SEOUL, January 19 (AJP) - Signs have emerged that a hacking group believed to be linked to North Korea is spreading malware by exploiting the advertising systems of Google and South Korea’s Naver, according to a cybersecurity report released on Monday.
The group, known as Kony, is refining its advanced persistent threat tactics by abusing the path users take after clicking portal advertisements, making malicious links harder to detect and block, the report said.
According to the analysis by the Genians Security Center, the campaign — dubbed the “Poseidon Operation” — centers on misusing click-tracking functions embedded in Google and Naver ad systems. Click-tracking refers to the intermediate URLs a user passes through after clicking an advertisement and before reaching the advertiser’s website.
Attackers replicate this URL structure and then redirect users step by step to an external server hosting malicious files, the report said. Because the links appear to originate from legitimate Google or Naver domains, they can evade traditional security filters and artificial intelligence-based detection systems.
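The redirect-chain abuse described above, as an added defender-side check (not code from the article or the Genians report): given the ordered hops a proxy or sandbox recorded after an ad click, it flags chains that start on a trusted portal domain, escape to outside hosts (including hosts carried in query parameters), and end in an archive download. The portal domain set, archive suffixes and sample chain are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed placeholder set of portal domains whose click-tracking hops an
# attacker might imitate; replace with the portals relevant to your estate.
TRUSTED_PORTALS = {"google.com", "naver.com"}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")

def host_of(url):
    """Return the last two labels of a URL's host (a rough registrable domain)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def embedded_urls(url):
    """Yield absolute URLs carried inside a hop's query parameters."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.lower().startswith(("http://", "https://")):
                yield v

def assess_chain(hops):
    """Classify an ordered redirect chain; returns a dict of findings."""
    findings = {"starts_on_portal": False, "leaves_portal": False,
                "archive_download": False, "external_hosts": [],
                "suspicious": False}
    if not hops:
        return findings
    findings["starts_on_portal"] = host_of(hops[0]) in TRUSTED_PORTALS
    seen = []
    for hop in hops:
        # Inspect the hop itself and any destination URL it carries as a parameter.
        for candidate in [hop, *embedded_urls(hop)]:
            h = host_of(candidate)
            if h not in TRUSTED_PORTALS and h not in seen:
                seen.append(h)
            if urlparse(candidate).path.lower().endswith(ARCHIVE_SUFFIXES):
                findings["archive_download"] = True
    findings["external_hosts"] = seen
    findings["leaves_portal"] = findings["starts_on_portal"] and bool(seen)
    findings["suspicious"] = findings["leaves_portal"] and findings["archive_download"]
    return findings

# Constructed sample chain; hosts are placeholders, not real indicators.
SAMPLE_CHAIN = [
    "https://www.google.com/click?dest=https://ads.example-tracker.invalid/c?go=1",
    "https://ads.example-tracker.invalid/c?go=1",
    "https://files.example-drop.invalid/docs/confirmation.zip",
]
```

A chain that stays within the portal's own domains, or that ends on an ordinary advertiser page rather than an archive, is not flagged.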
The attack chain typically begins with spoofed emails, the report said. Posing as financial institutions or other organizations, the group used work-related subject lines such as “financial transaction confirmation” or “submission of supporting materials” to entice recipients to open the messages.
When users click a link in the email, a compressed file is downloaded, which contains a malicious Windows shortcut file, according to the report. Executing the file appears to open a normal document, but a malicious AutoIt script runs in the background, installing remote-control malware on the user’s computer.
Genians said its analysts identified a development path containing the string “Poseidon-Attack” in the malicious code. Based on that finding, the firm assessed that the group managed the campaign internally under the project name “Poseidon.”
* This article, published by Aju Business Daily, was translated by AI and edited by AJP.
Park Jin-young, reporter, sunlight@ajunews.com