a recent report from Genians, Kimsuky, a notorious cyber-espionage group, has been observed using Facebook to target individuals involved in North Korean human rights and security affairs.


The attackers create fake Facebook profiles that impersonate legitimate South Korean public officials, engaging with potential targets through friend requests and personal messages.


This method of social engineering is designed to build trust and lure the targets into a trap.

The deceptive strategy involves using these Facebook accounts to initiate conversations and eventually share malicious links or documents.


The group’s meticulous approach ensures that the interactions appear legitimate, leveraging the social platform’s widespread use and users’ inherent trust in their connections.

Microsoft Management Console as a Weapon

Further complicating the threat landscape, Kimsuky has adopted Microsoft Management Console (MMC) files, specifically crafted to execute malicious commands on the victim’s system. 

These files, typically with the .msc extension, are disguised as innocuous documents but are designed to trigger unauthorized actions when opened.


The MMC files are configured to appear as regular Word documents, with icons and metadata that mimic legitimate files.

Once the victim interacts with these files, the embedded malicious code executes, potentially allowing the attackers to gain control over the system or exfiltrate sensitive information.

Upon successful deployment of the MMC-based malware, Kimsuky establishes a command and control (C2) channel to manage the compromised systems remotely.

This setup is part of a broader infrastructure that includes multiple stages of malware deployment and data extraction.

The C2 servers are often masked to evade detection and orchestrate data collection from the infected machines.

This data can include keystrokes, system information, and other sensitive details that are valuable for espionage purposes.
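The article describes .msc console files disguised as Word documents that execute commands when opened. The following is an added detection example, not code from the article or from Genians: it triages constructed Sysmon-style process-creation events, flagging .msc files whose names imitate documents (a double extension such as report.docx.msc) and mmc.exe spawning a shell or script host. The event field names, the suspicious-child list and the sample events are assumptions.

```python
import re
from typing import Optional

# Child processes that mmc.exe has no ordinary reason to spawn while a console
# file is merely being viewed (defender assumption, not taken from the report).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Extensions an attacker might place before ".msc" so the file reads as a document.
DOC_LIKE = (".doc", ".docx", ".hwp", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
MSC_PATH_RE = re.compile(r'"?([^"\s]+?\.msc)"?', re.IGNORECASE)

# Constructed sample events in a Sysmon-like shape; not telemetry from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\kim\Downloads\NK_Rights_Report.docx.msc"',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\eventvwr.msc"'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_msc_path(cmdline: str) -> Optional[str]:
    """Return the .msc file referenced on a command line, if any."""
    m = MSC_PATH_RE.search(cmdline)
    return m.group(1) if m else None


def is_disguised_msc(path: str) -> bool:
    """True when a .msc file name imitates a document, e.g. report.docx.msc."""
    name = basename(path)
    return name.endswith(".msc") and name[:-4].endswith(DOC_LIKE)


def suspicious_mmc_child(event: dict) -> bool:
    """True when mmc.exe is the parent of a shell or script host."""
    return (basename(event.get("ParentImage", "")) == "mmc.exe"
            and basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN)


def triage(events: list) -> list:
    """Return (event index, reason) pairs that deserve analyst attention."""
    findings = []
    for i, ev in enumerate(events):
        msc = extract_msc_path(ev.get("ParentCommandLine", "") + " " + ev.get("CommandLine", ""))
        if msc and is_disguised_msc(msc):
            findings.append((i, f"document-lookalike console file: {basename(msc)}"))
        if suspicious_mmc_child(ev):
            findings.append((i, f"mmc.exe spawned {basename(ev['Image'])}"))
    return findings


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Only the first sample event is flagged (on both rules); the legitimate eventvwr.msc launch from Explorer is left alone.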

Implications and Countermeasures

The use of social media platforms like Facebook for initial contact, followed by the deployment of system management tools to execute the attack, represents a significant escalation in cyber threat tactics.

These methods indicate a shift towards more stealthy and socially engineered attacks that can bypass conventional security measures.

To counter these threats, cybersecurity experts recommend heightened vigilance in social media interactions, especially with unknown contacts.

Additionally, organizations should implement advanced threat detection systems that can identify and neutralize sophisticated malware, such as the MMC files used by Kimsuky.


The recent activities of the Kimsuky group underscore the continuous evolution of cyber threat actors and the need for robust cybersecurity defenses.

As these threats grow in sophistication, the global community must remain proactive in developing and deploying advanced security technologies and practices to protect sensitive information and critical infrastructure from the clutches of malicious actors.

Indicator of Compromise


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
