A Korean threat actor known as Higaisa has been employing malicious LNK files in recent attacks targeting organizations that use the Zeplin collaboration platform.
Active since at least 2016, the hacking group was first detailed last year, when it was associated with the Korean peninsula. The actor, believed to be state-sponsored, was observed using Trojans such as Gh0st and PlugX to target government officials and human rights organizations, among others.
Over the past several weeks, the hackers launched multi-stage attacks that employed malicious shortcut (LNK) files and resulted in the delivery of decoy PDF documents, malicious scripts, and payloads.
The LNK file was included in an archive likely distributed via spear-phishing, with two different versions of the attack observed between May 12 and May 31, featuring the “Project link and New copyright policy.rar” and “CV_Colliers.rar” archive files, respectively.
Only the former targets product teams that are using Zeplin. The archive contains two LNK files and a PDF document, all of them referencing Zeplin.
According to security researchers at Prevailion, the threat actor prepared the first attack at least one week before launch, by creating a decoy PDF file on May 5, followed by the creation of additional files used in the attack.
The malicious LNK file was created on May 11, the same day the intended victims started receiving the trojanized RAR file. The “Project link and New copyright policy.rar” archive was first submitted to VirusTotal the next day, while the domain used in the attack stopped resolving on May 16.
The second attack, which started on May 30, switched to the use of a malicious curriculum vitae (CV) impersonating a college student named “Wang Lei” from Hong Kong, the security researchers say.
Malwarebytes too observed the attacks, explaining that the LNK files in this campaign were designed to execute the same commands that were detailed by Anomali in a report describing COVID-19 attacks in March.
All of the attacks appear associated with Higaisa and show the threat actor’s ability to tailor its attacks based on current events: the hackers started leveraging not only the increased interest in the COVID-19 crisis, but also the increased adoption of collaboration tools to facilitate working from home (WFH) during the pandemic.
“By analyzing individual elements of this campaign, we noted a number of correlations to prior threat actor reporting. […] Based upon the totality of available information, we assess with high confidence that this campaign was performed by the same actors responsible for the Coronavirus, Covid-19, themed campaign in March,” Prevailion’s researchers say.
Based on Google trends, Prevailion discovered that the Zeplin app that was targeted in early May was of interest in the United States, United Kingdom, and India, which could be a possible hint at the targeted entities.