
"The threat actor used two Facebook accounts with their location set to Pyongyang and Pyongsong, North Korea, to identify and screen targets."
"Central to the attack is the use of what the GSC describes as pretexting, a tactic where the threat actors aim to trick unsuspecting users into installing a dedicated PDF viewer."
"Another significant aspect of the campaign is that it utilizes legitimate but compromised infrastructure for command-and-control (C2), weaponizing the website associated with the Seoul arm of a Japanese real estate information service."
"This is assessed as a highly evasive strategy that combines legitimate software tampering, abuse of a legitimate website, and file extension masquerading."
APT37, a North Korean hacking group, has launched a multi-stage social engineering campaign using Facebook to target individuals. The group created two accounts to build trust with potential victims before moving conversations to Messenger. They employed pretexting to convince users to install a tampered PDF viewer, which executes malicious code. The campaign also leverages compromised infrastructure for command-and-control, using a legitimate website to issue commands. The payload disguises itself as a harmless JPG image, showcasing a sophisticated evasion strategy.
Read at The Hacker News