
Hacker Group Using Facebook Messenger to Deliver Malware

Fictitious Facebook accounts are being used to target individuals via Messenger, ultimately delivering malware

CYBER SYRUP

The North Korea-linked Kimsuky hacking group has recently been linked to a sophisticated social engineering attack that utilizes fictitious Facebook accounts to target individuals via Messenger, ultimately delivering malware. This new method highlights the evolving tactics of cybercriminals and underscores the importance of vigilance in the digital age.

Details of the Attack

Genians, a South Korean cybersecurity company, reported that Kimsuky created fake Facebook accounts posing as public officials in the North Korean human rights field. This multi-stage attack campaign targets activists involved in North Korean human rights and anti-North Korea sectors. Unlike traditional email-based spear-phishing, this approach leverages Facebook Messenger to approach targets and trick them into opening seemingly legitimate documents.

The decoy documents are hosted on OneDrive and are disguised as Microsoft Common Console (MSC) documents. These files appear to be essays or content related to a trilateral summit between Japan, South Korea, and the U.S., with filenames such as "My_Essay(prof).msc" or "NZZ_Interview_Kohei Yamamoto.msc". Because MSC files are rarely used as lures, they help the attackers evade detection.

When a victim opens the MSC file and consents to running it in Microsoft Management Console (MMC), the console displays a Word document as a decoy while the attack sequence begins. This involves connecting to an adversary-controlled server and executing additional instructions to establish persistence and collect information such as battery status and running processes.

The collected data is then exfiltrated to a command-and-control (C2) server, which can also harvest IP addresses, User-Agent strings, and timestamps from HTTP requests, delivering relevant payloads as necessary.
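The defensive angle on the chain above is that a lure arriving as an .msc file is executed by mmc.exe, so process-creation telemetry can flag consoles opened from user-writable paths and any shell mmc.exe goes on to spawn. The following triage script is an added example, not code from the article or from Genians' report; the event format, field names and sample events are constructed and hypothetical, and the heuristics are starting points that should be tuned against a real baseline.

```python
"""Heuristic triage of process-creation events for an MSC-via-MMC lure.

Assumption (not from the article): events are key=value records resembling an
EDR or Sysmon process-creation feed. Field names are hypothetical.
"""
import re

# Constructed sample events, not real telemetry. The lure filename reuses the
# one named in the article; the user name and PIDs are made up.
SAMPLE_EVENTS = [
    'pid=4100 ppid=812 image=C:\\Windows\\System32\\mmc.exe cmdline="mmc.exe C:\\Users\\kim\\Downloads\\My_Essay(prof).msc"',
    'pid=4188 ppid=4100 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -w hidden -nop"',
    'pid=5020 ppid=812 image=C:\\Windows\\System32\\mmc.exe cmdline="mmc.exe C:\\Windows\\System32\\eventvwr.msc"',
    'pid=5100 ppid=812 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" cmdline="WINWORD.EXE notes.docx"',
]

# Directories a user (or a OneDrive download) can write to; admin consoles
# legitimately live under System32, not here.
USER_WRITABLE = re.compile(r"\\(Users|Temp|OneDrive|Downloads)\\", re.IGNORECASE)
# Interpreters that an administrative console has no routine reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}


def parse_event(line):
    """Split one key=value record into a dict; quoted values may contain spaces."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(lines):
    """Return (pid, reason) pairs for events matching either heuristic."""
    events = [parse_event(line) for line in lines]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Heuristic 1: mmc.exe opening a .msc console from a user-writable path.
        if (basename(e["image"]) == "mmc.exe" and ".msc" in e["cmdline"].lower()
                and USER_WRITABLE.search(e["cmdline"])):
            findings.append((e["pid"], "mmc.exe opened a .msc from a user-writable path"))
        # Heuristic 2: mmc.exe acting as parent of a script host or shell.
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "mmc.exe" and basename(e["image"]) in SUSPICIOUS_CHILDREN:
            findings.append((e["pid"], "mmc.exe spawned " + basename(e["image"])))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

On the constructed sample, only the lure console (pid 4100) and the PowerShell it spawns (pid 4188) are reported; the legitimate Event Viewer console and Word are not.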

The Dangers of Social Engineering Hacks Using Facebook and Messenger

Social engineering attacks that utilize platforms like Facebook and Messenger present significant dangers. These platforms are widely used and trusted by billions of people worldwide, making them attractive targets for cybercriminals. The personalized nature of these attacks makes them particularly effective and difficult to detect.

  1. Targeting Specific Individuals: Hackers can tailor their approach to exploit the trust and familiarity inherent in social media interactions. By impersonating a legitimate individual or organization, attackers can more easily deceive their targets.

  2. Data Theft and Surveillance: Once an attacker gains access, they can steal sensitive information, monitor communications, and gather data that can be used for further exploitation or sold on the dark web.

  3. Spreading Malware: By tricking users into downloading malicious documents or software, attackers can infect systems with malware, including ransomware, which can lock out users from their data or systems until a ransom is paid.

  4. Evasion of Detection: Personalized, one-on-one attacks via social media are harder for traditional security monitoring systems to detect, and they are often not reported externally even when the victim realizes they have been targeted.

Who Is at Risk?

Individuals and organizations involved in sensitive sectors, such as human rights, political activism, journalism, and government, are at high risk. Activists, researchers, and public officials are prime targets for these sophisticated social engineering attacks. However, anyone using social media platforms like Facebook is potentially vulnerable.

How to Protect Yourself

  1. Be Skeptical of Unsolicited Messages: Be cautious when receiving unexpected messages, especially those asking to download files or click on links. Verify the sender's identity through other means before engaging.

  2. Enable Security Features: Use security settings available on social media platforms, such as two-factor authentication (2FA), to add an extra layer of protection.

  3. Keep Software Updated: Ensure that all your devices and applications are up to date with the latest security patches to protect against known vulnerabilities.

  4. Educate and Train: Regularly educate yourself and your organization about the latest social engineering tactics and how to recognize them. Training can significantly reduce the risk of falling victim to these attacks.

  5. Monitor for Unusual Activity: Keep an eye on your accounts for any unusual activity, such as unexpected login attempts or changes to account settings.

  6. Use Antivirus and Anti-Malware Tools: Employ reputable security software to detect and prevent malware infections.

Conclusion

The evolving landscape of cyber threats, exemplified by Kimsuky's use of Facebook and Messenger for social engineering attacks, highlights the critical need for increased awareness and proactive measures. By understanding the risks and adopting robust security practices, individuals and organizations can better protect themselves against these sophisticated attacks.