A North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks designed to steal user credentials. The campaign relies on emails that appear to originate from Russian senders.

Shift in Tactics

Initially utilizing Japanese and Korean email services, Kimsuky shifted in mid-September to include Russian email addresses, according to South Korean cybersecurity firm Genians.

Exploitation of Russian Email Services: The group has been observed abusing VK's Mail.ru service, whose five free-mail domains (mail.ru, internet.ru, bk.ru, inbox.ru and list.ru) were used to impersonate financial institutions and popular internet services such as Naver.

Phishing Themes: The attackers are using themes around Naver's MYBOX cloud storage, misleading recipients into believing there are security threats in their accounts that require immediate action. This campaign began in late April 2024, initially utilizing domains from Japan, South Korea, and the U.S.

Methodology: Analysis revealed that Kimsuky is using a compromised email server from Evangelia University (evangelia.edu) to distribute these phishing emails, leveraging tools like Star, a PHP-based mailer service.

Historical Context: Kimsuky's misuse of legitimate mailer tools such as PHPMailer and Star was previously documented by the cybersecurity firm Proofpoint in November 2021.
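A defender-side check for the sender pattern described above (a Mail.ru free-mail domain in From, a Naver/MYBOX lure in the display name or subject, and a Return-Path that does not match the From domain), written as an added example rather than code from Genians or the article. The two messages are constructed samples; the brand list and the naver.com comparison are assumptions for the check.

```python
import email
from email import policy
from email.utils import parseaddr

# Free-mail domains of VK's Mail.ru service, as listed in the Genians report.
MAILRU_DOMAINS = {"mail.ru", "internet.ru", "bk.ru", "inbox.ru", "list.ru"}
# Brand words used as lures in this campaign (assumed vocabulary for the check).
IMPERSONATED_BRANDS = {"naver", "mybox"}


def phishing_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Sender claims to be a service but mails from a consumer free-mail domain.
    if domain in MAILRU_DOMAINS:
        findings.append(f"free-mail sender domain: {domain}")
    # 2. Brand appears in the display name or subject but the sender is not the brand.
    lure_text = f"{display} {msg.get('Subject', '')}".lower()
    hits = sorted(b for b in IMPERSONATED_BRANDS if b in lure_text)
    if hits and not domain.endswith("naver.com"):
        findings.append(f"brand lure {hits} from non-brand sender {domain}")
    # 3. Envelope sender (the relaying mail server) differs from the header From.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain and rp_domain != domain:
        findings.append(f"Return-Path domain {rp_domain} != From domain {domain}")
    return findings


# Constructed sample: a lure in the style the article describes.
SAMPLE_PHISH = """Return-Path: <bounce@evangelia.edu>
From: "NAVER MYBOX" <security-notice@internet.ru>
To: victim@example.com
Subject: [MYBOX] Unusual sign-in detected - verify your account now

Your files will be deleted unless you confirm your account within 24 hours.
"""

# Constructed sample: a benign notice with consistent sender identity.
SAMPLE_LEGIT = """Return-Path: <noreply@naver.com>
From: "NAVER" <noreply@naver.com>
To: user@example.com
Subject: Your monthly storage summary

Nothing to do this month.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```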

Objective and Impact

Genians highlights that the primary aim of these phishing schemes is credential theft, allowing attackers to hijack accounts and potentially initiate further attacks on additional targets. Kimsuky's ongoing success underscores their skill in creating deceptive emails that appear to come from credible sources, thereby bypassing security checks. Earlier this year, the U.S. government spotlighted Kimsuky for manipulating DNS and DMARC configurations to enhance their social engineering tactics. These details emphasize the importance of vigilance against such evolving phishing tactics. Businesses and individuals alike should stay informed and adopt robust email security measures.
