North Korean Hackers Weaponize Excel Files to Breach Pharmaceutical Companies
North Korean state‑backed group Kimsuky delivered a multi‑stage malware campaign against prescription‑drug manufacturers by disguising a Windows shortcut as an Excel document, using hidden PowerShell, JavaScript, and Dropbox C2 to stealthily steal sensitive data, and the report outlines detection indicators and mitigation steps.
Attack Methodology
Kimsuky crafted a malicious file named White Life Science ERP Specification.lnk that appears as an Excel spreadsheet. The shortcut contains multiple payloads—an Excel decoy, PowerShell script, JavaScript file, and a Windows Task Scheduler XML—packed into a 23,079‑byte LNK container.
When the victim opens the file, cmd.exe launches PowerShell via the SysWOW64 path, deliberately executing the 32‑bit PowerShell on a 64‑bit system to evade tools that monitor only 64‑bit processes. The execution chain follows LNK → XML → JavaScript → PowerShell, making detection at any single stage difficult.
Industry Impact Assessment
The campaign targets the pharmaceutical sector, which stores sensitive research data, patient records, and proprietary drug formulas. Kimsuky, traditionally focused on academia, government, and research institutions, appears to be expanding into life‑science enterprises, raising the risk of confidential clinical data theft and long‑term internal communications monitoring.
Infection and Persistence Details
The PowerShell script decrypts an XOR‑encoded payload and writes it to a hidden folder C:\sysconfigs, mimicking a legitimate Windows directory. Two key files are dropped: opakib.ps1 (the main payload) and copa08o.js (a JavaScript launcher). The JavaScript is registered as a scheduled task named "Avast Secure Browser VPS Differential Update Ex," masquerading as a normal browser update.
After activation, opakib.ps1 contacts Dropbox via the official API, uploading collected information—domain, username, OS version, public IP, and running processes—encoded with RC4 and Base64. Attackers can place custom command files in the Dropbox folder, which the malware silently retrieves and executes on the compromised host.
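The execution chain above (cmd.exe launching the 32-bit PowerShell from the SysWOW64 path) and the later Dropbox API beacon from that PowerShell process are the two stages a detection engineer would want to correlate on one host. The following is an added example, not code from the report or from the analysed sample: it runs a simple two-stage rule over constructed Sysmon-style events (EventID 1 for process creation, EventID 3 for network connections). The field names, the Dropbox domain list, and the ten-minute correlation window are assumptions to adapt to your own telemetry.

```python
"""Correlate a cmd.exe -> SysWOW64 PowerShell launch with a later Dropbox API
connection from PowerShell on the same host.

Added example: the events below are constructed Sysmon-style records, not
telemetry from the report or from the analysed sample."""
from datetime import datetime, timedelta

# Exact 32-bit PowerShell path singled out by the report.
SYSWOW64_PS = r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
# The report only says "the official API"; these suffixes are an assumption.
DROPBOX_SUFFIXES = ("dropboxapi.com", "dropbox.com")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_dropbox_host(host: str) -> bool:
    """True for a Dropbox domain or any subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DROPBOX_SUFFIXES)


def find_chain(events, window=timedelta(minutes=10)):
    """Return one finding per suspicious event, in time order.

    Severity is raised when both stages line up on the same host inside
    `window` (assumed value; tune it to the beacon timing you observe)."""
    findings = []
    ps_launches = {}  # host -> timestamps of 32-bit PowerShell launches
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event_id"] == 1 and ev["image"].lower() == SYSWOW64_PS:
            parent = basename(ev["parent_image"])
            findings.append({
                "host": host, "ts": ev["ts"],
                "rule": "syswow64_powershell_launch",
                "severity": "high" if parent == "cmd.exe" else "medium",
                "detail": f"parent={parent} cmd={ev['command_line']}",
            })
            ps_launches.setdefault(host, []).append(ev["ts"])
        elif (ev["event_id"] == 3 and basename(ev["image"]) == "powershell.exe"
              and is_dropbox_host(ev["dest_host"])):
            recent = [t for t in ps_launches.get(host, []) if ev["ts"] - t <= window]
            findings.append({
                "host": host, "ts": ev["ts"],
                "rule": "powershell_to_dropbox",
                "severity": "critical" if recent else "medium",
                "detail": f"dest={ev['dest_host']} prior_32bit_launches={len(recent)}",
            })
    return findings


def sample_events():
    """Constructed events: one infected host, one benign Dropbox client, one
    ordinary 64-bit PowerShell session."""
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    return [
        {"host": "WS01", "ts": t0, "event_id": 1,
         "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
         "parent_image": r"C:\Windows\explorer.exe", "command_line": "EXCEL.EXE"},
        {"host": "WS01", "ts": t0 + timedelta(seconds=5), "event_id": 1,
         "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "parent_image": r"C:\Windows\System32\cmd.exe",
         "command_line": "powershell.exe -WindowStyle Hidden ..."},
        {"host": "WS01", "ts": t0 + timedelta(seconds=40), "event_id": 3,
         "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "dest_host": "api.dropboxapi.com"},
        {"host": "WS02", "ts": t0 + timedelta(minutes=1), "event_id": 3,
         "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
         "dest_host": "d.dropbox.com"},
        {"host": "WS03", "ts": t0 + timedelta(minutes=2), "event_id": 1,
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe"},
    ]


if __name__ == "__main__":
    for f in find_chain(sample_events()):
        print(f["severity"].upper(), f["host"], f["rule"], f["detail"])
```

On the constructed input only WS01 is flagged: the launch from cmd.exe scores high on its own, and the PowerShell connection to api.dropboxapi.com 35 seconds later is escalated to critical because a 32-bit launch preceded it. The desktop Dropbox client on WS02 is left alone because the rule keys on the initiating image, not the destination alone.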
Detection Indicators
File name: White Life Science ERP Specification.lnk
MD5: 5c3bf036ab8aadddb2428d27f3917b86
SHA‑1: e9c16aa2e322a65fc2621679ca8e7414ebcf89c0
SHA‑256: d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166
Mitigation Recommendations
Enable file‑extension visibility in Windows to prevent .lnk files from being mistaken for Excel documents.
Monitor and restrict PowerShell execution via the SysWOW64 path.
Regularly audit Windows scheduled tasks for unfamiliar entries.
Flag anomalous Dropbox API connections within the corporate network.
Add the listed file hashes to endpoint detection platforms for rapid identification and isolation.
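Two of the recommendations above, auditing scheduled tasks for unfamiliar entries and matching the published hashes, can be scripted as a host triage pass. The following is an added example, not code from the report: it scores constructed scheduled-task records against the persistence pattern the report describes (a script launcher in the hidden C:\sysconfigs folder behind a vendor-sounding task name) and checks file digests against the listed indicators. The script-host action assigned to the malicious task and the vendor word list are assumptions; the report names the task and the .js file but not the binary that runs it.

```python
"""Triage scheduled tasks against the persistence pattern in the report and
match file digests against its indicators.

Added example: task records are constructed, and the action/arguments of the
malicious task are an assumption (the report names the task and copa08o.js,
not the script host that executes it)."""
import hashlib

# Indicators published in the report.
IOC_HASHES = {
    "md5": "5c3bf036ab8aadddb2428d27f3917b86",
    "sha1": "e9c16aa2e322a65fc2621679ca8e7414ebcf89c0",
    "sha256": "d4c184f4389d710c8aefe296486d4d3e430da609d86fa6289a8cea9fde4a1166",
}
STAGING_DIRS = (r"c:\sysconfigs",)            # hidden folder named in the report
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # Windows Script Host binaries
VENDOR_WORDS = ("avast", "microsoft", "google", "adobe", "mozilla")  # heuristic list


def audit_tasks(tasks):
    """Return the tasks that match at least one heuristic, with the reasons."""
    flagged = []
    for t in tasks:
        name = t["name"].lower()
        action = t["action"].lower()
        args = t.get("arguments", "").lower().strip('"')
        exe = action.rsplit("\\", 1)[-1]
        reasons = []
        if exe in SCRIPT_HOSTS or args.endswith((".js", ".jse", ".vbs", ".wsf")):
            reasons.append("action runs a script through Windows Script Host")
        if any(d in action or d in args for d in STAGING_DIRS):
            reasons.append("action references the C:\\sysconfigs staging folder")
        for vendor in VENDOR_WORDS:
            # A vendor name in the task but not in the executable path is the
            # masquerade pattern the report describes.
            if vendor in name and vendor not in action and vendor not in args:
                reasons.append(f"task name claims '{vendor}' but the action path does not")
        if reasons:
            flagged.append({"name": t["name"], "reasons": reasons})
    return flagged


def digests_of(data: bytes):
    """MD5, SHA-1 and SHA-256 of a byte string, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def file_digests(path):
    """Streamed digests of a file, so large files are not read into memory."""
    hashes = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashes.items()}


def matched_iocs(digests):
    """Algorithms whose digest equals the published indicator."""
    return [algo for algo, value in digests.items() if IOC_HASHES.get(algo) == value.lower()]


def sample_tasks():
    """Constructed task records: the masquerading task plus two ordinary ones."""
    return [
        {"name": "Avast Secure Browser VPS Differential Update Ex",
         "action": r"C:\Windows\System32\wscript.exe",      # assumed script host
         "arguments": r"C:\sysconfigs\copa08o.js"},
        {"name": "MicrosoftEdgeUpdateTaskMachineCore",
         "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
         "arguments": ""},
        {"name": "OneDrive Standalone Update Task",
         "action": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
         "arguments": ""},
    ]


if __name__ == "__main__":
    for hit in audit_tasks(sample_tasks()):
        print(hit["name"])
        for r in hit["reasons"]:
            print("  -", r)
    # On a live host, point file_digests() at the suspect .lnk and compare:
    print(matched_iocs(IOC_HASHES))  # every algorithm matches its own indicator
```

On a real host the task records would come from the Task Scheduler export or `schtasks /query /xml`, and `file_digests()` would be pointed at any .lnk found in a user's Downloads or mail attachment folder. Matching on all three digests is redundant for a clean copy of the sample, but it lets the triage still hit when only one algorithm is available from the source that reported the file.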
Black & White Path