In recent attacks against organizations that use the Zeplin collaboration platform, a Korean threat actor known as Higaisa relied on malicious LNK files to compromise its targets.
Active since at least 2016 and affiliated with the Korean peninsula, the hacking group was first described last year. The actor, believed to be state-sponsored, was observed using Trojans such as Gh0st and PlugX, among others, to target government officials and human rights organisations.
The hackers have launched multi-stage attacks over the past several weeks, using malicious shortcut (LNK) files and delivering decoy PDF documents, malicious scripts, and payloads.
The LNK file was included in an archive likely to be spread through spear-phishing, with two different versions of the attack being detected between May 12 and May 31, containing the archive files “Project connect and New copyright policy.rar” and “CV Colliers.rar.”
Only the former targets product teams that use Zeplin. The archive contains two LNK files and a PDF document, all of which refer to Zeplin.
The threat actor prepared the first attack at least one week before launch, by creating a decoy PDF file on May 5, followed by creating additional files used in the attack, according to security researchers at Prevailion.
The malicious LNK file was created on May 11, the same day the intended victims began to receive the trojanized RAR file. The “Project connect and New copyright policy.rar” archive was first submitted to VirusTotal the next day, and on May 16 the domain used in the attack stopped resolving.
The second attack, which began on May 30, switched to a malicious curriculum vitae (CV) impersonating a Hong Kong-based college student named “Wang Lei,” the security researchers say.
Malwarebytes too observed the attacks, explaining that in this operation, the LNK files were configured to execute the same commands Anomali described in a March report describing COVID-19 attacks.
All the attacks appear to be associated with Higaisa and show the ability of the threat actor to tailor their attacks based on current events: the hackers began to leverage not only the increased interest in the COVID-19 crisis, but also the increased adoption of collaborative tools to facilitate work from home (WFH) during the pandemic.
“By analyzing the individual elements of this campaign, we have noted a number of correlations with the reporting of prior threat actors. […] On the basis of all the information available, we are highly confident that this campaign was carried out by the same actors in charge of the Coronavirus, Covid-19, the thematic campaign in March,” said Prevailion researchers.
Based on Google Trends data, Prevailion found that the Zeplin app targeted at the beginning of May was of interest mainly in the United States, the United Kingdom and India, which could be a hint as to the targeted entities.