Analysis Summary

Kimsuky, a threat actor associated with North Korea, has been implicated in several phishing attacks that use email messages sent from Russian sender addresses to steal credentials. Up until early September, phishing emails were primarily transmitted over email providers in Korea and Japan. Then, starting in the middle of September, certain phishing emails that appeared to be from Russia were noticed.

VK's Mail.ru email service, which offers five distinct alias domains—mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru—is being abused in this way. According to the researchers, the Kimsuky actors have been using all of the sender domains described above for phishing attempts that pose as online portals and financial organizations, such as Naver.

Messages imitating Naver's MYBOX cloud storage service have been used in other phishing attempts to fool users into clicking on links by creating a false feeling of urgency that dangerous files have been found in their accounts and that they must be removed. Phishing emails with a MYBOX theme have been observed since late April 2024; the initial waves used sender addresses from South Korea, Japan, and the United States.

Although it was claimed that these messages were sent from domains like "mmbox[.]ru" and "ncloud[.]ru," additional investigation has shown that the threat actor used a compromised Evangelia University email server (evangelia[.]edu) to send the messages using a PHP-based mailer service called Star. It's important to note that researchers already confirmed Kimsuky's use of reputable email technologies like PHPMailer and Star in November 2021.

The ultimate objective of these attacks is credential theft, which may be used to take over victim accounts and use them to start subsequent attacks on other coworkers or friends. Kimsuky has demonstrated throughout the years that it is skilled at running email-focused social engineering campaigns, using methods to impersonate email senders to make them seem like they are from reliable sources in order to get beyond security checks.

Impact

• Credential Theft
• Identity Theft
• Unauthorized Access

Indicators of Compromise

Domain Name

• cookiemanager.ne.kr
• nidiogln.ne.kr
• online.korea.article-com.eu
• evangelia.edu

IP

• 185.27.134.201
• 185.105.33.106
• 185.27.134.140
• 185.27.134.93
• 185.27.134.120
• 185.27.134.144

MD5

• adb30d4dd9e1bbe82392b4c01f561e46
• b591cbd3f585dbb1b55f243d5a5982bc
• d8249f33e07479ce9c0e44be73d3deac
• 0def51118a28987a929ba26c7413da29
• 2ff911b042e5d94dd78f744109851326
• 3cd67d99bcc8f3b959c255c9e8702e9f
• 6ead104743be6575e767986a71cf4bd9
• 658a8856d48aabc0ecfeb685d836621b
• a6588c10d9c4c2b3837cd7ce6c43f72e
• a75196b7629e3af03056c75af37f37cf
• aa41e4883a9c5c91cdab225a0e82d86a
• ab75a54c3d6ed01ba9478d9fecd443af

SHA-256

• f408dee7fa76179d826885c5c6f38acbcc11f3e3abba1f1f58068cdf833b4317
• 0dc17133b9d54b8d38f5a4f4c49eb0cee7ff2c80b1ea614fb59ca49c3721440b
• 23c18fe6675b4dad5e1354718fa9bbb096ded4293948d318d0057b51642c4cbb
• 63c45dd760256bb2bee1eeb9e7d61601c90a752ff46832df39ca1a8d2376b281
• 82286cf6369eddd2e79d005a435623abe2db642c216d38550411865acf84210e
• 9255280904f85d01545d295a31038678d697325385be6c7c01435d541f16b043
• d1b5d606c866c304c3eb28fc52ed700c6b292e6e4387e0dac1a895e231bfe5b3
• 3b2701a7d49a8d6002a2a202bac9b18b4bc917009da01591ab5b66f183f9c8e9
• aead266f97c936799f4d5f526482d41f74daf86f8fcf49976eecbc6260b59274
• 327426b389a87fb41c5150f18c8a3b1b5c671eb08107a3a6917baea3db686555
• ac4f6bdd6d4ef009f1108c4c8a3d58e0a19d4f73b239202dd601b0aeba5ceb54
• bf838c2e46696f79964709e29880604d7172f2a3ab0f3f41d7ff8216f053c557

SHA1

• 84c2e2d5d61ed9148a0057e951fdea641901874d
• 41bff8875d1f83b3af52b65cb7ce8ebca0e30bfd
• 44b072d3948f06cdc0be573aa62ce3ca0b80da1e
• 76ed57d6451f634255c664a89f7a64a062923c05
• 08620755dabc0983eaf1320ac4c71d90b56ff1bb
• 7bb3e2671b8ad6e2e1ffb9e8b022dfd677fdd31a
• aabaea027236e8605f4b89e3d9e2206993398af2
• f8542e5567741c95a966cd1508c6d11ad0763440
• 598b8a9b7bb134bdbf34503e109ec66a18dbbfa9
• 9837e850f9800cff7d4fd26a2d9ccbaa1960d50b
• 9534d277d796890affadb3d3861d22a61bfdbbdd
• dd6bbd76378fce03e2b72c904832e576d4576354

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.