According to researchers at Trellix, foreign embassies in South Korea have been the target of a sophisticated, ongoing espionage campaign since March. The attackers have launched at least 19 spear-phishing attacks against high-value targets, including diplomatic missions, using carefully crafted email lures. This campaign, which deploys the powerful XenoRAT malware, is designed to infiltrate and exfiltrate sensitive information from compromised systems. While initial analysis of the tactics and infrastructure points to a North Korean threat group known as Kimsuky (APT43), certain indicators, such as attacker activity times and holiday schedules, suggest potential involvement from China-based operatives. This blurring of lines between known threat actors highlights the increasingly complex nature of state-sponsored cyber operations.
The espionage campaign is a multi-stage operation that has evolved over time, using different thematic lures to entice victims. The attacks unfolded in three distinct phases between March and July. The initial phase began with probing in March, targeting a Central European embassy with a more generalized lure. By May, the threat actor had shifted to more complex diplomatic lures, with one email impersonating a high-ranking EU official to invite a Western European embassy to a “Political Advisory Meeting.” The campaign further adapted in June and July, adopting themes related to the U.S.-Korea military alliance and targeting European embassies in Seoul with fake meeting invites, official letters, and event invitations.
A key element of the campaign’s success is the attackers’ use of highly contextual and personalized social engineering. The email lures were not only timely, often coinciding with real-world events, but also multilingual, written in Korean, English, Persian, Arabic, French, and Russian to appeal to a wide range of targets. To bypass email protection systems, the attackers consistently delivered their malicious payloads via password-protected ZIP archives. These archives were hosted on common cloud storage platforms like Dropbox, Google Drive, or the South Korean service Daum, making them appear less suspicious to security filters and relying on the victim to enter the password provided in the email.
The delivery method is a crucial part of the attack chain. Once a victim opens the password-protected archive, they are presented with a file disguised as a PDF document. However, this is actually a malicious .LNK shortcut file. When launched, the .LNK file executes a series of commands, triggering obfuscated PowerShell code. This script then connects to a GitHub repository or Dropbox account to retrieve the XenoRAT payload. The malware then establishes persistence on the infected system by creating a scheduled task, ensuring it survives system reboots and continues its malicious activities.
The ultimate objective of the campaign is to deploy XenoRAT, a powerful and stealthy remote access trojan (RAT). Once installed, XenoRAT grants the attackers extensive control over the compromised computer. Its capabilities include keystroke logging, capturing screenshots, accessing the webcam and microphone, transferring files, and executing remote shell operations. Trellix researchers noted that XenoRAT is loaded directly into memory via reflection and is heavily obfuscated with Confuser Core 1.6.0. This combination of in-memory execution and code obfuscation makes it difficult for traditional security tools to detect and analyze, allowing the attackers to maintain a covert presence on the breached diplomatic systems for ongoing espionage.
Reference:
