BleepingComputer reports that novel download request filtering techniques have been implemented by North Korean threat group Kimsuky since the beginning of the year in an effort to restrict malicious payload downloads to their targets alone.
Kaspersky researchers observed the technique in phishing attacks against North and South Korean politicians, diplomats, and journalists. The emails redirected victims to a first-stage command-and-control server that checked certain request parameters before any later-stage payload was served. Among those payloads is a VBS file that fetches further downloads only for victims the server has judged to be valid targets, the report showed.
"Interestingly, this C2 script generates a blog address based on the victim's IP address. After calculating the MD5 hash of the victim's IP address, it cuts off the last 20 characters and turns it into a blog address. The authors' intent here is to operate a dedicated fake blog for each victim, thereby decreasing the exposure of their malware and infrastructure," said Kaspersky.
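The per-victim address derivation described above can be reproduced by a defender to hunt for the corresponding hostnames in proxy or DNS logs. The following is an added example, not code from Kaspersky or from the Kimsuky script. It assumes that "cuts off the last 20 characters" means the first 12 hex characters of the 32-character MD5 digest are kept (the alternative reading, keeping the trailing characters, is available via the take_last flag), and the blog platform domain blogplatform.example is a placeholder, since the report quoted here does not name it. The egress IPs and observed hostnames are constructed sample data.

```python
import hashlib
import ipaddress

# Hypothetical blog platform domain: the real platform is not named in the quoted report.
BLOG_DOMAIN = "blogplatform.example"


def md5_hex(data: str) -> str:
    """Hex MD5 digest of an ASCII string (32 hex characters)."""
    return hashlib.md5(data.encode("ascii")).hexdigest()


def victim_blog_label(ip: str, keep: int = 12, take_last: bool = False) -> str:
    """Derive the per-victim label from the victim's IP address.

    Assumed reading of the report: MD5 the IP, drop the last 20 hex characters,
    i.e. keep the first 12. take_last=True keeps the trailing characters instead,
    in case the phrase meant the opposite.
    """
    ipaddress.ip_address(ip)  # raise ValueError on anything that is not an IP
    digest = md5_hex(ip)
    return digest[-keep:] if take_last else digest[:keep]


def victim_blog_host(ip: str, take_last: bool = False) -> str:
    """Full hostname a victim at this IP would be sent to (placeholder domain)."""
    return f"{victim_blog_label(ip, take_last=take_last)}.{BLOG_DOMAIN}"


def hunt(egress_ips, observed_hosts):
    """Map observed hostnames back to the egress IP they were derived from.

    A defender knows their organisation's public egress IPs; any hostname in the
    logs that equals the derived label for one of them is a strong indicator.
    Both readings of the derivation are checked.
    """
    expected = {}
    for ip in egress_ips:
        expected[victim_blog_host(ip)] = ip
        expected[victim_blog_host(ip, take_last=True)] = ip
    return {host: expected[host] for host in observed_hosts if host in expected}


# Constructed sample data: two documentation-range egress IPs and a handful of
# hostnames as they might appear in a proxy log, one of them the derived host.
EGRESS_IPS = ["203.0.113.10", "198.51.100.7"]
OBSERVED_HOSTS = [
    "cdn.example.net",
    victim_blog_host("203.0.113.10"),
    "updates.example.org",
]

if __name__ == "__main__":
    for ip in EGRESS_IPS:
        print(ip, "->", victim_blog_host(ip))
    print("hits:", hunt(EGRESS_IPS, OBSERVED_HOSTS))
```

Because the label is a deterministic function of the source IP, the same check can be run in reverse over passive DNS for the blog platform: a label that matches the MD5 prefix of a known organisation's egress address identifies that organisation as the intended victim, which is exactly the exposure the attackers were trying to limit.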
Because PIXHELL needs no specialized audio equipment on the victim's side, threat actors could deliver the malware through social engineering or a software supply chain attack; once running, it establishes an acoustic covert channel and uses it to exfiltrate data.
The Free Russia Foundation suspects the Russian state-sponsored threat group Coldriver of being behind the intrusion, which targeted several entities to exfiltrate internal documents, grant reports, and other correspondence in retaliation against pro-democracy Russians.
Clusters Alpha, Bravo, and Charlie operated concurrently, handling target infiltration and reconnaissance, network compromise, and data exfiltration, respectively.