North Korea’s notorious hacker group Kimsuky recently attempted a cyber attack in South Korea while impersonating a high-ranking U.S. official.
On Tuesday, cybersecurity firm Genians revealed that it had observed evidence of a spear-phishing attack in South Korea that happened this past March in an article titled “Analysis of the Threat Case of Kimsuky Group using ClickFix tactic.”
The ClickFix tactic, first introduced by U.S. security firm Proofpoint in April 2022, is a deceptive method that lures victims into actively participating in the attack chain.
This tactic typically involves displaying fake error messages when users visit specific websites, then tricking them into executing malicious commands under the guise of providing solutions.
Genians described this as a “psychological disruption tactic,” where users unknowingly execute malicious commands step by step after being deceived by false messages.
It is believed that Kimsuky learned and adapted the ClickFix tactic from publicly available case studies.
In this recent cyber attack attempt, Kimsuky operatives posed as an aide to a senior U.S. national security official.
The hackers approached targets by inquiring about their availability for a meeting with the purported U.S. official during an upcoming visit to South Korea. When recipients confirmed their attendance, the attackers sent an attachment claiming to contain a list of discussion topics. This attachment included a malicious file named “Code.txt” alongside seemingly legitimate documents.
Genians noted that while previous ClickFix tactics typically prompted users to click buttons to resolve fake errors, Kimsuky modified the approach. They asked recipients to copy and paste an authentication code to access a document that was supposedly secure.
Unsuspecting recipients who interact with the “Code.txt” file risk falling victim to a cyberattack.
Additional instances of ClickFix tactics have been reported using cleverly disguised fake websites, such as those imitating defense research recruitment portals. These sites display pop-up windows that, if followed, trick users into installing malware that grants hackers remote access to the victim’s computer.
Interestingly, the ClickFix message windows used by Kimsuky contained North Korean IT terminology, such as “directive” and “system information.”
Genians reported that the compromised IP addresses included not only South Korean locations but also numerous foreign IP addresses.
To mitigate similar threats, Genians emphasized the importance of studying real-world attack scenarios and maintaining ongoing cybersecurity training. The firm also emphasized the crucial role of proactive anomaly detection through Endpoint Detection and Response (EDR) solutions in enhancing endpoint security.