North Korean Hackers Target Pharma with Weaponized Excel Malware
Key Takeaways
- The North Korean Kimsuky hacking group is actively targeting pharmaceutical companies with a sophisticated malware campaign.
- Attackers are deploying a weaponized Windows shortcut (.lnk) file disguised as an Excel document to gain initial access.
- The malware establishes persistence through a scheduled task and uses Dropbox for command-and-control, exfiltrating system information.
- The campaign specifically targets the pharmaceutical sector, risking sensitive research data and patient records.
North Korean Kimsuky Group Deploys Weaponized Excel Malware Against Pharma Sector
The Kimsuky hacking collective, known to be state-sponsored by North Korea, has launched a new campaign specifically targeting prescription pharmaceutical companies. This operation utilizes a custom malware file, “White Life Science ERP Specification,” crafted to infiltrate these high-value organizations.
The attack vector relies on social engineering, leveraging a counterfeit Excel document to trick employees into unknowingly executing malicious code. This tactic grants the attackers covert access to the victim’s system, highlighting the continued efficacy of deceptive methods even against advanced threat actors.
Intricate Deception and Multi-Payload Delivery
The malware initially arrives as a file named White Life Science ERP Specification.lnk. This Windows shortcut file is meticulously disguised to appear identical to a legitimate Excel spreadsheet. When a user opens what they believe is a standard business document, a complex chain of hidden scripts is silently initiated in the background, leaving no immediate visible signs of compromise.
Analysts at Wezard4u meticulously analyzed this malware, uncovering that the .lnk file functions as a multi-payload container. It bundles a decoy Excel file, a PowerShell script, a JavaScript file, and a Windows Task Scheduler XML, all compressed within a single 23,079-byte shortcut. The attackers appear to be impersonating a legitimate prescription drug manufacturer, enhancing the credibility of the bait document for the intended targets.
Upon execution, PowerShell discreetly extracts and runs each component sequentially, effectively concealing the infection from the user. The complete execution flow progresses from the LNK file to an XML definition, then to a JavaScript file, and finally to a PowerShell script, making detection at any individual stage particularly challenging.
Strategic Targeting of Life Sciences
The broader implications of this campaign are significant due to its direct focus on the pharmaceutical sector—an industry rich in sensitive research data, confidential patient records, and proprietary drug formulations. Kimsuky has a documented history of targeting academic, government, and research institutions, and this latest campaign signals a clear expansion of their operational scope into the life sciences.
Should these attackers successfully establish a foothold, they could exfiltrate critical clinical trial data and intellectual property, or maintain long-term surveillance over internal communications. Security teams can use the following file identifiers for immediate detection: White Life Science ERP Specification.lnk, with an MD5 hash of 5c3bf036ab8aadddb2428d27f3917b86, a SHA-1 of e9c16aa2e322a65fc2621679ca8e7414ebcf89c0, and a SHA-256 of d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166.
Inside the Infection and Persistence Chain
The technical sophistication of this attack lies in its methods for concealing payloads and maintaining persistent access without triggering common security defenses. When the victim opens the deceptive Excel file, a lengthy command is executed via cmd.exe, invoking PowerShell through the SysWOW64 path. This specifically launches the 32-bit version of PowerShell on a 64-bit Windows system, a known technique to bypass certain security monitoring tools that may only observe 64-bit processes.
The PowerShell script proceeds to decode the embedded payloads, which are obfuscated with a single-byte XOR key (0xC7). These payloads are then dropped into a hidden directory named C:\sysconfigs, intentionally chosen to mimic a legitimate Windows system directory. Two primary files are saved: opakib.ps1, serving as the main PowerShell payload, and copa08o.js, a JavaScript launcher.
To ensure persistence, the JavaScript file is registered as a scheduled task, cleverly named “Avast Secure Browser VPS Differential Update Ex.” This naming convention is designed to make the malicious task appear as a benign and trusted browser update process, further aiding its stealth.
Once active, opakib.ps1 establishes a connection to Dropbox utilizing its official API, effectively transforming the cloud storage service into a command-and-control (C2) server. The malware gathers critical victim information, including the domain name, username, operating system version, public IP address, and a list of running processes. This data is then encoded using RC4 and Base64 before being uploaded to Dropbox. Subsequently, the attacker can place custom command files within Dropbox, which the malware downloads and silently executes on the compromised machine.
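The two encoding layers the article describes (single-byte XOR 0xC7 on the dropped payloads, RC4 followed by Base64 on the beacon data) can be peeled off during triage with a few lines of code. The Python below is an added example written for this article; it is not code from the malware or from Wezard4u's analysis. The RC4 key, the key=value field layout of the beacon and the sample victim record are all constructed placeholders, since the article publishes none of them.

```python
import base64

XOR_KEY = 0xC7  # single-byte XOR key the article reports for the embedded payloads

# Placeholder: the real RC4 key used by opakib.ps1 is not published in the article.
PLACEHOLDER_RC4_KEY = b"placeholder-key"


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo a single-byte XOR layer (XOR is its own inverse, so this also encodes)."""
    return bytes(b ^ key for b in data)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation). Symmetric: one call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(plaintext: bytes, key: bytes) -> str:
    """Reproduce the upload format the article describes: RC4, then Base64."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(blob: str, key: bytes) -> bytes:
    """Reverse it: Base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


def parse_beacon(plaintext: bytes) -> dict:
    """Split key=value lines. The layout is a constructed assumption, not the malware's real format."""
    fields = {}
    for line in plaintext.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed victim record covering the data categories the article lists.
SAMPLE_INFO = (
    b"domain=CORP-PLACEHOLDER\n"
    b"user=analyst\n"
    b"os=Windows 10 Pro 22H2\n"
    b"public_ip=203.0.113.10\n"
    b"processes=explorer.exe,powershell.exe,wscript.exe\n"
)
# What such a record would look like on the wire under the placeholder key.
SAMPLE_BEACON = encode_beacon(SAMPLE_INFO, PLACEHOLDER_RC4_KEY)

if __name__ == "__main__":
    recovered = decode_beacon(SAMPLE_BEACON, PLACEHOLDER_RC4_KEY)
    for k, v in parse_beacon(recovered).items():
        print(f"{k:10} {v}")
    # The dropped-file layer: applying XOR 0xC7 twice returns the original bytes.
    print(xor_decode(xor_decode(b"Write-Host test")) == b"Write-Host test")
```

In practice the RC4 key is recovered from the decoded opakib.ps1 rather than guessed; once you have it, `decode_beacon` on a captured upload shows exactly which host details left the network, which is what an incident scope needs.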
What You Should Do
- Enable File Extension Visibility: Ensure that Windows settings are configured to always show file extensions, making it harder for .lnk files to be mistaken for legitimate Excel documents.
- Monitor PowerShell Execution: Implement robust monitoring and, where possible, restrictions on PowerShell execution, particularly through SysWOW64 paths, which can indicate attempts to bypass security controls.
- Audit Scheduled Tasks: Regularly review and audit Windows scheduled tasks for any unfamiliar or suspicious entries, especially those impersonating legitimate software updates.
- Flag Unusual Dropbox API Connections: Monitor corporate networks for unusual or unauthorized Dropbox API connections, which could indicate C2 activity.
- Deploy Indicator of Compromise (IoC) Hashes: Add the provided MD5, SHA-1, and SHA-256 file hashes to endpoint detection and response (EDR) platforms and other security tools to identify and quarantine infected systems promptly.
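To turn the recommendations above into something that runs over endpoint telemetry, the Python below is an added example written for this article, not a tool from HackersRadar or Wezard4u. It evaluates constructed, Sysmon-style event records against the behaviours the article describes: cmd.exe spawning the SysWOW64 PowerShell, a scheduled task whose action runs a script from outside Program Files or Windows, powershell.exe connecting to the Dropbox API, and the published file hashes. The event schema, the benign records and the user paths are assumptions; the hashes, task name, file names and the C:\sysconfigs directory come from the article.

```python
import re

# File hashes published in the article for "White Life Science ERP Specification.lnk".
IOC_HASHES = {
    "5c3bf036ab8aadddb2428d27f3917b86",                                  # MD5
    "e9c16aa2e322a65fc2621679ca8e7414ebcf89c0",                          # SHA-1
    "d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166",  # SHA-256
}
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
SYSWOW64_POWERSHELL = re.compile(r"\\syswow64\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
SCRIPT_PATH = re.compile(r'([a-z]:\\[^"\s]+\.(?:js|jse|vbs|ps1))', re.I)
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(?:program files(?: \(x86\))?|windows)\\", re.I)


def check_event(ev: dict) -> list:
    """Return the alert strings raised by one event (constructed schema, see SAMPLE_EVENTS)."""
    alerts = []
    kind = ev.get("type")
    if kind == "process":
        image, parent = ev.get("image", ""), ev.get("parent_image", "")
        if SYSWOW64_POWERSHELL.search(image) and parent.lower().endswith("\\cmd.exe"):
            alerts.append("cmd.exe launched 32-bit PowerShell through the SysWOW64 path")
    elif kind == "file":
        if {h.lower() for h in ev.get("hashes", [])} & IOC_HASHES:
            alerts.append(f"file hash matches a published IoC: {ev.get('path')}")
    elif kind == "task_created":
        # A real browser updater runs an executable from its own Program Files folder,
        # not a .js/.ps1 from an ad-hoc directory, whatever the task is called.
        for path in SCRIPT_PATH.findall(ev.get("action", "")):
            if not TRUSTED_DIRS.match(path):
                alerts.append(f"scheduled task '{ev.get('name')}' runs a script outside trusted directories: {path}")
    elif kind == "network":
        if (ev.get("dest_host", "").lower() in DROPBOX_API_HOSTS
                and ev.get("image", "").lower().endswith("\\powershell.exe")):
            alerts.append("powershell.exe is talking to the Dropbox API")
    return alerts


def scan(events) -> list:
    """Run every event through check_event; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


# Constructed sample telemetry: malicious-looking records interleaved with benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "path": r"C:\Users\analyst\Downloads\White Life Science ERP Specification.lnk",
     "hashes": ["d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166"]},
    {"type": "task_created", "name": "Avast Secure Browser VPS Differential Update Ex",
     "action": r"wscript.exe C:\sysconfigs\copa08o.js"},
    {"type": "task_created", "name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"},
    {"type": "network", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"[event {idx}] {alert}")
```

The hash match is the narrowest rule and will stop firing as soon as the attackers recompile the shortcut; the three behavioural rules (SysWOW64 PowerShell under cmd.exe, script-running scheduled tasks outside vendor directories, PowerShell reaching the Dropbox API) are the ones worth keeping in the SIEM, with an allow-list for any legitimate automation that genuinely uses the Dropbox API from PowerShell.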
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.