
North Korea's TA406 Targets Ukraine for Intel
May 13, 2025
North Korea-backed threat group TA406 is targeting government agencies in Ukraine in an apparent effort to collect intelligence on the country's continued desire and ability to fight back against Russia's invasion.
The campaign appears to be aimed at helping Pyongyang assess the risk to North Korean personnel already deployed in Ukraine alongside Russian forces, and to gauge the likelihood of future requests from Moscow for additional military support, according to a new report from Proofpoint.
- targeting political information to gauge Ukraine's resolve in the conflict and to help North Korean stakeholders assess whether additional troop support may be requested by Moscow.
Lesnewich adds that Proofpoint is not aware of any other North Korean intrusion clusters currently targeting the same entities or conducting similar operations.
But otherwise, the group's tactics, techniques, and procedures in the Ukraine attacks align closely with those observed in its more recent campaigns and involve both malware distribution and credential harvesting from target networks.
In the attacks that Proofpoint observed in Ukraine, TA406 actors sent phishing emails to targeted individuals from a fictitious senior fellow belonging to a fake think tank called the "Royal Institute of Strategic Studies." The phishing emails often contained a link to a password-protected archive called AnalyticalReport.rar, hosted on the MEGA file hosting service.
- If the target opened the RAR file, it unpacked a Compiled HTML Help (CHM) file with HTML files inside that showed fake content about Ukrainian military leader Valeriy Zaluzhnyi.
- If the intended victim clicked on the page, it ran a PowerShell script that connected to a malicious website to download and run additional malicious code.
- When targets didn't bite right away, TA406 followed up with pushy emails asking if they'd seen the message and urging them to download the file.
Later Stage PowerShell Scripts
The next-stage PowerShell scripts that Proofpoint observed TA406 using in the Ukraine campaign profiled the victim's computer by running commands such as "ipconfig /all" to collect network information and "systeminfo" to collect system details. The script also used other commands to enumerate recent files and disk information, and queried Windows Management Instrumentation (WMI) to check for installed antivirus software. The malicious code then bundled all the data harvested from the affected system, encoded it in Base64, and sent it to an attacker-controlled website. Finally, the PowerShell script created a new file called "state.bat" in the computer's APPDATA folder and configured it to run automatically every time the compromised system started, thereby maintaining persistence.
In some cases, Proofpoint observed TA406 including an HTML file directly in the initial phishing email. The file contained a link that, if clicked, triggered the download of a zip archive from a TA406-controlled site. The archive contained a benign PDF alongside a malicious shortcut file (LNK) named "Why Zelenskyy fired Zaluzhnyi.lnk." When opened, the LNK file ran a hidden PowerShell script that set up a scheduled task to launch a JavaScript file. That script contacted an attacker-controlled site for further instructions, which it would then execute using PowerShell. Proofpoint could not see what happened next because the final payload was unavailable during its analysis, the security vendor said.
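The two delivery chains (CHM and LNK) and the recon-then-persistence behaviour described above translate directly into host-based detection logic. The following is an added example written for this page, not code from Proofpoint's report or from TA406's tooling: a small rule set evaluated over constructed, hypothetical process-creation events in the shape of Sysmon Event ID 1 records. The host names, user names, file paths and command lines are made up, the rule names are invented here, and the use of the WMI `AntiVirusProduct` class for the antivirus check is an assumption about how "check for antivirus software using WMI" would look in telemetry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (the fields a Sysmon Event ID 1 carries)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\hh.exe' -> 'hh.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


POWERSHELL = ("powershell.exe", "pwsh.exe")
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
STATE_BAT_IN_APPDATA = re.compile(r"\\AppData\\[^\s\"']*state\.bat", re.IGNORECASE)

# Each rule maps one behaviour from the article to a predicate over a single event.
RULES = {
    # CHM opened through HTML Help (hh.exe) spawning PowerShell: first delivery chain
    "chm_launches_powershell": lambda e: basename(e.parent_image) == "hh.exe"
    and basename(e.image) in POWERSHELL,
    # LNK double-clicked in Explorer starting a hidden PowerShell: second delivery chain
    "explorer_launches_hidden_powershell": lambda e: basename(e.parent_image) == "explorer.exe"
    and basename(e.image) in POWERSHELL
    and HIDDEN_WINDOW.search(e.command_line) is not None,
    # host recon commands named in the report
    "host_recon_command": lambda e: any(
        tok in e.command_line.lower() for tok in ("ipconfig /all", "systeminfo")),
    # antivirus check via WMI; the AntiVirusProduct class is an assumption for this sample
    "wmi_av_enumeration": lambda e: "antivirusproduct" in e.command_line.lower(),
    # persistence artifact: state.bat anywhere under the user's APPDATA tree
    "appdata_state_bat": lambda e: STATE_BAT_IN_APPDATA.search(e.command_line) is not None,
    # scheduled task created to run a JavaScript file through the Windows script host
    "schtasks_runs_script_host": lambda e: basename(e.image) == "schtasks.exe"
    and "/create" in e.command_line.lower()
    and ("wscript" in e.command_line.lower() or ".js" in e.command_line.lower()),
}


def evaluate(events):
    """Return {host: set of rule names that fired on that host}."""
    hits = defaultdict(set)
    for e in events:
        for name, matches in RULES.items():
            if matches(e):
                hits[e.host].add(name)
    return dict(hits)


def flagged_hosts(events, min_rules: int = 2):
    """Hosts on which at least `min_rules` distinct behaviours fired. A lone
    'ipconfig /all' from an administrator is noise; the chain is the signal."""
    return sorted(h for h, rules in evaluate(events).items() if len(rules) >= min_rules)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry; hosts, users and paths are made up for this example.
SAMPLE_EVENTS = [
    # WS-01: CHM-delivered chain, host recon, WMI AV check, and the APPDATA state.bat autorun
    ProcEvent("WS-01", r"C:\Windows\hh.exe", PS,
              r"powershell.exe -w hidden -ep bypass -File C:\Users\alice\AppData\Local\Temp\a.ps1"),
    ProcEvent("WS-01", PS, CMD, "cmd.exe /c ipconfig /all"),
    ProcEvent("WS-01", PS, CMD, "cmd.exe /c systeminfo"),
    ProcEvent("WS-01", PS, PS,
              r'powershell.exe -c "Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"'),
    ProcEvent("WS-01", EXPLORER, CMD, r'cmd.exe /c "C:\Users\alice\AppData\Roaming\state.bat"'),
    # WS-02: ordinary administrator activity with a single recon-looking command
    ProcEvent("WS-02", EXPLORER, CMD, "cmd.exe /c ipconfig /all"),
    ProcEvent("WS-02", EXPLORER, PS, "powershell.exe -NoProfile -Command Get-ChildItem"),
    # WS-03: LNK-delivered chain: hidden PowerShell from Explorer, task set up to run a .js file
    ProcEvent("WS-03", EXPLORER, PS,
              r"powershell.exe -WindowStyle Hidden -File C:\Users\bob\AppData\Local\Temp\r.ps1"),
    ProcEvent("WS-03", PS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe C:\Users\bob\AppData\Roaming\u.js"'),
]


if __name__ == "__main__":
    for host, rules in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The per-event rules are deliberately narrow and the alerting decision is made per host: WS-02 trips only the recon rule and stays quiet, while WS-01 and WS-03 each show a delivery-chain rule combined with recon, the WMI AV check, the state.bat artifact or the scheduled-task persistence, which is the combination worth investigating. In production the same predicates would run against Sysmon or EDR process telemetry rather than the inline sample.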
As part of the same campaign, TA406 also sent fake Microsoft security alerts from Proton Mail email accounts to Ukrainian government targets. The emails warned recipients about unusual login attempts to their accounts from different IP addresses and urged them to verify the activity by clicking on a link. Users who followed the instructions landed on a credential-harvesting site.
"North Korea committed troops to assist Russia in the fall of 2024, and TA406 is very likely gathering intelligence to help North Korean leadership determine the current risk to its forces already in the theater," Lesnewich and fellow Proofpoint researchers Saher Naumaan and Mark Kelly wrote in the report.
Proofpoint has not observed TA408 or TA427 directly target Ukrainian entities, Lesnewich says. "Proofpoint has observed TA427 take interest in information about Ukraine since before Russia commenced its invasion, but it has always targeted Western entities to gather such information," he adds.
TA406 has been active since at least 2012 and is known for using both malware and credential-harvesting tactics to break into target networks and gather information of interest to its North Korean handlers. In addition to living-off-the-land techniques, TA406 is associated with several malware tools, including Konni, Sanny, BabyShark, and Amadey. Most recently, researchers at Securonix spotted members of the umbrella group using fake work logs, crypto files, and insurance documents to trick users in South Korea into downloading a malicious shortcut file that harvested system information and executed PowerShell scripts.