DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks Targeting South Korea
TL;DR
North Korean state-sponsored threat actors are increasingly leveraging legitimate platforms like GitHub and Dropbox for Command-and-Control (C2) infrastructure. By using obfuscated LNK files and native Windows tools (LOLBins, "living off the land" binaries), these attackers target South Korean organizations with multi-stage payloads designed to evade traditional security detections.
Recent investigations by Fortinet FortiGuard Labs have uncovered a sophisticated multi-stage campaign attributed to threat actors linked to the Democratic People's Republic of Korea (DPRK). The campaign stands out for its transition away from complex custom malware in favor of native Windows tools and the exploitation of trusted cloud platforms—specifically GitHub—to manage infected hosts.
The Infection Chain: From Phishing to Persistence
The attack typically begins with phishing emails containing malicious, obfuscated Windows shortcut (LNK) files. When a user executes the LNK file, a dual-action process occurs:
- Decoy Deployment: A legitimate-looking PDF document is displayed to the victim to lower suspicion.
- Silent Execution: A malicious PowerShell script runs in the background.
Before proceeding, the PowerShell script performs intensive environmental checks. It scans for running processes associated with virtual machines, debuggers, and forensic analysis tools. If the script detects it is being analyzed in a sandbox or by a researcher, it immediately terminates execution.
Leveraging GitHub as a C2 Channel
If the environment is deemed "safe," the script extracts a VBScript and establishes persistence. It creates a scheduled task that executes the PowerShell payload every 30 minutes in a hidden window, ensuring the malware survives system reboots.
The script then profiles the compromised host, logs the data, and exfiltrates it to a GitHub repository. Researchers identified several GitHub accounts used in this campaign, including "motoralis," "God0808RAMA," and "Pigresy80."
By using a hard-coded GitHub access token, the script can:
- Exfiltrate Data: Upload system logs directly to the repository.
- Receive Instructions: Parse specific files within the repository to fetch additional modules or commands.
"Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence," noted security researcher Cara Lin. This "Living off the Land" (LotL) approach allows the attackers to maintain a low detection rate by blending in with legitimate network traffic.
Ties to Kimsuky and Evolving Tactics
The tactics observed align with the North Korean group known as Kimsuky. Historically, this group has used GitHub to distribute malware families like Xeno RAT and its variant, MoonPeak.
Recent reports from AhnLab highlight a parallel infection chain where Kimsuky used Dropbox as a C2 channel. In that variation, the attackers used a batch script to download ZIP fragments, which were then combined to deploy a Python-based backdoor capable of:
- Executing shell scripts and commands.
- Listing, uploading, downloading, and deleting files.
- Running EXE, VBScript, and BAT files.
ScarCruft and the Shift to HWP Droppers
The broader landscape of DPRK-linked activity shows a continuous evolution of delivery methods. While GitHub-based LNK attacks are rising, the threat actor ScarCruft has been observed moving toward HWP (Hangul Word Processor) OLE-based droppers.
According to security firm S2W, ScarCruft is now embedding malware as OLE objects within HWP documents and utilizing DLL side-loading to deliver RokRAT, a remote access trojan used exclusively by North Korean groups. This confirms a trend where attackers are diversifying their entry vectors—moving from LNK-dropped scripts to newly developed dropper and downloader malware.
Conclusion
The shift toward using GitHub, Dropbox, and native Windows utilities represents a strategic move by North Korean actors to weaponize the trust associated with legitimate services. By minimizing the use of suspicious executable files and leveraging platform-as-a-service infrastructure for C2, these groups are becoming increasingly difficult to detect through traditional perimeter defenses.
Organizations, particularly those in South Korea, are advised to monitor for unusual PowerShell activity, unauthorized scheduled tasks, and unexpected connections to GitHub API endpoints.
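The three monitoring recommendations above can be turned into concrete hunting logic. The following Python is an added example written for this page, not code from Fortinet, AhnLab or the article; it runs over constructed sample telemetry (process-creation command lines, scheduled-task definitions and per-process network events) with placeholder hosts, paths and account names, and flags hidden PowerShell launches, short-interval scheduled tasks that relaunch a script host, and GitHub API traffic that originates from a script host rather than a browser or git client. The event shapes and the name "WindowsUpdateCheck" are assumptions made for the sample, not indicators from the campaign.

```python
"""
Hunt for the three indicators the article recommends watching: hidden
PowerShell execution, scheduled tasks that relaunch PowerShell on a short
interval, and GitHub API traffic from script hosts. All telemetry below is
constructed sample data; field names are an assumed, simplified schema.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
GITHUB_API_HOSTS = {"api.github.com", "raw.githubusercontent.com"}

# Constructed process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass "
                "-EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"pid": 5002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -ep bypass -c "iex (gc $env:APPDATA\\u.ps1 -Raw)"'},
    {"pid": 6100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},  # benign admin use
]

# Constructed scheduled-task definitions; "interval" is an ISO 8601 duration as Task Scheduler stores it.
SCHEDULED_TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe", "args": "-c -h -o -$", "interval": "P1W"},
    {"name": r"\WindowsUpdateCheck",  # placeholder lookalike name, constructed for the sample
     "action": "powershell.exe", "args": "-WindowStyle Hidden -File C:\\Users\\Public\\u.ps1",
     "interval": "PT30M"},
    {"name": r"\Backup\Nightly",
     "action": "powershell.exe", "args": "-File C:\\Scripts\\backup.ps1", "interval": "P1D"},
]

# Constructed per-process network events (e.g. from a TLS-inspecting proxy joined to process telemetry).
NETWORK_EVENTS = [
    {"pid": 5002, "image": "powershell.exe", "host": "api.github.com", "method": "PUT",
     "path": "/repos/EXAMPLE-USER/EXAMPLE-REPO/contents/logs/HOST-01.txt"},
    {"pid": 5002, "image": "powershell.exe", "host": "api.github.com", "method": "GET",
     "path": "/repos/EXAMPLE-USER/EXAMPLE-REPO/contents/tasks/cmd.txt"},
    {"pid": 7000, "image": "git.exe", "host": "api.github.com", "method": "GET",
     "path": "/repos/EXAMPLE-ORG/tooling"},  # developer workstation, benign
    {"pid": 8000, "image": "chrome.exe", "host": "github.com", "method": "GET", "path": "/"},
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
EXEC_BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE)
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
INVOKE_EXPR = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)
_DURATION = re.compile(
    r"^P(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def duration_minutes(iso):
    """Convert an ISO 8601 duration such as PT30M or P1W to minutes; None if unparseable."""
    m = _DURATION.match(iso)
    if not m:
        return None
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return g["w"] * 7 * 24 * 60 + g["d"] * 24 * 60 + g["h"] * 60 + g["m"] + g["s"] / 60


def powershell_flags(cmdline):
    """Evasion-style switches present in one PowerShell command line (short and long forms)."""
    checks = {"hidden_window": HIDDEN_WINDOW, "execution_policy_bypass": EXEC_BYPASS,
              "encoded_command": ENCODED, "invoke_expression": INVOKE_EXPR}
    return {name for name, rx in checks.items() if rx.search(cmdline)}


def suspicious_powershell(events, min_flags=2):
    """PID -> flags for launches carrying at least `min_flags` evasion switches; one flag alone is noisy."""
    result = {}
    for e in events:
        flags = powershell_flags(e["cmdline"])
        if len(flags) >= min_flags:
            result[e["pid"]] = flags
    return result


def hidden_powershell_tasks(tasks, max_interval_minutes=60):
    """Task names that relaunch a script host in a hidden window on a short repeat interval."""
    hits = []
    for t in tasks:
        image = t["action"].rsplit("\\", 1)[-1].lower()
        minutes = duration_minutes(t["interval"])
        if (image in SCRIPT_HOSTS and HIDDEN_WINDOW.search(t["args"])
                and minutes is not None and minutes <= max_interval_minutes):
            hits.append(t["name"])
    return hits


def github_api_from_script_hosts(events):
    """(pid, kind) for GitHub API traffic whose source image is a script host, not a browser or git.
    A PUT to a /contents/ path is the repository-upload pattern the article describes."""
    hits = []
    for e in events:
        if e["host"] in GITHUB_API_HOSTS and e["image"].lower() in SCRIPT_HOSTS:
            upload = e["method"] == "PUT" and "/contents/" in e["path"]
            hits.append((e["pid"], "contents_upload" if upload else "api_access"))
    return hits


def correlate(process_events, net_events):
    """Merge per-PID indicators; a PID with both launch flags and GitHub API traffic is the strongest signal."""
    findings = defaultdict(set)
    for pid, flags in suspicious_powershell(process_events).items():
        findings[pid] |= flags
    for pid, kind in github_api_from_script_hosts(net_events):
        findings[pid].add("github_" + kind)
    return {pid: sorted(v) for pid, v in findings.items()}


if __name__ == "__main__":
    for pid, indicators in correlate(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(f"pid {pid}: {', '.join(indicators)}")
    for name in hidden_powershell_tasks(SCHEDULED_TASKS):
        print(f"task {name}: hidden script host, repeat interval <= 60 min")
```

Requiring two or more switches per launch, and joining network events to the originating process image, keeps ordinary administrative PowerShell and developer git traffic out of the results; the interval threshold is deliberately generous so the check is not tied to the exact 30-minute cadence reported here.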
Source: The Hacker News - DPRK-Linked Hackers Use GitHub as C2 in Multi-Stage Attacks