North Korea-Linked APT35 Launches Sophisticated Cyber Attack Campaign
A sophisticated cyber attack campaign has been uncovered, targeting government and military networks worldwide. The operation, attributed to North Korea-linked APT35, exploits a Microsoft Office and Outlook vulnerability to bypass security measures and steal user credentials.
The campaign, launched recently, employs custom-built malware to infiltrate secure networks. It begins with spear-phishing emails carrying HTML attachments that deploy a multi-stage payload. The infection mechanism involves a two-stage downloader, which assesses the victim's environment and halts execution if a recognised analysis sandbox is detected.
The malware exploits a vulnerability (CVE-2023-23397) in Microsoft Office and Outlook to bypass security measures. It masquerades as legitimate system processes and hooks into the Windows Security Support Provider Interface (SSPI) to capture hashed credentials in memory. Compromised credentials are relayed to the attacker's infrastructure, where hash-cracking and pass-the-hash techniques are used to unlock privileged accounts.
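For defenders, the practical check against CVE-2023-23397 is to look for mail items whose reminder sound path (the PidLidReminderFileParameter MAPI property) points at a remote host, since that is what the flaw turns into an outbound NTLM authentication. The Python below is an added example, not code from the report or from any vendor tool; the message records, hosts and paths are constructed, and a real scan would read the property from each mailbox item.

```python
import re

# Constructed sample records standing in for mailbox items. A real scan would
# read PidLidReminderFileParameter from each message, appointment and task.
SAMPLE_ITEMS = [
    {"id": "msg-1", "subject": "Weekly sync", "reminder_file": None},
    {"id": "msg-2", "subject": "Invoice", "reminder_file": r"\\10.0.0.5\share\chime.wav"},
    {"id": "msg-3", "subject": "Reminder", "reminder_file": r"C:\Windows\Media\notify.wav"},
    {"id": "msg-4", "subject": "Meeting", "reminder_file": r"\\evil.example\c$\x.wav"},
    {"id": "msg-5", "subject": "Hi", "reminder_file": "file://203.0.113.9/s/a.wav"},
]

# UNC form (\\host\share\...) is the documented trigger; the URL forms are
# flagged too as a conservative triage heuristic.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
URL_RE = re.compile(r"^(?:file|smb|webdav)://([^/\\]+)", re.IGNORECASE)


def remote_host(path):
    """Return the host a reminder path would make Outlook authenticate to, or None."""
    if not path:
        return None
    match = UNC_RE.match(path) or URL_RE.match(path)
    return match.group(1) if match else None


def find_suspicious(items):
    """Return (item id, remote host) pairs for every item with a remote reminder path."""
    hits = []
    for item in items:
        host = remote_host(item.get("reminder_file"))
        if host:
            hits.append((item["id"], host))
    return hits


def hosts_to_block(items):
    """Distinct remote hosts seen, for outbound SMB/445 blocking and NTLM log triage."""
    return sorted({host for _, host in find_suspicious(items)})


if __name__ == "__main__":
    for item_id, host in find_suspicious(SAMPLE_ITEMS):
        print(f"{item_id}: reminder path points at remote host {host}")
    print("hosts to block:", hosts_to_block(SAMPLE_ITEMS))
```

Items flagged this way should be removed from the mailbox, and the hosts compared against perimeter logs for outbound 445 connections around the delivery time.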
APT35, known for its growing sophistication, establishes a foothold in the target environment by downloading a PowerShell stager and fetching a primary credential-stealer module. This reflects the group's ability to embed within trusted processes and leverage native APIs to capture credentials without leaving overt artifacts. Multiple military communications network accounts have been compromised without triggering conventional intrusion detection systems.
The campaign highlights the evolving threat landscape, with state-sponsored actors like APT35 employing increasingly sophisticated tactics to target high-value networks. Security experts urge enhanced vigilance, regular patching, and robust defences against social engineering to mitigate such threats.