Ongoing STARK#MULE Attack Campaign Discovered

Written by

Security researchers have uncovered an ongoing attack campaign dubbed STARK#MULE, which employs US military-related documents as lures to deliver malware through legitimate compromised websites. 

The campaign appears directed at Korean-speaking victims, possibly indicating an origin in North Korea, though this remains unconfirmed. 

“North Korea is one of several nations that are known to blur the lines between cyber-warfare, cyber-espionage, and cyber-criminal activity,” warned Mike Parkin, senior technical engineer at Vulcan Cyber.

“Given the geopolitical situation, attacks like this are one way they can lash out to further their political agenda without having a serious risk of it escalating into actual warfare.”

The lure documents, purportedly containing information about US Army/military recruitment resources, entice recipients to open the attached files, unknowingly activating the embedded malware.

According to an advisory published last Friday by Securonix, the entire malicious infrastructure of the STARK#MULE campaign is centered around legitimate Korean e-commerce websites that have been compromised. 

By leveraging these sites, the threat actors can blend in with regular traffic, evading detection while delivering malware stagers and maintaining full control over the victim’s system.

Read more on website security: #HowTo: Improve Your Website Security

The attack commences with a phishing email containing a zip file attachment. This file contains several nested zip files, one executing PowerShell code. This launches a series of events, including downloading further malware stagers and creating scheduled tasks for persistence.

The final payload communicates with a command-and-control (C2) server hosted on a compromised website. There, the attackers gather system details from the infected machine, using the MAC address as the set ID for subsequent commands.

“Bypassing system controls, evasion by blending in with legitimate e-commerce traffic, and gaining complete control on an earmarked target, all the while staying undetected, makes this threat noteworthy,” explained Mayuresh Dani, manager of threat research at Qualys.

“STARK#MULE also may have laid their hands on a possible zero-day or at least a variant of a known Microsoft Office vulnerability, which allows the threat actors to gain a foothold on the targeted system just by having the targeted user open the attachment.”

Securonix advised caution and vigilance against unsolicited emails with attachments, especially those conveying a sense of urgency. 

Implementing application whitelisting, monitoring standard malware staging directories and deploying additional process-level logging are among the recommended mitigation strategies to protect against similar threats.

What’s hot on Infosecurity Magazine?