Malware

The North Korean APT group has leveraged a custom RDP Wrapper and new malware called forceCopy in recent campaigns.

Attacks commenced with the delivery of phishing emails with a Dropbox link that downloads a ZIP archive containing an internet shortcut file with a TryCloudflare URL that fetches an LNK file for further compromise, a report from Forcepoint X-Labs showed.

After luring targets into providing their curriculum vitae or GitHub link for fake cryptocurrency, finance, or travel job offers, attackers proceed to share a malicious repository with the project's "minimum viable product," which executes nefarious code eventually resulting in the deployment of stealer malware that targets Windows, macOS, and Linux systems.

While infostealers are often seen as less dangerous compared with trojans, they can exfiltrate sensitive data, leading to data breaches.

Aside from the Banshee, CloudChat, PyStealer, and Poseidon payloads that focus on cryptocurrency wallet theft, Macs have also been subjected to attacks with the NotLockBit ransomware and the North Korea-linked SpectralBlur implant, according to a report from Apple cybersecurity researcher Patrick Wardle.

This campaign primarily targets finance, accounting, and sales professionals, aiming to steal sensitive data.

Initial network appliance compromise and operation under root privileges will be verified before the deployment of the "libssdh.so" SSH library for data exfiltration and command-and-control communications and the "mainpasteheader" and "selfrecoverheader" binaries for persistence, an investigation from Fortinet FortiGuard Labs revealed.

New malware strain a continuation of the North Korean Contagious Interview job lure campaign first described last December.