A recent investigation reveals that Kimsuky, a North Korean hacking group, has shifted its phishing tactics by utilizing Russian email addresses to steal user credentials. The findings come from South Korean cybersecurity firm Genians, which has been tracking the group's activities.
Until early September, the hackers primarily used Japanese and Korean email services for their phishing campaigns. However, by mid-September, they began masquerading as Russian senders, specifically exploiting VK's Mail.ru service and its various alias domains including mail.ru, internet.ru, bk.ru, inbox.ru, and list.ru.
The attackers have been impersonating financial institutions and popular internet portals like Naver. One notable scheme involves sending fake security alerts about malicious files in users' Naver MYBOX cloud storage accounts, creating urgency to trick users into clicking dangerous links.
The investigation uncovered that while some messages appeared to come from Russian domains like "mmbox.ru" and "ncloud.ru," the hackers actually utilized a compromised email server belonging to Evangelia University. They deployed a PHP-based mailer service called Star to execute these attacks.
The primary objective of these operations is credential theft, enabling the hackers to hijack user accounts and launch additional attacks against other targets. Kimsuky has demonstrated sophisticated capabilities in email-based social engineering, successfully spoofing trusted senders to bypass security measures.
Earlier this year, the U.S. government reported that Kimsuky was exploiting misconfigured Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record policies, which allowed the group to conceal its social engineering attempts more effectively.
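The DMARC weakness described above is a matter of record policy, which a defender can audit. The following Python script is an added example, not code from Genians or the original article: it parses a domain's DMARC TXT record and flags the permissive settings (no record, `p=none`, `sp=none`, `pct` below 100, no `rua` reporting address) that let a spoofed sender reach the inbox. The sample records are constructed for illustration.

```python
# Added example (not from Genians' report or the article): parses a DMARC
# TXT record and flags weak settings that let a spoofed From: header through.
# The sample records at the bottom are constructed for illustration.

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of findings for a domain's DMARC record (None = no record)."""
    if txt is None:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; record is invalid")
    elif policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail still delivered")
    # sp= defaults to p= when absent, so only an explicit downgrade is a finding
    sub_policy = tags.get("sp", policy)
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed despite the main policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts go unreported")
    return findings


# Constructed sample records (example.com is a placeholder domain)
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("absent", None)):
        print(label, assess_dmarc(rec) or ["no issues"])
```

In practice the record is fetched with a DNS TXT query for `_dmarc.<domain>` and passed to `assess_dmarc`.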
This latest development in Kimsuky's tactics highlights the evolving nature of cyber threats and the importance of maintaining vigilance against sophisticated phishing attempts, regardless of their apparent origin.