
North Korean Hacking Group Launches Undetected Malwareless URL Phishing Attacks


May 16, 2026

Researchers from South Korea have discovered that the notorious North Korean hacking group known as Kimsuky has adapted its phishing tactics to malwareless attacks that evade detection by major EDR products.

The group, which has been active for several years, is now employing new strategies to evade detection and compromise accounts of researchers and organizations focused on North Korea.

One of the most significant shifts in Kimsuky’s approach is the change in the email services from which it sends its attacks. Previously, the group primarily used Japanese email services for its phishing campaigns.

However, the report indicates that they have now moved to utilizing Russian email services, making it more challenging for targets to identify suspicious communications.


Malwareless Attacks on the Rise

The group has also been increasingly relying on malwareless attack strategies. These URL phishing attacks, which carry no malware in the email itself, are proving difficult to detect as threats.

The attackers are crafting convincing phishing emails that impersonate various entities, including:

  • Electronic document civil service ‘National Secretary’

  • Portal company email security managers

  • Public institutions

  • Financial institutions


Kimsuky’s phishing emails have become more sophisticated, often incorporating themes related to familiar financial matters to increase the likelihood of user interaction.

The group has been observed using domains from ‘MyDomain[.]Korea’, a free Korean domain registration service, to create convincing phishing sites.

The Genians report outlines a timeline of the group’s activities, noting that from April 2024, they used Japanese and US domains. They switched to Korean services by May, and by September, they were using Russian domains.

[Image: MYBOX theme phishing attack flow chart]

However, these Russian domains were found to be fabricated and registered through a phishing email sender known as ‘star 3.0’.

“On the VirusTotal screen, the file name is ‘1.doc’, and the detection name of some Anti-Malware services includes the keyword ‘Kimsuky’. And there are also many variants.”


Interestingly, the report draws connections between current activities and past campaigns.

A mailer titled ‘star 3.0’ was discovered on the website of Evangelia University, a US-based institution. Proofpoint previously identified this same mailer in a 2021 report, linking it to North Korean threat actors.

Implications and Recommendations

The evolving tactics of the Kimsuky group highlight the need for increased vigilance among potential targets. Cybersecurity experts recommend:

  • Careful scrutiny of sender email addresses, especially those with Russian domains

  • Verification of official communications, particularly those related to financial matters

  • Implementation of robust endpoint detection and response (EDR) systems

  • Regular updates to security policies based on the latest threat intelligence

As Kimsuky continues to refine its approach, organizations and individuals alike must remain alert to these sophisticated phishing attempts to protect sensitive information and maintain cybersecurity integrity.
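The recommendations above translate into a mail-triage rule that a SOC can run on raw messages. The following is an added example, not code from the article or from Genians: it combines the three traits the report describes (a Russian sender domain, a finance or public-institution lure theme, and a landing page on a free Korean domain service) and flags a message only when the lure pairs with that infrastructure, since the email carries no malware to scan. The sample message, sender address and hostnames are constructed placeholders modelled on the article's IOC formats, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Patterns taken from the article: Russian mail services as the sending base,
# free Korean registration services (MyDomain Korea, kro.kr) hosting the lure
# pages, and finance/public-institution themes in the lure itself.
RISKY_SENDER_TLDS = {"ru"}
RISKY_URL_SUFFIXES = (".korea", ".kro.kr", ".pe.kr", ".ne.kr", ".re.kr")
LURE_THEMES = ("national tax service", "national pension", "health insurance",
               "payment deadline", "payment due", "national secretary", "naver")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def score_message(raw: str) -> dict:
    """Triage one RFC 5322 message. No attachment scan is done: the attacks
    described carry no malware, only a themed lure and a URL."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    if sender_domain.rsplit(".", 1)[-1] in RISKY_SENDER_TLDS:
        findings.append("russian_sender_domain")
    lure_text = f"{display} {msg.get('Subject', '')}".lower()
    if any(theme in lure_text for theme in LURE_THEMES):
        findings.append("financial_or_public_theme")
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(RISKY_URL_SUFFIXES):
            findings.append(f"free_korean_domain:{host}")
    # A lure theme alone is normal mail; flag once it pairs with infrastructure.
    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"sender_domain": sender_domain, "findings": findings, "verdict": verdict}

# Constructed sample modelled on the article's lure themes and IOC formats; the
# address and host below are placeholders, not real indicators.
SAMPLE = """From: "National Tax Service" <notice@mail-example.ru>
To: analyst@example.org
Subject: Payment deadline notification - confirmation required
Content-Type: text/plain; charset=utf-8

Confirm your payment deadline here:
https://tax-payment-confirmation.online.korea/confirm
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```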

Indicators of Compromise for SOC/DFIR Teams


Source: CybersecurityNews.com
