Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet using a new tactic
Microsoft Threat Intelligence has observed North Korean state actor Emerald Sleet (also known as Kimsuky and VELVET CHOLLIMA) using a new tactic: tricking targets into running PowerShell as an administrator and then pasting and running code provided by the threat actor.
Screenshot of registration link with instructions to run PowerShell and copy code provided by the threat actor.
To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a spear-phishing email with a PDF attachment.
To read the PDF file attached to the email, the target is lured to click a URL with instructions to register their device. The registration link has instructions to open PowerShell as an administrator and paste code provided by Emerald Sleet.
If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool, downloads a certificate file …