North Korean Kimsuky APT Exploiting Facebook And MS Console For Targeted Attacks

Facebook and MS Console are often targeted by hackers, as they contain a lot of personal and sensitive data that can be used for identity theft, phishing, and other harmful activities.

When these systems are breached, threat actors use them to control user accounts, deliberately spread malware, and use trusted platforms for wider-reaching online strikes that have a magnified impact.


Cybersecurity researchers at Genians recently identified that North Korean Kimsuky APT has been actively exploiting Facebook and MS Console for targeted attacks.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Kimsuky APT Exploiting Facebook

To target North Korean human rights activists, the Kimsuky APT group devised a new social engineering tactic of creating fake Facebook accounts impersonating South Korean officials.

Flowchart of the Kimsuky group’s Facebook-based ReconShark attack (Source – Genians)

Facebook Messenger was used to build up authenticity and distribute malicious OneDrive links that would deliver trojanized .msc files.

Facebook screen disguised as a public official and actual messenger attack screen (Source – Genians)

This campaign took advantage of little-known attack vectors and shared infrastructure with previous Japan-focused attacks delivering Korea-U.S.-Japan trilateral summit decoys.

It shows how Kimsuky is using unconventional means to infiltrate its targets. This information was revealed through joint efforts by Korea’s KISA and the private sector, researchers said.

All of the 60 anti-malware scanners employed at VirusTotal failed to notice the malicious file, making it clear that unknown patterns can still be used to defeat defenses.

The attackers used decoy documents and repackaged parts pretending to be Microsoft Office and security applications. It uses an Indian C2 domain pointing at a Google Drive document as a lure.

Persistence was maintained through previously established Kimsuky campaigns during this 41-minute interval.

The malware utilized environment variables in VBScript to change files and provide remote access for downloading further malicious elements.

This incorporates tricks learned from previous Kimsuky attacks with some new vectors to show the group’s changing capabilities.

A command is executed to get the computer battery and process information through WMI and has “sch_vbs_ok_ENTER” or “sch_vbs_no_ENTER” in its output depending on whether temp.vbs exists.

After that, the collected data gets sent to r.php on the C2 server, substituting spaces for underscores. The VBS file uses Modi(a0) function while connecting to another C2 server.

Also, this aligns with TTPs seen in previous Kimsuky campaigns, such as the macro function in Research Proposal-Haowen Song.doc.

It also means that payloads are delivered by d.php from vbtmp or battmp depending on conditions ultimately resulting in cmd.exe command execution that writes into appdata.

The first quarter of 2024 was marked by spear phishing and LNK malware attacks in Korea, with covert social media vectors utilized for their sneaky, selective character. 

MSC malware constitutes the defender against anti-virus consequently leading to better prevention solutions like behavior-based detection. 

GSC carried out its investigations through public-private collaboration with KISA, where they used indicators, staged a mock attack, and confirmed response capabilities through Genian EDR.

It’s through assistance from U.S. security experts that swift analysis and countermeasures against this campaign using various new tactics could be put in place.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.