The North Korea-backed APT group Kimsuky has escalated its cyber operations by weaponizing GitHub repositories for malware delivery and data exfiltration, marking a sophisticated evolution in their attack methodology.
This latest campaign demonstrates the group’s growing expertise in abusing legitimate cloud infrastructure to evade traditional security measures while maintaining persistent access to compromised systems.
The attack chain begins with a malicious ZIP archive containing an LNK file disguised as an electronic tax invoice (전자세금계산서.pdf.lnk).
When executed, this weaponized shortcut launches a PowerShell command that downloads and executes additional malicious scripts from attacker-controlled GitHub repositories.
The initial payload establishes a foundation for systematic data collection and maintains long-term persistence on infected systems.
S2W researchers identified nine private GitHub repositories associated with this campaign, including group_0717, group_0721, test, hometax, and group_0803.
The threat actors embedded hardcoded GitHub Private Tokens directly within their PowerShell scripts to access these repositories, demonstrating careful operational security planning.
Analysis of commit histories revealed the attacker’s email address (sahiwalsuzuki4[@]gmail.com) used during GitHub account creation.
The malware’s persistence mechanism represents a particularly sophisticated approach to maintaining long-term access.
Upon initial infection, the main.ps1 script creates a file named MicrosoftEdgeUpdate.ps1 under the %AppData% directory and establishes a scheduled task with the name “BitLocker MDM policy Refresh{DBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00}”.
This task executes every 30 minutes after an initial 5-minute delay, creating an automated system for fetching and executing updated PowerShell scripts from the GitHub repository.
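A host-side hunt for scheduled-task persistence of the kind described above, added here as an example and not code from the report or from the malware. It assumes it is run in an elevated PowerShell session on the Windows host under review; the task-name and script-name indicators come only from the text above, and the 60-minute interval threshold is an assumed tuning value.

```powershell
# Hunt for scheduled tasks that run PowerShell scripts from a user-writable
# AppData path on a short repeat interval, or that carry the names reported above.
$taskNamePattern    = 'BitLocker MDM policy Refresh'   # task name reported in the article
$scriptNamePattern  = 'MicrosoftEdgeUpdate\.ps1'        # dropped script reported in the article
$maxIntervalMinutes = 60                                 # assumed threshold for "short" repetition

function ConvertFrom-IsoMinutes {
    # Task Scheduler stores repetition intervals as ISO 8601 durations, e.g. "PT30M".
    param([string]$Duration)
    if ([string]::IsNullOrEmpty($Duration)) { return $null }
    return [int][System.Xml.XmlConvert]::ToTimeSpan($Duration).TotalMinutes
}

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = @()
    $runsPsFromAppData = $false

    if ($task.TaskName -match $taskNamePattern) { $reasons += 'task name matches reported persistence task' }

    foreach ($action in $task.Actions) {
        # Only MSFT_TaskExecAction has Execute/Arguments; other action types yield $null here.
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell' -and $cmd -match 'AppData') {
            $runsPsFromAppData = $true
            $reasons += "PowerShell launched from AppData: $cmd"
        }
        if ($cmd -match $scriptNamePattern) { $reasons += 'reported script name in task action' }
    }

    # Report the shortest repeat interval as supporting context, not as a trigger on its own,
    # because many legitimate tasks also repeat frequently.
    $intervals = foreach ($t in $task.Triggers) { ConvertFrom-IsoMinutes $t.Repetition.Interval }
    $shortest  = ($intervals | Where-Object { $_ } | Measure-Object -Minimum).Minimum
    if ($runsPsFromAppData -and $shortest -and $shortest -le $maxIntervalMinutes) {
        $reasons += "repeats every $shortest minutes"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            TaskName = $task.TaskName
            TaskPath = $task.TaskPath
            Author   = $task.Author
            Reasons  = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Any hit should be triaged by pulling the referenced script from disk and checking the task's creation time against the host's other activity before the task is disabled or removed.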
Dynamic Script Management and Information Gathering
The malware employs a dynamic script management system that timestamps infected systems and creates customized folders for data exfiltration.
The PowerShell payload downloads a file named real.txt from the repository, replaces placeholder strings with timestamped values (ntxBill_{MMdd_HHmm}), and re-uploads the modified script using a time-specific filename format.
This mechanism allows attackers to track individual infections and manage multiple compromised systems simultaneously.
The information-stealing component collects comprehensive system metadata including IP addresses, boot times, operating system details, hardware specifications, device types, installation dates, and running processes.
All collected data is compiled into log files and uploaded to the attacker’s repository under timestamped folders, creating an organized intelligence database for the threat actors.