The victims are then taken to a different website, which leads them to a PDF file stored on Google Drive that appears to be an invitation to the August Forum of the Asan Institute for Policy Studies. A non-target-specific phishing toolkit is also available on Kimsuky's phishing sites to collect Naver accounts. This toolkit functions as a basic proxy, similar to Evilginx, to take advantage of visitors' cookies and login credentials. It also displays pop-ups alerting users to the disruption of server connectivity and requesting them to log in again.

The investigation has also revealed that Kimsuky uses a unique PHPMailer program named SendMail, which is used to send phishing emails to targets via Gmail and Daum Mail accounts. It is advised that users use phishing-resistant multi-factor authentication (MFA) and carefully check the URLs before logging in to counter the threat.

Impact

• Cyber Espionage
• Credential Theft
• Identity Theft
• Unauthorized Access

Indicators of Compromise

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Carefully check the URLs before entering credentials or downloading software.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.