A Korean threat actor known as Higaisa has been employing malicious LNK files in recent attacks targeting organizations that use the Zeplin collaboration platform.
Active since at least 2016, the hacking group was first detailed last year, when it was associated with the Korean peninsula. The actor, believed to be state-sponsored, was observed using Trojans such as Gh0st and PlugX to target government officials and human rights organizations, among others.
Over the past several weeks, the hackers launched multi-stage attacks that employed malicious shortcut (LNK) files and resulted in the delivery of decoy PDF documents, malicious scripts, and payloads.
The LNK file was included in an archive likely distributed via spear-phishing, with two different versions of the attack observed between May 12 and May 31, featuring the “Project link and New copyright policy.rar” and “CV_Colliers.rar” archive files, respectively.
Only the former targets product teams that are using Zeplin. The archive contains two LNK files and a PDF document, all of them referencing Zeplin.
According to security researchers at Prevailion, the threat actor prepared the first attack at least one week before launch, by creating a decoy PDF file on May 5, followed by the creation of additional files used in the attack.
The malicious LNK file was created on May 11, the same day the intended victims started receiving the trojanized RAR file. The “Project link and New copyright policy.rar” archi ..
Support the originator by clicking the read the rest link below.
