Researchers from South Korea have discovered that the notorious North Korean hacking group known as Kimsuky has shifted to malwareless phishing tactics that evade detection by major EDR products.
The group, which has been active for several years, is now employing new strategies to evade detection and compromise accounts of researchers and organizations focused on North Korea.
One of the most significant shifts in Kimsuky’s approach is the change in their email attack base. Previously, the group primarily used Japanese email services for their phishing campaigns.
However, the report indicates that they have since moved to Russian email services, making suspicious messages harder for targets to recognize.
Malwareless Attacks on the Rise
The group has also been relying increasingly on malwareless attack strategies. These URL-based phishing emails carry no malicious attachment, which makes them hard for file-based defenses to flag as threats.
The attackers are crafting convincing phishing emails that impersonate various entities, including:
- The ‘National Secretary’ electronic document civil service
- Portal company email security managers
- Public institutions
- Financial institutions

Kimsuky’s phishing emails have become more sophisticated, often incorporating themes related to familiar financial matters to increase the likelihood of user interaction.
The group has been observed using domains from ‘MyDomain[.]Korea’, a free Korean domain registration service, to create convincing phishing sites.
The Genians report outlines a timeline of the group’s activities, noting that from April 2024, they used Japanese and US domains. They switched to Korean services by May, and by September, they were using Russian domains.

However, these Russian domains were found to be forged, with the messages sent through a phishing mailer known as ‘star 3.0’.
“On the VirusTotal screen, the file name is ‘1.doc’, and the detection name of some Anti-Malware services includes the keyword ‘Kimsuky’. And there are also many variants.”

Interestingly, the report draws connections between current activities and past campaigns.
A mailer titled ‘star 3.0’ was discovered on the website of Evangelia University, a US-based institution. Proofpoint previously identified this same mailer in a 2021 report, linking it to North Korean threat actors.
Implications and Recommendations
The evolving tactics of the Kimsuky group highlight the need for increased vigilance among potential targets. Cybersecurity experts recommend:
- Careful scrutiny of sender email addresses, especially those with Russian domains
- Verification of official communications, particularly those related to financial matters
- Implementation of robust endpoint detection and response (EDR) systems
- Regular updates to security policies based on the latest threat intelligence
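The sender and link checks recommended above, as an added Python example (not code from the Genians report or this article): it scores a raw email against assumed indicator lists (Russian TLDs, free Korean subdomain suffixes, financial lure terms) and flags URL-only lures that carry no attachment for file-based tools to inspect.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed indicator lists for illustration only; tune them to your own telemetry.
RUSSIAN_MAIL_TLDS = ("ru", "su")
FREE_SUBDOMAIN_SUFFIXES = ("ne.kr", "pe.kr", "kro.kr", "re.kr")
FINANCIAL_LURE_TERMS = ("payment", "due date", "tax", "pension", "insurance")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def domain_of(header_value):  # lower-cased domain of an address header, '' if absent
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def text_body(msg):  # concatenate the text/plain and text/html parts of a message
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace") for p in parts)

def score_message(raw):
    """Return the phishing heuristics triggered by a raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if from_dom.rpartition(".")[2] in RUSSIAN_MAIL_TLDS:
        findings.append("sender domain uses a Russian TLD")
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    body = text_body(msg)
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    for host in sorted(hosts):
        if host.endswith(FREE_SUBDOMAIN_SUFFIXES):
            findings.append(f"link to free-subdomain host {host}")
    # Malwareless lure: links but nothing attached for file-based AV/EDR to inspect.
    if hosts and not any(p.get_filename() for p in msg.walk()):
        findings.append("URL-only lure with no attachment to scan")
    if hosts and any(t in (msg.get("Subject", "") + " " + body).lower() for t in FINANCIAL_LURE_TERMS):
        findings.append("financial theme combined with external links")
    return findings

# Constructed sample message; every domain here is a placeholder, not a real indicator.
SAMPLE = """\
From: National Tax Service <notice@mail.example.ru>
Reply-To: confirm@payment-desk.example.su
Subject: Payment deadline notification

Your payment due date is approaching. Confirm here:
http://tax-notice-example.kro.kr/login
"""

if __name__ == "__main__":
    print("\n".join(score_message(SAMPLE)))
```

The heuristics are deliberately simple; in a mail gateway they would feed a score alongside SPF/DKIM/DMARC results rather than block on their own.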
As Kimsuky continues to refine its approach, organizations and individuals alike must remain alert to these sophisticated phishing attempts to protect sensitive information and maintain cybersecurity integrity.
Indicator of Compromise for SOC/DFIR Teams