The North Korean state-sponsored threat group Kimsuky is the suspected operator of a new phishing campaign.
The phishing emails reportedly use Russian sender addresses to harvest credentials. According to the reports, the group delivered its phishing emails mainly through email services in Japan and South Korea until early September.
The group has also disguised some phishing emails as messages sent from Russia. Researchers noted that these emails abuse VK’s Mail.ru email service, which offers five alternative alias domains, and that the attackers use all five sender domains in phishing attempts that impersonate financial institutions and internet portals.
Other phishing emails mimic notifications from Naver’s MYBOX cloud storage service: they warn that dangerous files have been detected in the recipient’s account and must be removed immediately, creating a false sense of urgency so that the user clicks the link.
The MYBOX-themed lures in the new campaign are variants of emails first detected in late April 2024. Early versions of the campaign used Japanese, South Korean and US domains for the sender addresses.
Although the later messages appeared to come from domains such as “ncloud[.]ru” and “mmbox[.]ru”, further investigation showed that the threat actor sent them through a compromised email server belonging to an academic institution, using a PHP-based mailer called Star. The displayed sender therefore did not match the infrastructure that actually delivered the mail.
Researchers had already documented earlier Kimsuky activity, in November 2021, that used legitimate email programs such as PHPMailer and Star to send phishing messages.
The ultimate goal of these attacks is credential theft: the stolen credentials let the actors hijack victim accounts and launch follow-on attacks against the victim’s colleagues or other people of interest.
Kimsuky has repeatedly shown sophistication in email-based social engineering, including spoofing the sender so that messages appear to come from trusted parties and slip past security checks.
Organisations and individuals should therefore be alert to these lures. A storage-service alert that demands immediate action, or a message whose displayed sender domain does not match the server that actually delivered it, are exactly the signs this campaign relies on.
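The sender-spoofing tactic described above, a displayed sender domain that does not match the envelope sender or the server that handed the mail over, can be checked mechanically from the message headers. The following Python script is an added example and is not code from the researchers or from any report on this campaign. Both messages it inspects are constructed for illustration; every hostname, IP address, address and header value in them is hypothetical, and the Authentication-Results header is assumed to have been written by the receiving MX (in practice you would read whatever your own mail gateway stamps). The checks are triage heuristics for this kind of lure, not a signature for the campaign.

```python
"""Header triage: does the displayed sender match the delivery path?

Added example; not code from the cited researchers or any report on this
campaign. Both sample messages are constructed and every hostname, address
and header value in them is hypothetical.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed lure: From: shows a Russian-looking sender domain, but the
# Return-Path and Received chain show the mail was injected at a (hypothetical)
# university mail server by a PHP mailer script, and no authentication passed.
LURE_RAW = """Return-Path: <www-data@mail.example-univ.ac.kr>
Received: from mail.example-univ.ac.kr (mail.example-univ.ac.kr [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTPS id 4XkQ2
\tfor <user@victim.example>; Mon, 09 Sep 2024 09:12:01 +0900
Received: from localhost (localhost [127.0.0.1])
\tby mail.example-univ.ac.kr (Postfix) with ESMTP id 19A3F
X-Mailer: PHPMailer 6.8.0 (https://github.com/PHPMailer/PHPMailer)
X-PHP-Originating-Script: 33:mailer.php
Authentication-Results: mx.victim.example;
\tspf=none smtp.mailfrom=mail.example-univ.ac.kr;
\tdkim=none; dmarc=none header.from=ncloud.ru
From: "MYBOX Security Team" <notice@ncloud.ru>
To: user@victim.example
Subject: [MYBOX] Dangerous file detected - remove it immediately
Content-Type: text/plain; charset=utf-8

A dangerous file was detected in your MYBOX storage. Sign in now to delete it.
"""

# Constructed benign message: displayed sender, envelope sender and delivering
# host all sit under one domain, and DMARC passed at the receiving MX.
CLEAN_RAW = """Return-Path: <alerts@storage.example>
Received: from mail.storage.example (mail.storage.example [198.51.100.5])
\tby mx.victim.example (Postfix) with ESMTPS id 9B1C0
\tfor <user@victim.example>; Mon, 09 Sep 2024 10:00:00 +0900
Authentication-Results: mx.victim.example;
\tspf=pass smtp.mailfrom=storage.example;
\tdkim=pass header.d=storage.example; dmarc=pass header.from=storage.example
From: "Storage Alerts" <alerts@storage.example>
To: user@victim.example
Subject: Your monthly storage report
Content-Type: text/plain; charset=utf-8

Your report is available in your account dashboard.
"""

# Header added by PHP's mail() when mail.add_x_header is on; a cheap sign that
# a script, not a mail client, generated the message.
PHP_MAILER_HEADERS = ("X-PHP-Originating-Script",)
# Urgency wording of the kind used in the storage-alert lures.
URGENCY_TERMS = ("dangerous file", "immediately", "remove")


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a From:/Return-Path: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    """True if one name equals the other or is a subdomain of it."""
    return host == domain or host.endswith("." + domain) or domain.endswith("." + host)


def received_from_hosts(msg: Message) -> list:
    """Hosts named in the 'from' clause of each Received: header, newest first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([\w.-]+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def auth_results(msg: Message) -> dict:
    """spf/dkim/dmarc verdicts from the receiving MX's Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))


def triage(raw: str) -> dict:
    """Compare the displayed sender with the delivery path and flag mismatches."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    hops = received_from_hosts(msg)
    findings = []

    if rp_dom and not same_org(rp_dom, from_dom):
        findings.append(f"envelope sender domain {rp_dom} does not match From domain {from_dom}")
    if hops and not any(same_org(h, from_dom) for h in hops):
        findings.append(f"no Received hop under {from_dom}; mail was handed off by {hops[0]}")
    if "phpmailer" in (msg.get("X-Mailer") or "").lower():
        findings.append("X-Mailer identifies PHPMailer")
    for hdr in PHP_MAILER_HEADERS:
        if hdr in msg:
            findings.append(f"{hdr} present: message was generated by a PHP script")
    if auth_results(msg).get("dmarc") != "pass":
        findings.append("DMARC did not pass for the From domain")
    if any(term in (msg.get("Subject") or "").lower() for term in URGENCY_TERMS):
        findings.append("subject uses an urgency lure")

    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "handoff_host": hops[0] if hops else "",
        "findings": findings,
        # one weak signal (e.g. only an urgent subject) is not enough on its own
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE_RAW), ("clean", CLEAN_RAW)):
        result = triage(raw)
        print(name, "suspicious" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed lure, the script reports the envelope/From mismatch, the absence of any hop under the displayed domain, the PHP mailer markers, the failed DMARC check and the urgent subject; the benign message produces no findings. The single strongest check is the first two: whatever alias domain the attacker picks, a message that never touched that domain's mail servers should not be trusted on its From: header alone.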
