According to Fortinet FortiGuard Labs, the attack chain started with hidden Windows shortcut (LNK) files. The LNK files are used to drop a fake PDF file and a PowerShell script.

Some of the GitHub accounts that are part of this campaign are "God0808RAMA," "Pigresy80," "entire73," "pandora0009," and "brandonleeodd93-blip." According to S2W, the findings are in line with ScarCruft's switch from traditional LNK-based attack chains to an HWP OLE-based dropper for delivering RokRAT, a remote access trojan used exclusively by the North Korean hacking group. It's worth noting that ENKI and Trellix wrote last year about how GitHub was used as C2 infrastructure to spread the Xeno RAT and its variant MoonPeak.

This case shows how new dropper and downloader malware can be used to deliver shellcode and RokRAT payloads, a departure from previous attack chains that went from LNK-dropped BAT scripts straight to shellcode. S2W, a South Korean security company, says that a group based in South Korea carried out the attack, and that the group used both LNK files and downloaders to deliver the payload to the victim's computer.

The company says that the attack used several kinds of malware, including a new dropper, a downloader, and a new version of the RokRAT malware.

S2W adds that new droppers and downloaders were used to deliver the payload. This kind of malware can deliver payloads in a number of ways, including through command-and-control (C&C) infrastructure.