The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages originating from Russian sender addresses in order to ultimately conduct credential theft.
“Phishing emails were sent mainly through email services in Japan and Korea until early September,” South Korean cybersecurity company Genians said. “Then, from mid-September, some phishing emails disguised as if they were sent from Russia were observed.”
This involves the abuse of VK’s Mail.ru email service, which supports five different alias domains, including mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru.
Genians said it has observed the Kimsuky actors leveraging all of the aforementioned sender domains for phishing campaigns that masquerade as financial institutions and internet portals like Naver.
Other phishing attacks have involved sending messages that mimic Naver’s MYBOX cloud storage service and aim to trick users into clicking on links by inducing a false sense of urgency that malicious files were detected in their accounts and that they need to delete them.
Variants of MYBOX-themed phishing emails have been recorded since late April 2024, with the early waves using Japanese, South Korean, and U.S. domains for sender addresses.
While these messages were ostensibly sent from domains such as “mmbox[.]ru” and “ncloud[.]ru,” further analysis has revealed that the threat actor leveraged a compromised email server belonging to Evangelia University (evangelia[.]edu) to send the messages using a PHP-based mailer service called Star.
It’s worth noting that Kimsuky’s use of legitimate email tools like PHPMailer and Star was previously documented by enterprise security firm Proofpoint in November 2021.
The end goal of these attacks, per Genians, is to carry out credential theft, which can then be used to hijack victim accounts and use them to launch follow-on attacks against other employees or acquaintances.
Over the years, Kimsuky has proven to be adept at conducting email-oriented social engineering campaigns, using techniques to spoof email senders so that they appear to come from trusted parties, thus evading security checks.
Earlier this year, the U.S. government called out the cyber actor for exploiting “improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies to conceal social engineering attempts.”
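The DMARC misconfiguration the advisory refers to is usually a record that only monitors spoofed mail instead of rejecting it. The following is an added example, not code from Genians or the article: a small checker that parses a domain’s DMARC TXT record and lists the settings that would let a spoofed sender through, with a weak record beside a hardened one. The two sample records are constructed for illustration.

```python
# Constructed sample DMARC TXT records (not taken from the article).
# The first is the kind of monitor-only record the U.S. advisory warns about;
# the second enforces rejection for the domain and its subdomains.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings describing why a spoofed From: domain would not be blocked.

    An empty list means the record enforces rejection of unaligned mail.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never rejected or quarantined")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is delivered to spam instead of being rejected")
    # The subdomain policy defaults to the domain policy when sp= is absent.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: mail spoofing subdomains is not enforced against")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received, so abuse goes unnoticed")
    return findings


if __name__ == "__main__":
    for name, record in (("weak", WEAK_DMARC), ("hardened", HARDENED_DMARC)):
        print(name, assess_dmarc(record) or ["enforcing"])
```

In a real deployment the record would be fetched from the `_dmarc.<domain>` TXT entry in DNS before being passed to `assess_dmarc`.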