A state-sponsored espionage campaign is targeting foreign embassies in South Korea to deploy XenoRAT malware from malicious GitHub repositories.
According to Trellix researchers, the campaign has been running since March and is ongoing, having launched at least 19 spearphishing attacks against high-value targets.
Although infrastructure and techniques match the pllaybook of North Korean actor Kimsuky (APT43), there are signs that better match China-based operatives, the researchers say.
The source code for version 3 of the ERMAC Android banking trojan has been leaked online, exposing the internals of the malware-as-a-service platform and the operator’s infrastructure.
The code base was discovered in an open directory by Hunt.io researchers while scanning for exposed resources in March 2024.
They located an archive named Ermac 3.0.zip, which contained the malware’s code, including backend, frontend (panel), exfiltration server, deployment configurations, and the trojan’s builder and obfuscator.
The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software.
The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia, which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools.
“The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” researchers Jacob Santos, Ted Lee, Ahmed Kamal, and Don Ovid Ladore said.